Malware spoofing microsoft hit while using Facebook

broomsticks

Post by broomsticks » 2019-06-14, 18:09

I want to post some kind of warning-alert for an event I just experienced but don't know where to go.

While using Facebook, I clicked on an article about healthful recipes to open in a new tab.
There were two overlapping windows in the center of the page which I could not close without clicking the Cancel button on the topmost dialog box.
The main page background looked like a Microsoft support page.
The message boxes referred to some type of unusual behavior.
I did not really read any of it because I knew it was fake and malicious.
I could not close that tab.

I'm using version 28.5.2 (64 bit) with MX Linux 18.3 and Mint 19.1
I was using MX Linux at the time of the attack.
uBlock Origin was deactivated for Facebook. Don't know why I did that.
The firewall is activated, but no special settings.
I do not use any antivirus with Linux.

Since I have the browser set to start with the previous session tabs, the restart just went to the same page.
I deleted the sessionstore.js file and also the backup.
Also deleted the last (2) saved sessions for Session Manager add-on.

Here are the two addresses from Pale Moon history:

Name: Microsoft Official Support
Location: http://web-mc53374.xyz/Call-for-Security-Issues1-888-351-4222/call-now2/

Name: Official Support Center
Location: http://web-mc53374.xyz/Call-for-Security-Issues1-888-351-4222/

How should this be reported?
What can be done to block or prevent this type of attack?
Do you have any suggestions?

Thanks.
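
As an added example (not part of the original post and not Pale Moon code): instead of deleting sessionstore.js outright, the saved session can be edited so that only tabs pointing at the offending host are dropped. It assumes the Firefox-style session JSON layout (windows, tabs, entries, _closedTabs); the function names and the sample session are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

def host_matches(url, blocked):
    """True if the URL's host equals a blocked host or is a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == b or host.endswith("." + b) for b in blocked)

def tab_is_blocked(tab, blocked):
    """Check every entry in the tab's back/forward history, not just the current one."""
    return any(host_matches(e.get("url", ""), blocked) for e in tab.get("entries", []))

def prune_session(session, blocked_hosts):
    """Drop matching open and recently closed tabs in place; return how many were removed."""
    blocked = {b.lower() for b in blocked_hosts}
    removed = 0
    for win in session.get("windows", []):
        tabs = win.get("tabs", [])
        win["tabs"] = [t for t in tabs if not tab_is_blocked(t, blocked)]
        closed = win.get("_closedTabs", [])
        win["_closedTabs"] = [c for c in closed
                              if not tab_is_blocked(c.get("state", {}), blocked)]
        removed += len(tabs) - len(win["tabs"]) + len(closed) - len(win["_closedTabs"])
        # "selected" is a 1-based tab index; clamp it so it points at a remaining tab.
        win["selected"] = max(1, min(win.get("selected", 1), len(win["tabs"])))
    # A window left with no tabs is dropped so the browser does not restore it empty.
    session["windows"] = [w for w in session.get("windows", []) if w["tabs"]]
    return removed

def sample_session():
    """Constructed sample in the assumed layout; the host is the one from the post."""
    return {"selectedWindow": 1, "windows": [{
        "selected": 2,
        "_closedTabs": [],
        "tabs": [
            {"index": 1, "entries": [{"url": "https://www.facebook.com/", "title": "Facebook"}]},
            {"index": 1, "entries": [{"url": "http://web-mc53374.xyz/", "title": "Official Support Center"}]},
        ]}]}

if __name__ == "__main__":
    session = sample_session()
    print(prune_session(session, ["web-mc53374.xyz"]), "tab(s) removed")
    print(json.dumps(session, indent=2))
```

For a real profile, run it with the browser closed and on a copy of the file: load it with `json.load`, call `prune_session`, and write the result back with `json.dump`.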

vannilla
Moon Magic practitioner
Posts: 2189
Joined: 2018-05-05, 13:29

Re: Malware spoofing microsoft hit while using Facebook

Post by vannilla » 2019-06-14, 20:32

broomsticks wrote (2019-06-14, 18:09):
> How should this be reported?

Probably it should be reported to whoever is leasing the server, but it's probably some company that doesn't care about preventing phishing.

broomsticks wrote (2019-06-14, 18:09):
> What can be done to block or prevent this type of attack?

Block as many scripts as possible and don't click anything but the button to close the tab/window.

broomsticks wrote (2019-06-14, 18:09):
> Do you have any suggestions?

Block as many scripts as possible and don't click anything but the button to close the tab/window.

Moonchild
Pale Moon guru
Posts: 35588
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Malware spoofing microsoft hit while using Facebook

Post by Moonchild » 2019-06-14, 21:41

broomsticks wrote (2019-06-14, 18:09):
> What can be done to block or prevent this type of attack?

Unfortunately, because the page/site has already been taken down by the responsible host, I can't analyze the type of attack.
Pale Moon already has mitigations against sites spawning repeat dialogs, including abusing auth dialogs (but you have to cancel them 3 times). Without a working proof of concept/attack site, I can't see which kind of attack it was and/or if it needed more attention on our side or not.

vannilla wrote (2019-06-14, 20:32):
> Block as many scripts as possible and don't click anything but the button to close the tab/window.

If you want this user to have a totally unusable internet, then suggest something like that. I'm surprised you didn't just suggest to flat-out disable JavaScript altogether...

No, I don't recommend this course of action, myself. But broomsticks can make up their own mind what to do.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

vannilla

Re: Malware spoofing microsoft hit while using Facebook

Post by vannilla » 2019-06-14, 21:54

Moonchild wrote (2019-06-14, 21:41):
> If you want this user to have a totally unusable internet, then suggest something like that. I'm surprised you didn't just suggest to flat-out disable JavaScript altogether...

I'm well aware that disabling even the tiniest script makes the majority of the web a blank page, and I'll never suggest completely disabling JavaScript. At best, I'd suggest a content blocker.
Though since broomsticks is using uBlock, I assume something was being blocked already.

Moonchild

Re: Malware spoofing microsoft hit while using Facebook

Post by Moonchild » 2019-06-14, 22:19

You said "Block as many scripts as possible" -- don't be snarky about me advising against THAT.

broomsticks

Re: Malware spoofing microsoft hit while using Facebook

Post by broomsticks » 2019-06-15, 01:55

vannilla wrote (2019-06-14, 20:32):
> Block as many scripts as possible and don't click anything but the button to close the tab/window.

I use the Tab Mix Plus extension https://addons.palemoon.org/addon/tab-mix-plus/ and did not have display Close tab button enabled. I have now enabled that.
Tab Mix Plus is configured to close tab on double-click, but that did not work.
Ctrl+W also did not work.

Moonchild wrote (2019-06-14, 21:41):
> Unfortunately, because the page/site has already been taken down by the responsible host, I can't analyze the type of attack.

Thanks, Moonchild.
That's good to know.
I certainly did not want to try checking the site myself.

Moonchild wrote (2019-06-14, 21:41):
> Pale Moon already has mitigations against sites spawning repeat dialogs, including abusing auth dialogs (but you have to cancel them 3 times). Without a working proof of concept/attack site, I can't see which kind of attack it was and/or if it needed more attention on our side or not.

Thanks, I'll keep that in mind.
