
Drive-by Intrusion Blocked - Fake Tech Support Website 16 - Question re how intrusion occurred

System :  HP Pavilion 64 bit
OS:   Windows 10 Home Version 1607  Build 14393.1358 (current at time of attack)
Browser :  Firefox 54.0 (current at time of attack)
Norton Security 22.9.4.8 (current at time of attack, including updates)

While working in Firefox on 6/26/17 at 1:12 PM EDT (Facebook and Yahoo Mail tabs open in one window and an MLB.com ballgame running in another Firefox window), a new tab suddenly opened itself in Firefox -- I did nothing to open the new tab -- and a Norton Security message simultaneously appeared saying an intrusion attack had been blocked. The new tab was labeled "Security Update Error 0xB6369834" and the page display was a red screen purporting to be Windows Defender and saying "Real-time protection was turned off. You should turn it on." Also on the screen was an option to perform a scan and a Help Desk telephone number to call (+1 855 979-6679). Of course I did not click on anything on the screen and tried to close the tab and Firefox after taking photos of the screen. Firefox would not close normally; I had to use the Windows Task Manager to close out. In all, Norton Security History reported 18 identical blocked intrusions over a 13 minute period. The final Norton Security report for this incident reads as follows:


6/26/2017 1:25:14 PM
Severity: High
Activity: An intrusion attempt by 200.7.102.13 was blocked.
Status: Blocked, No Action Required
IPS Alert Name:  Web Attack: Fake Tech Support Website 16
Recommended Action:  No Action Required
Attacking Computer:  200.7.102.13, 80
Attacking URL:  13-555x10000x2-virus.com/en/report.php?id=KzEgKDg1NSkgOTc5LTY2OTc&lzsrzf=xdstas,
Source Address:  200.7.102.13
Traffic Description: "TCP, www-http"

Of course I ran both quick and full scans immediately.  Norton Security reported my computer was clean.

My question is, simply: "What happened?"

I have researched the Web for info on such intrusion attacks, but cannot find a satisfactory answer as to how Firefox opened the new tab with the fake Windows Defender message and obvious malware clickbait and tech support scam telephone number. So I wonder what triggered this attack. I cannot think of anything that I did overtly. Did the trigger come from something in Facebook or Yahoo or the MLB.com sites that I had open in Firefox, or might it have been something latent on my PC -- although my PC has always come up clean on regular daily Norton scans? Was this due to some vulnerability in Firefox itself or the current Windows 10 version?

Norton protected me, for which I am thankful -- well, that is what I paid for.   Nothing unusual has happened since, I am just curious as to what happened and why, and I cannot find a good answer on the Web.

Grateful for any explanation.  Thanks in advance.
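An added example, not part of the original post or of any Norton tooling: a Node.js sketch that splits the alert text quoted above into fields and checks whether the query parameters of the blocked URL are base64-encoded printable text. The function names `parseAlert`, `decodeParams` and `tryBase64` are made up for this illustration, and the alert text is an excerpt copied from the post.

```javascript
// Alert text as quoted in the post (excerpt; one line omitted).
const ALERT = `6/26/2017 1:25:14 PM
Severity: High
Activity: An intrusion attempt by 200.7.102.13 was blocked.
IPS Alert Name:  Web Attack: Fake Tech Support Website 16
Attacking URL:  13-555x10000x2-virus.com/en/report.php?id=KzEgKDg1NSkgOTc5LTY2OTc&lzsrzf=xdstas,
Source Address:  200.7.102.13
Traffic Description: "TCP, www-http"`;

// Split "Key: value" lines into an object. The key ends at the first colon,
// so values that contain colons ("Web Attack: ...") stay intact.
function parseAlert(text) {
  const fields = {};
  for (const line of text.split(/\r?\n/)) {
    const m = /^([A-Za-z ]+?):\s+(.*)$/.exec(line.trim());
    if (m) fields[m[1]] = m[2].trim();
  }
  return fields;
}

// Return the decoded text if value is base64 (standard or URL-safe, padding
// optional) that decodes to printable ASCII; otherwise null.
function tryBase64(value) {
  const v = value.replace(/ /g, '+'); // URLSearchParams turns '+' into ' '
  if (!/^[A-Za-z0-9+/_-]+={0,2}$/.test(v) || v.length % 4 === 1) return null;
  const text = Buffer.from(v, 'base64').toString('latin1');
  return /^[\x20-\x7e]+$/.test(text) ? text : null;
}

// The log omits the scheme and leaves a trailing comma; normalise both,
// then try to decode every query parameter.
function decodeParams(rawUrl) {
  const cleaned = rawUrl.replace(/[,\s]+$/, '');
  const url = new URL(/^[a-z]+:\/\//i.test(cleaned) ? cleaned : 'http://' + cleaned);
  const params = {};
  for (const [name, value] of url.searchParams) {
    params[name] = { raw: value, decoded: tryBase64(value) };
  }
  return { host: url.hostname, path: url.pathname, params };
}

const fields = parseAlert(ALERT);
console.log(fields['IPS Alert Name'], decodeParams(fields['Attacking URL']));
```

The `id` parameter decodes to a phone-number string, while `lzsrzf` does not decode to printable text and is reported as `null`.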

Replies


Re: Drive-by Intrusion Blocked - Fake Tech Support Website 16 - Question re how intrusion occurred

Most likely a malicious ad on one of the websites you had open used JavaScript to redirect to the malicious link.  Use of an ad blocker or NoScript can help to prevent these sorts of things.


Re: Drive-by Intrusion Blocked - Fake Tech Support Website 16 - Question re how intrusion occurred

SendOfJive: Thank you for prompt reply. I understand re ads and links of any kind. I should have been more clear in my post (when I said "I did nothing to open the new tab" & "I cannot think of anything that I did overtly") that I did not click on any ads (I NEVER click on ads) or any links from any open webpages. In addition, I had (and keep) Flash Player set to "Ask To Activate" (except to load an MLB.com game where it must be set to "Always Activate" to load -- I reset to "Ask To Activate" as soon as the game loads) and I use Adblock Plus. I have used NoScript in the past, but did not have it installed at the time of the attack and do not now have it installed (I will likely re-install NoScript). Java is not installed anywhere on my PC; but, as we both know, JavaScript is completely different from Java, so JavaScript could be the culprit, but again I still don't know how unless via either Facebook, Yahoo, or MLB.com without ANY action on my part. I have Norton Safe Search installed and all of the websites that I had visited prior to this incident were green lit by Norton. I can find nothing in my Firefox history that indicates a suspicious URL other than the attacking intrusion that was blocked. My knowledge here is limited, so I must ask: Can a webpage ad redirect me to or open a new browser tab simply by being present on a webpage and without my clicking on the ad? If so, then it must have happened from one of the Norton "Safe"-rated pages that I had open or had recently visited, which is rather disconcerting.

Other information:  I have the Facebook Purity extension installed in Firefox and, following the attack, I have installed the uBlock Origin extension to Firefox.  I understand using both Adblock Plus and uBlock Origin is somewhat redundant and resource consuming, but that does not seem to present any problem to my PC so far.   NoScript is much more intensive and requires constant user interaction, but that may be worth the trouble to prevent such attacks.  But I still don't quite get how such attacks are generated from "safe" pages without a user click on a visible or hidden link.  I did find some explanatory help & tips re this subject (exploit kits and drive-by intrusions) at this "BleepingComputer" webpage:
https://www.bleepingcomputer.com/forums/t/578697/can-you-get-a-virusmalw...

Thanks again.


Re: Drive-by Intrusion Blocked - Fake Tech Support Website 16 - Question re how intrusion occurred

When you load a webpage, you are often (but not always) also loading as many as dozens of third-party websites, such as advertising distributors, web analytics companies, etc.  It is always possible that either the original site, or one of the third-parties, has been compromised and JavaScript has been embedded that directs to a site hosting malware.  Like all other site rating services, Norton is not real-time, and a site may have been hacked since it was last tested for threats.  Malicious ads can surreptitiously slip into a rotation at any time.  And yes, JavaScript can open a new tab by directing the browser to the malicious IP address.  That is a fairly common occurrence and would be the most likely explanation for what happened.


Re: Drive-by Intrusion Blocked - Fake Tech Support Website 16 - Question re how intrusion occurred

SendOfJive -- Once again a great thank you. As I said, I am not very knowledgeable, but that is pretty much what I expected, disconcerting as it may be. I am now running NoScript again in spite of the annoyance and extra time it takes in loading and reloading pages. I will have to learn how to use NoScript more efficiently and effectively. Some Web discussions mention uMatrix as an alternative Firefox add-on to help prevent exploits and drive-bys, but I have used NoScript before and am more familiar with that extension. Thanks again. I believe this completes my quest for information on this issue. Great help here.

Re: Drive-by Intrusion Blocked - Fake Tech Support Website 16 - Question re how intrusion occurred

Once you have configured NoScript to allow the safe sites that you frequently use, it really becomes much less inconvenient to use over time.  Eventually you get to a point where temporarily allowing a limited number of domains on unfamiliar websites when necessary becomes pretty intuitive and routine.
