Iframes are now being Exploited by Tech Support Scammers as a part of their Latest Campaign!

Tech support scammers have been in the news for a long time now. They never fail to come up with creative ways attack a target system or browser. Now, they are using iframes to lock browsers. Users are alerted with a message and are also provided with a hotline, through which they can reach out to “tech support”. The number actually leads to the scammers.

These scammers also take into account, the psychological effect on someone if they come to know that their system has been infected or blocked. Genuine looking pop ups are used to display warnings and users are coaxed into calling the displayed support number to resolve the issue.

Trend Micro’s Samuel p Wang (Fraud Researcher) notes that the new technical support scam (TSS) campaign makes use of URLs displaying webpages that genuinely look like Microsoft tech support pages. Once any of the URL is entered, the users get stuck in a loop. They will either see a user authentication pop-up or a message that will coax them into reaching out to helpline.

The OK and Close buttons on the authentication pop-up don’t work while the Cancel button will redirect the user back to the URL.

Tech Support Scam Employs New Trick by Using Iframe to Freeze Browsers

As discussed earlier, the campaign makes use of iframes i.e. HTML documents rooted within other HTML documents. Iframe is set as the page’s showLogin. It is displayed once the URL is accessed. Iframe’s contents are simply the URL of authentication page and this is why users are redirected to the URL.

The campaign makes use of adaptive authentication pop-ups which can easily adjust according to the browser users have opened.

According to Wang, the URLs are changed typically 12 times every day and were accessed nearly 575 times from 1st April to 19th April.


Over the last year, many scammer groups have surfaces with creative campaigns such as making use of JavaScript to claim system resources and putting victims in a loop, and many other campaigns that you should read about.

As per Symantec, these TSS campaigns are using complicated schemes to prevent detection and getting blocked. Some of these schemes are Bade64 encoding, AES encryption etc.

Lastly, Trend Micro researcher suggests users that if they ever fall prey to these attacks, they can simply close the browser through Task Manager. They can also verify (after searching for legitimate sources) whether their systems and devices are secure or not.

Additionally, Trend Micro has a full list of all the URLs used in the iframes TSS campaign.

Read next: How to Spot Social Media, Email and Internet Scams (infographic)

Featured photo: Rawpixel

No comments:

Post a Comment