Tech support scammers leverage “evil cursor” technique to “lock” Chrome


Tech scammers are constantly coming up with new techniques to make users panic and seek their bogus services. The latest one, documented by Malwarebytes researchers, has been dubbed “evil cursor”.

“Evil cursor”

The trick works against a recent version of Google Chrome (69.0.3497.81) and prevents victims from closing the tab or browser window by clicking the “X” in the upper right corner.

Victims believe they are pressing the “X”, but code in the malicious page replaces the normal pointer with a custom cursor image that is effectively a large box. The point where a click actually registers (the cursor’s hotspot) is therefore not where the user believes the pointer is, and the click lands on a different part of the window, where it does nothing.
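The misdirection rests on the page-supplied cursor itself, so the declaration that installs it is something a defender can look for. The following is an added example, not code from the article, Malwarebytes or Chromium: a small scanner over CSS text that flags custom-cursor declarations shaped like the trick described above, i.e. a `cursor: url(...)` applied to the whole page (`html`, `body` or `*`) and/or a cursor image far larger than a conventional 32x32 pointer. The 32-pixel threshold, the function names and the sample CSS (with a constructed 128x128 PNG header) are assumptions made for the example.

```javascript
// Added example (not the article's, Malwarebytes' or Chromium's code): flag
// CSS custom-cursor declarations that look like an "evil cursor" setup.
// Assumptions: cursors wider/taller than MAX_SANE_CURSOR_PX are suspicious,
// and a custom cursor on html/body/* is suspicious. Sample CSS is constructed.

const BLOCK_RE = /([^{}]+)\{([^{}]*)\}/g;                  // selector { declarations }
// cursor: <value>, consuming whole url(...) tokens so a ';' inside a data: URL
// does not end the value early
const CURSOR_RE = /cursor\s*:\s*((?:url\([^)]*\)|[^;}])+)/gi;
// url(<src>) followed by an optional "x y" hotspot
const URL_RE = /url\(\s*['"]?([^'")]+?)['"]?\s*\)(?:\s+(-?\d+)\s+(-?\d+))?/gi;

const BROAD_SELECTORS = new Set(['*', 'html', 'body']);
const MAX_SANE_CURSOR_PX = 32; // assumption: larger than a normal pointer image

// Read width/height from a base64 PNG data: URL; IHDR is always the first chunk.
function pngDimensionsFromDataUrl(src) {
  const m = /^data:image\/png;base64,(.+)$/i.exec(src);
  if (!m) return null;
  const bytes = Buffer.from(m[1], 'base64');
  if (bytes.length < 24 || bytes.toString('latin1', 12, 16) !== 'IHDR') return null;
  return { width: bytes.readUInt32BE(16), height: bytes.readUInt32BE(20) };
}

// Every url(...) cursor declaration with its selector, hotspot and image size.
function parseCursorDeclarations(cssText) {
  const found = [];
  for (const block of cssText.matchAll(BLOCK_RE)) {
    const selectors = block[1].split(',').map(s => s.trim()).filter(Boolean);
    for (const decl of block[2].matchAll(CURSOR_RE)) {
      for (const u of decl[1].matchAll(URL_RE)) {
        const hotspot = u[2] !== undefined ? [Number(u[2]), Number(u[3])] : [0, 0];
        for (const selector of selectors) {
          found.push({ selector, src: u[1], hotspot, size: pngDimensionsFromDataUrl(u[1]) });
        }
      }
    }
  }
  return found;
}

// Keep only declarations that match at least one "evil cursor" trait.
function findSuspiciousCursors(cssText) {
  return parseCursorDeclarations(cssText).map(d => {
    const reasons = [];
    if (BROAD_SELECTORS.has(d.selector.toLowerCase())) reasons.push('custom cursor on whole page');
    if (d.size && (d.size.width > MAX_SANE_CURSOR_PX || d.size.height > MAX_SANE_CURSOR_PX)) {
      reasons.push(`oversized cursor image ${d.size.width}x${d.size.height}`);
    }
    if (d.hotspot[0] > MAX_SANE_CURSOR_PX || d.hotspot[1] > MAX_SANE_CURSOR_PX) {
      reasons.push(`hotspot far from image origin (${d.hotspot.join(',')})`);
    }
    return { ...d, suspicious: reasons.length > 0, reasons };
  }).filter(d => d.suspicious);
}

// Constructed sample: the first 24 bytes of a PNG (signature + IHDR) are enough
// for the size check, so build just that header for a given width/height.
function makePngHeaderDataUrl(width, height) {
  const buf = Buffer.alloc(24);
  Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]).copy(buf, 0); // PNG signature
  buf.writeUInt32BE(13, 8);          // IHDR chunk length
  buf.write('IHDR', 12, 'latin1');   // chunk type
  buf.writeUInt32BE(width, 16);
  buf.writeUInt32BE(height, 20);
  return 'data:image/png;base64,' + buf.toString('base64');
}

// Constructed CSS: a page-wide 128x128 cursor (the suspicious pattern) next to
// a harmless 16x16 cursor on a single link.
const SAMPLE_CSS = `
  html, body { margin: 0; cursor: url(${makePngHeaderDataUrl(128, 128)}), auto; }
  a.help { cursor: url(${makePngHeaderDataUrl(16, 16)}) 8 8, pointer; }
`;

for (const hit of findSuspiciousCursors(SAMPLE_CSS)) {
  console.log(`${hit.selector}: ${hit.reasons.join('; ')}`);
}
```

Run under Node; for the constructed sample it reports the `html` and `body` rules (whole-page cursor, 128x128 image) and stays silent on the link’s 16x16 cursor. A real page would feed the scanner the contents of its stylesheets and `style` attributes; external cursor images would need to be fetched before their size can be checked, which this example does not do.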


The researchers have flagged the issue to the Chromium team (Google Chrome is based on the open source Chromium browser), which is now debating how to close that particular avenue for deceit.

Partnerstroka campaign

“This is one example of many such tricks that can be used against modern browsers. Oftentimes, features that are either well-documented or more obscure turn into attack vectors used to further fool end users, causing them to dial up the scammers for assistance,” Malwarebytes researcher Jérôme Segura explained.

“Indeed, the sound of an alert and a browser that appears to be completely locked up triggers panic for many people. These are essentially the same scare tactics that have been used for ages and still work well.”

The “evil cursor” trick was first leveraged by a scam group the researchers have dubbed Partnerstroka, but it’s likely that other scammers are also using it by now.


Researchers have been tracking Partnerstroka’s tech scam campaign for a while now, and the group is not missing a beat. Its landing (“browlock”) pages look very professional; whichever browser a victim uses, the pages identify it and know how to “lock” the screen and induce panic; and new “browlock” domains are constantly being registered, with victims redirected to the latest one.