Firefox Bug and Fake Technical Support Page Scam Overview
Fake technical support scammers are exploiting a recently discovered Firefox vulnerability to overload CPUs. Fake tech support scam pages have been common for a considerable amount of time, but over the past year these scammers have been exploiting web browser vulnerabilities more often. The advantage for the scam artists is that they can design a web page which can be difficult to close potentially causing victims to panic.
Tactics, Techniques and Procedures
Getting the obvious out of the way, these scammers use the basic human emotion of fear to trick users who aren’t paying attention to phish for credentials or other forms of confidential information.
The vulnerability being utilized here has a rather short implementation time from the attacker’s perspective seeing as the proof of concept code (see below) is only a few lines of Javascript. The code renders the Firefox web browser unable to close. Similar code has been deployed previously on multiple browsers, Google Chrome specifically. Implementing such Javascript causes the browser processes to eat up the CPU’s resources resulting in a fully utilized processor.
The only way to close the Firefox browser once this has occurred is to shut down the process using a tool like Task Manager.
Following are software versions affected: Firefox 70.x Stable, 71.x Beta, and 72.x Nightly.
Impact
- Could result in a social engineering situation where the user calls the phone number on the screen and potentially gives away sensitive information such as user credentials
- May cause unwanted resource consumption on the affected host.
Recommendation
Consider:
- Providing user/security training to help employees navigate social engineering scenarios
- Perform regularly scheduled patch roll-outs to avoid potential exploitation of vulnerabilities on the network
- Reset user passwords if evidence presents itself that credentials were leaked to unauthorized third parties
- Use the bug tracking link below to check for the latest patch release
Sources
IBM X-Force Exchange Post: https://exchange.xforce.ibmcloud.com/collection/Firefox-Browser-Lock-Bug-Abused-By-Tech-Support-Scammers-11d3006352e54aeba0f7a809721c7980
Supporting Documentation:
- Bleeping Computer Article: https://www.bleepingcomputer.com/news/security/tech-support-scammers-are-abusing-a-new-firefox-browser-lock-bug/
- Bug Tracking: https://bugzilla.mozilla.org/show_bug.cgi?id=1571003
- Proof of Concept Code: https://bugzilla.mozilla.org/show_bug.cgi?id=1593795
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by our own CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.
