The locked screen scam that immobilizes your browser: how CypherLoc works and how to defend yourself

Credit: Barracuda Research.

The IT experts at Barracuda Research discovered CypherLoc, a sophisticated web-based scareware kit, which has reportedly already recorded around 2.8 million attacks. The scammers’ goal is to psychologically manipulate the victim into calling a fake technical support number, where operators posing as Microsoft support try to extort money and so complete the attack. Unlike traditional malware, which infects computer files, this system operates entirely within the browser, using encrypted code that is activated only under very specific browsing conditions, which makes it difficult for common security systems to detect.

Once running, it turns a normal web page into a full-screen error screen: it crashes the browser, plays alarming sounds, and displays the user’s IP address to give the impression of active control over the device. Fake login forms also appear; they do not collect any data, but they make the screen more credible and increase the sense of panic when the credentials entered do not solve anything.

How CypherLoc malware works

We are used to thinking that cyber threats always come from an infected file downloaded onto the computer. CypherLoc shows that this is not always so: here the attack lives entirely in the browser, leaving no traces on the system. This is scareware, i.e. software designed not to damage the device but to scare the user into taking reckless actions.

It all starts with a phishing email containing a link to a seemingly innocuous page. Inside it hides the payload, the operational heart of the attack, which remains encrypted and invisible until certain conditions are met. The mechanism is called hash-gating: the code is decrypted only if a specific fragment is present in the URL and if the encrypted content passes a cryptographic integrity check via HMAC. If the page is opened by a scanner or in a sandbox (the virtual environments used by security analysts), the payload does not fire and the page simply displays a blank screen, making the attack invisible to analysis tools.
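For defenders triaging reported links, the hash-gating described above suggests two checks: does the URL carry a long, random-looking fragment, and does the page script combine fragment reads, an HMAC or decryption step, and dynamic code execution? The sketch below is an added example, not code from Barracuda Research or from the kit; the token patterns, thresholds and sample values are assumptions chosen for illustration.

```python
import math
import re
from collections import Counter
from urllib.parse import urlsplit

# Heuristic token groups; assumptions for illustration, not strings taken from the kit.
INDICATORS = {
    "reads_fragment": re.compile(r"location\.hash"),
    "integrity_or_decrypt": re.compile(
        r"crypto\.subtle\.(?:verify|decrypt|importKey)|HMAC", re.I),
    "dynamic_exec": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
}

def shannon_entropy(text):
    """Bits per character; random-looking key material scores high."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())

def fragment_looks_like_key(url, min_len=16, min_entropy=3.5):
    """True when the #fragment is long and random-looking rather than a page anchor."""
    fragment = urlsplit(url).fragment
    return len(fragment) >= min_len and shannon_entropy(fragment) >= min_entropy

def gating_indicators(script_text):
    """Names of the indicator groups that occur in the page's script source."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(script_text))

def triage(url, script_text):
    """Flag a link for manual review and for detonation with its fragment intact."""
    key_like = fragment_looks_like_key(url)
    hits = gating_indicators(script_text)
    return {
        "fragment_key_like": key_like,
        "indicators": hits,
        # The fragment never reaches the server, so a scanner that strips it
        # would only ever be shown the blank page.
        "suspicious": key_like and len(hits) == len(INDICATORS),
    }

# Constructed samples (not real CypherLoc URLs or code).
GATED_URL = "https://example.test/invoice#k9Xq2LmZ7pRt4VbN8cYw"
PLAIN_URL = "https://example.test/docs#installation"
GATED_SCRIPT = ("var f = location.hash.slice(1); /* ... */ "
                "crypto.subtle.verify('HMAC', key, tag, blob); /* ... */ eval(out);")
```

A hit is a reason to open the full URL, fragment included, in an isolated browser; each indicator also appears in legitimate pages on its own.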

However, when all conditions are met, a full-screen interface is shown. From that point on, every click, every switch to full screen, and every page reload triggers alarm sounds. There is no actual damage to the computer, but the combination of these visual, aural and interactive effects creates a convincing illusion of a system crash.

If the user tries to examine the page with the browser’s developer tools, CypherLoc responds by initiating a continuous cycle of asset reloads, media stream restarts, and layout recalculations, sending the browser into a tailspin and reinforcing the impression that something serious is actually happening. The only apparent way out is the tech support number prominently displayed on the screen. Whoever calls it finds a scammer on the other end pretending to be a Microsoft operator, ready to complete the deception by trying to extort money.

The CypherLoc attack pattern. Credit: Barracuda Research.

How to protect yourself from the blocked browser scam

Defending yourself from this type of attack requires both adequate technical tools and a good dose of awareness. On the technological front, it is essential to equip yourself with effective anti-phishing solutions, supported by security systems for web browsing and for the protection of devices connected to the network.

On a purely psychological front, the most important rule is to ignore supposed security alerts that block your browser, ask you to call a support number, or require you to submit personal information (such as credit or debit card information) to resolve the problem.