4

I was recently browsing online when I came across this page:

enter image description here

When I chose to close the tab, I received this message:

enter image description here

And after choosing "Leave this page" twice, I receive this message:

enter image description here

Choosing OK reverts back to the first message. It appears the only way I can close this tab is to force close Internet Explorer. I already know about scams like this; they show you your Event Log while declaring any errors are a sign of malware, then they talk you through installing remote control software, where they then talk you through handing out your credit card information, changing your login password, and also doing god knows what else.

How can this type of hijacking be avoided? I am running Internet Explorer with Windows 8.

dan
motoku

3 Answers

5

I would suggest using Firefox with NoScript or comparable setup.

NoScript allows you to monitor scripts loaded from websites and selectively allow certain JavaScript to run. That way you can prevent dubious scripts from running. It is especially useful as much malware is not hosted on the website itself, but often through ads or other third-party content.

Other than that, it is always a good idea to avoid shady websites, have an AV product that is up to date, and always install patches for your browser and OS.

In case you do need to visit websites with questionable reputation, you might want to use a VM with correct configuration to avoid infections of the host. This is not 100% secure but it is pretty good against average threats.

Contrary to begueradj's comment, using NoScript prevents drive-by-downloads when properly configured. Drive-by-downloads use exploits in the browser or its extensions. Such exploits can be distributed through e.g. JavaScript, Java, Flash, Silverlight among others.
NoScript is able to monitor all content that a website you are visiting references and attempts to load. Such content can be disallowed and then is not loaded and of course not executed.
It also tries to protect against XSS (Cross-Site-Scripting), CSRF (Cross-Site-Request-Forgery) and clickjacking. Take a look at NoScript's website.

If you whitelisted a site that hosts exploits then of course NoScript cannot protect you (you allowed the execution of scripts manually). This is why you should also follow the other security guidelines.

John
  • 5
    I do not know about IE, but Firefox implements a control over the popups opened by a webpage. First, if the website uses a "suspicious" way to open the popup, it is directly blocked and the user must explicitly allow it, but more importantly, starting from a certain number of successive popups opened by the website, Firefox adds a supplementary checkbox above the *OK* button allowing the user to block any further popups from this site. – WhiteWinterWolf Aug 08 '15 at 10:13
  • 1
    @begueradj you seem to be misinformed about NoScript. It does prevent drive-by-downloads and tries to minimize the risk of clickjacking. NoScript does not simply deactivate JavaScript, you can selectively white- and/or blacklist websites and scripts. You can also disallow certain HTML tags, block Flash and much more. Also, OP's question was "How can this type of hijacking be avoided?". I answered that. – John Aug 08 '15 at 11:26
  • 1
    Please keep comments relevant and polite folks. – Rory Alsop Aug 10 '15 at 14:10
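A simplified model of the default-deny, per-site script allowlisting described in the answer above, added here as an illustration; it is not NoScript's code and not part of the original answer. The host names and the `siteOf` and `evaluatePage` helpers are constructed for this example.

```javascript
// Toy model of default-deny script allowlisting (illustrative, not NoScript's code).
// All host names below are constructed sample data.

// Reduce a URL to its site. Assumption: the last two host labels are enough
// for these samples; real tools consult the Public Suffix List.
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// For every script a page references, decide whether it may run.
function evaluatePage(pageUrl, scripts, allowlist) {
  const pageSite = siteOf(pageUrl);
  return scripts.map((s) => {
    // Inline scripts have no src and run with the page's own site.
    const site = s.src ? siteOf(new URL(s.src, pageUrl).href) : pageSite;
    return {
      script: s.src || '(inline)',
      site,
      thirdParty: site !== pageSite,
      action: allowlist.has(site) ? 'run' : 'block',
    };
  });
}

// The user has allowed only one site they trust.
const allowlist = new Set(['news.example']);

// Trusted page that embeds an ad script from a site the user never allowed.
const newsPage = evaluatePage('https://www.news.example/story', [
  { src: '/static/app.js' },
  { src: 'https://cdn.adnetwork.example/serve.js' },
  { inline: true },
], allowlist);

// Unknown page reached by a redirect: its inline dialog script is blocked.
const scamBlocked = evaluatePage('https://pc-alert.example/warning',
  [{ inline: true }], allowlist);

// The same page after the user allowlists it: nothing is filtered any more.
const scamAllowed = evaluatePage('https://pc-alert.example/warning',
  [{ inline: true }], new Set([...allowlist, 'pc-alert.example']));

console.table(newsPage);
console.table(scamBlocked);
console.table(scamAllowed);
```

The third result is the caveat from the answer: once a site is allowlisted, its own scripts run unfiltered, so the allowlist only helps for sites that have not been allowed.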
4

How can this type of hijacking be avoided? I am running Internet Explorer with Windows 8.

Switch to Google Chrome. This has the following option which becomes active when repeated dialogue boxes are displayed:

Chrome alert box

Selecting the checkbox will help prevent a malicious webpage from holding your current browser session to ransom.

SilverlightFox
2

First of all, the phone number that appears on the message alarms appears to be used by nefarious people as you can read for example here.

That said, I want to describe the scenario you experienced according to the behavior you witnessed:

Certain compromised websites could lead to malware installation on your computer simply by your visiting them, without you noticing anything suspicious. Other websites can achieve the same goal by popping up annoying windows where clicking OK or Cancel, or even the close X in the corner, could trigger malware installation (which is your case). In both cases the scenario is called a drive-by download attack, which simply exploits the vulnerabilities of your browsers or the plugins you installed within them. Lots of computers become zombies through this scheme, or simply get infected by adware, spyware or other malware types.

This is not fiction. Maybe one of the best examples I could mention is the famous PHP.net website, which you may have used already if you have developed in PHP. Thus, on 24-Oct-2013, 6,500 computers were infected by DGA.Changer, a malware title whose sole job is to surreptitiously download other malware onto compromised systems. Also, in June 2011, Amnesty International's homepage served malware that exploits a recently-patched vulnerability in Java.

Check whether any extensions have been added to your IE browser without your agreement (you can do that depending on your IE version). If so, then:

  1. The first thing you need to do is to disconnect your machine from the Internet.
  2. Then run a full and deep scan on your machine with all the AV software you have.
  3. Even if you do not find anything suspicious, scan your ports while connected to the Internet.

That said, for the sake of your safety:

  • Do not surf untrusted websites (without valid certificates)
  • Do not use download managers that are easily compromised to download malware in the background
  • Always clear your browsing activity (cookies, sessions ...)
  • Avoid popular websites that are the first targets used to spread malware (porn websites ...)
  • If you are prompted to use your credentials for a given website then be sure of what you are doing.
  • Use free but powerful services such as StopBadWare to check the safety of websites you want to use
  • Best of all, use virtual machines for surfing on websites you do not trust.
  • 3
    I have to disagree on the "annoying windows" part. Usually those do not install malware on their own, they try to trick you into installing it yourself as OP already described. Yes, they might try to exploit your browser right away, but raising all warning flags by popping up windows over and over is not the best way to silently sneak an exploit into your system. – John Aug 08 '15 at 09:45
  • That is exactly what I am saying. What OP described is the one requiring user interaction. Although it can indeed happen that they still try to exploit your browser and show pop-ups. It just does not make much sense if they have exploits at their hand, why would they even raise suspicion by flashing bright warning lights. – John Aug 08 '15 at 09:54
  • I disagree on the part where clicking on "OK", "Cancel" or "X" definitely triggers malware installation. And the case OP described is not a drive-by-download, it is a manual malware installation guideline. – John Aug 08 '15 at 10:04
  • Drive-by-downloads either use JavaScript, Java, Flash or other files/scripts/programs that are interpreted and executed. As NoScript allows you to deactivate the loading of such content, it does protect (with correct configuration) against drive-by-downloads. It also tries to protect against XSS. To avoid clickjacking and CSRF it implements ABE. – John Aug 08 '15 at 11:33
  • 1
    Oh dear. For some reason I never thought of checking my plugins... formatting. – motoku Aug 09 '15 at 02:06
  • @MotokoKusanagi I hope you're being sarcastic. Otherwise that would be a bit drastic. – John Aug 09 '15 at 11:35