##Update:## Additional information about this campaign:

The following malicious pages are active at the time of writing:








The following pages were contained in the emails themselves, and redirect to the malicious pages:










The following emails were received:


Very common browser locker/text support scam setup. The malicious pages in this campaign are not sophisticated. If the user has not clicked anywhere on the page, they can simply navigate away. If they have, the page will become full screen, and it will require the use of keyboard shortcuts to open a task manager and terminate the browser process.


The email, received July 26, 2017 was purporting to be a Facebook password reset link. The sender email was unrelated to the source IP of the message so it was redacted.

The header of the email shows a source IP address of This address resolves to a Vietnamese domain that appears to be a restaurant website. Excuse my lack of Vietnamese language skill.

The link goes to a domain csasesores[.]com[.]ar/psychologically[.]php. The page is a simple javascript redirect that is obfuscated. The comment in the code below shows what is generated by the method:

This kicks of a chain of redirects, presumably for ad revenue generation (line wraps for readability):


http://tipforso.com/d/r6t0b27039?rtb=bbf5c3c30a4a6a7b1440169be16100c4.0&h=0.19&rtc= 45894_3ee488cf0a1ea2296c4bc36fbf092837_20d8d3b76a136b7cbd7084b33ac8d6fc1501110506.2487_205_02&subid=NDAxMzM2LU1qVXdOekUz

http://blobar.org/d/r6t0b27039?k=b70be0c41fa291af6fadfe5320455f86.1501109837.907.1&rtb=bbf5c3c30a4a6a7b1440169be16100c4.0&h=0.19&rtc=45894_3ee488cf0a1ea2296c4bc36fbf092837_ 20d8d3b76a136b7cbd7084b33ac8d6fc1501110506.2487_ 205_02&subid=NDAxMzM2LU1qVXdOekUz&r=http%3A%2F%2Fcsasesores.com.ar%2Fpsychologically.php&z=420

The final request is redirected back to the original domain, with a GET parameter that (I assume) triggers the final redirect to a variety of generic browser lock pages. In addition to the visual components, audio of a computer generated voice warns the user that their sensitive data is being transmitted to "hackers":

The following code is from one of the lockers. They appear well known, and have been previously submitted to VirusTotal and malware sharing sites. Some extraneous lines are omitted and the comments provide a summary of the functionality. The first image is the main "locking" component, an alert dialog that is created repeatedly:

Interestingly, there is a google analytics object embedded in the pages. It can be seen in the last image. It is possible that this object could help to identify the author. The code contains an iframe that is programmatically directed to the following URL:

That IP is associated with the domain groovyshop.xyz. Directly accessing the domain resulted in a 404.

The pages are served by Amazon Web Services at the following URLs:




One page was hosted at a different URL, hosted by GoDaddy, using a free domain name from Freenom, a company in the Netherlands:


The Actor

The only trail (that my limited PI skills discovered) was the Google Analytics object seen above. The following WHOIS lookups on the associated domains described above may or may not be useful:

Virus Total reports for the various domains and IP addresses:

IP Report:

VirusTotal - associated IP

VirusTotal - csasesores.com.ar

VirusTotal - GroovyShop.xyz


These types of campaigns are exceedingly common. Non-savvy users may get roped into calling the fraudulent tech support numbers and end up falling victim to a typical support scam. No malware was obtained directly from these emails, but it is likely that anyone allowing remote access to a tech support scammer may fall victim to an infection.

Get honeypotted? I like spam. Contact Us Contact Us Email Email ar.hp@outlook.com email: ar.hp@outlook.com