Hackers are exploiting web advertising networks to trick users into clicking malware through fake pop-up system alerts, according to a recent report by SophosLabs.

The cybersecurity firm in its study ‘Faking it: The Thriving Business of ‘Fake Alert’ Web Scams’ researched and detailed a collection of scams “that exploit web advertising networks to pop-up fake system alerts on both computers and mobile devices.”

According to the study, the goal of the scam was to frighten people “into paying for a solution — to a problem they don’t even have.”

“It’s not exactly a new trick. ‘Scareware’ pop-ups have been used for years to prompt people into downloading fake virus protection and other malicious software, including ransomware,” Sophos explained.

“But the latest variations find other ways to cash in on fake alerts: using them as the entry point to technical support scams or prompting their victims to purchase fraudulent apps or ‘fleeceware’ off a mobile app store,” it added.

These fake alerts, unlike the older scams, also prompt targets to “call back,” saving scammers the hassle of cold calls and voice-phish victims.

“While browser developers have done a lot to make ‘malvertising’ more difficult, ad networks keep finding new ways to pop up content in your device browsers, and scammers continue to take advantage of ad networks to target more vulnerable people. Sophos’ research shows how expansive these ‘fake alert’ fraud schemes and the ecosystem that supports them still are, and how little investment and technical skill are required to run them,” said Sean Gallagher, senior threat researcher, SophosLabs.

Read more:

Related Stories
Researchers warn against a new malware toolset used for industrial espionage

How to spot the scams?

The scams, however, can be easy to spot as similar to standard phishing messages, these pop-ups often contain messages with “strange phrasing, capitalisation, and grammar or spelling mistakes.”

Hackers will sometimes also include a countdown in the message to make victims more nervous and force them into clicking on the malicious message.

Some technical support scams are also likely to play computer-generated voice messages urging targets to take action.

“But all of these scams have one very specific thing in common — they go away when you close your browser,” said Sophos.

However, sometimes, while “mobile fake alerts and similar pages on desktop browsers can be easily closed, ‘browser lock’ support scam pages often use scripts that make it difficult or impossible to close the web browser normally or navigate away from the page.”

These scripts may force the browser window to go into full-screen mode or hide the mouse cursor, making it more difficult to spot. They can also sometimes launch never-ending file downloads or pop up log-in boxes that request a username and password. These scripts may also attempt to capture keystrokes to prevent navigation away from the page with keyboard short-cuts.

“Using Task Manager (on Windows) or Force Quit (on MacOS) may be the only way to escape some of these pages, short of a reboot — that and not allowing the browser to restore pages from the last session when re-launching. However, the best way to prevent most of these attacks is to cut off the ad networks that they rely on,” the report said.