Malware spoofing Microsoft hit while using Facebook

Support and discussions for the x86/x64 Linux version of Pale Moon.

Moderators: trava90, satrow

broomsticks
Moongazer
Posts: 13
Joined: 2016-01-15, 19:31
Location: USA

Post by broomsticks » 2019-06-14, 18:09

I want to post some kind of warning-alert for an event I just experienced but don't know where to go.

While using Facebook, I clicked on an article about healthful recipes to open in a new tab.
There were two overlapping windows in the center of the page which I could not close without clicking the Cancel button on the top most dialog box.
The main page background looked like a Microsoft support page.
The message boxes referred to some type of unusual behavior.
I did not really read any of it because I knew it was fake and malicious.
I could not close that tab.

I'm using version 28.5.2 (64 bit) with MX Linux 18.3 and Mint 19.1
I was using MX Linux at the time of the attack.
uBlock Origin was deactivated for Facebook. Don't know why I did that.
The firewall is activated, but no special settings.
I do not use any antivirus with Linux.

Since I have the browser set to start with the previous session tabs, the restart just went to the same page.
I deleted the sessionstore.js file and also the backup.
Also deleted the last (2) saved sessions for Session Manager add-on.

Here are the two addresses from Pale Moon history:

Name: Microsoft Official Support
Location: http://web-mc53374.xyz/Call-for-Security-Issues1-888-351-4222/call-now2/

Name: Official Support Center
Location: http://web-mc53374.xyz/Call-for-Security-Issues1-888-351-4222/

How should this be reported?
What can be done to block or prevent this type of attack?
Do you have any suggestions?

Thanks.
Linux Mint & MX Linux - PM 64bit | Win 10 - PM 32bit
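
An alternative to deleting the whole session file, shown as an added example that is not part of the original post or of Pale Moon: remove only the offending tab so session restore does not reload it. It assumes sessionstore.js is plain JSON laid out as windows → tabs → entries → url; the function names and the phone-number-in-path heuristic are illustrative.

```python
import copy, json, re, shutil, sys
from urllib.parse import urlsplit

# Toll-free number in the URL path, as in the two history entries in the post.
PHONE_IN_PATH = re.compile(r"1-8(?:00|33|44|55|66|77|88)-\d{3}-\d{4}")

def is_scam_url(url, blocked_hosts=()):
    parts = urlsplit(url)
    return parts.hostname in blocked_hosts or bool(PHONE_IN_PATH.search(parts.path))

def prune_session(session, blocked_hosts=()):
    """Remove every tab whose history holds a scam URL; return those URLs."""
    removed = []
    for window in session.get("windows", []):
        kept = []
        for tab in window.get("tabs", []):
            bad = [e.get("url", "") for e in tab.get("entries", [])
                   if is_scam_url(e.get("url", ""), blocked_hosts)]
            if bad:
                removed.extend(bad)
            else:
                kept.append(tab)
        window["tabs"] = kept
        # "selected" is a 1-based tab index; clamp it to the tabs that remain.
        window["selected"] = max(1, min(window.get("selected", 1), len(kept)))
    session["windows"] = [w for w in session.get("windows", []) if w["tabs"]]
    return removed

# Constructed sample in the assumed layout; the URLs are the ones quoted in the post.
BASE = "http://web-mc53374.xyz/Call-for-Security-Issues1-888-351-4222/"
SAMPLE = {"windows": [{"selected": 2, "tabs": [
    {"index": 1, "entries": [{"url": "https://www.facebook.com/", "title": "Facebook"}]},
    {"index": 2, "entries": [
        {"url": BASE, "title": "Official Support Center"},
        {"url": BASE + "call-now2/", "title": "Microsoft Official Support"}]},
]}]}

if __name__ == "__main__":
    if len(sys.argv) > 1:                 # usage: script.py /path/to/sessionstore.js
        path = sys.argv[1]
        shutil.copy2(path, path + ".pre-prune")   # keep the original for analysis
        with open(path, encoding="utf-8") as fh:
            session = json.load(fh)
    else:
        path, session = None, copy.deepcopy(SAMPLE)
    for url in prune_session(session):
        print("removed tab entry:", url)
    if path:
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(session, fh)
```

Run it only while the browser is closed, since the browser rewrites the session file while it is running.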

vannilla
Astronaut
Posts: 618
Joined: 2018-05-05, 13:29

Post by vannilla » 2019-06-14, 20:32

broomsticks wrote (2019-06-14, 18:09):
> How should this be reported?

Probably it should be reported to whoever is leasing the server, but it's probably some company that doesn't care about preventing phishing.

broomsticks wrote (2019-06-14, 18:09):
> What can be done to block or prevent this type of attack?

Block as many scripts as possible and don't click anything but the button to close the tab/window.

broomsticks wrote (2019-06-14, 18:09):
> Do you have any suggestions?

Block as many scripts as possible and don't click anything but the button to close the tab/window.

Moonchild
Pale Moon guru
Posts: 24449
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Post by Moonchild » 2019-06-14, 21:41

broomsticks wrote (2019-06-14, 18:09):
> What can be done to block or prevent this type of attack?

Unfortunately, because the page/site has already been taken down by the responsible host, I can't analyze the type of attack.
Pale Moon already has mitigations against sites spawning repeat dialogs, including abusing auth dialogs (but you have to cancel them 3 times). Without a working proof of concept/attack site, I can't see which kind of attack it was and/or if it needed more attention on our side or not.

vannilla wrote (2019-06-14, 20:32):
> Block as many scripts as possible and don't click anything but the button to close the tab/window.

If you want this user to have a totally unusable internet, then suggest something like that. I'm surprised you didn't just suggest to flat-out disable JavaScript altogether...

No, I don't recommend this course of action, myself. But broomsticks can make up their own mind what to do.
"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne

vannilla
Astronaut
Posts: 618
Joined: 2018-05-05, 13:29

Post by vannilla » 2019-06-14, 21:54

Moonchild wrote (2019-06-14, 21:41):
> If you want this user to have a totally unusable internet, then suggest something like that. I'm surprised you didn't just suggest to flat-out disable JavaScript altogether...

I'm well aware that disabling even the tiniest script makes the majority of the web a blank page, and I'll never suggest completely disabling javascript. At best, I'd suggest a content blocker.
Though since broomsticks is using uBlock, I assume something was being blocked already.

Moonchild
Pale Moon guru
Posts: 24449
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Post by Moonchild » 2019-06-14, 22:19

You said "Block as many scripts as possible" -- don't be snarky about me advising against THAT.

broomsticks
Moongazer
Posts: 13
Joined: 2016-01-15, 19:31
Location: USA

Post by broomsticks » 2019-06-15, 01:55

vannilla wrote (2019-06-14, 20:32):
> Block as many scripts as possible and don't click anything but the button to close the tab/window.

I use the Tab Mix Plus extension https://addons.palemoon.org/addon/tab-mix-plus/ and did not have display Close tab button enabled. I have now enabled that.
Tab Mix Plus is configured to close tab on double-click, but that did not work.
Ctrl+W also did not work.

Moonchild wrote (2019-06-14, 21:41):
> Unfortunately, because the page/site has already been taken down by the responsible host, I can't analyze the type of attack.

Thanks, Moonchild.
That's good to know.
I certainly did not want to try checking the site myself.

Moonchild wrote (2019-06-14, 21:41):
> Pale Moon already has mitigations against sites spawning repeat dialogs, including abusing auth dialogs (but you have to cancel them 3 times). Without a working proof of concept/attack site, I can't see which kind of attack it was and/or if it needed more attention on our side or not.

Thanks, I'll keep that in mind.