There have been several reports of Tech Support Scams that begin with a “Browser Lock” pop-up: a malicious notification that opens in full-screen view, making it difficult to close. The pop-up displays a telephone number; calling it leads to the scammer directing you to set up remote screen-sharing access through a tool such as TeamViewer or LogMeIn. From there the scammer will try to convince you of the threat, request payment for triage and threat removal services, and attempt to set up a backdoor on your system for further extortion.
The following video, from Microsoft, describes this scam tactic: How to spot a tech support scam
What to do if you encounter this scam
Do not panic! You should never provide a third party remote access to a UNC owned/managed system without prior authorization by ITS or your department IT. Remote access can potentially expose data and authentication credentials.
If you were in contact with the scammer
If you were in contact with the scammer, provided remote access and/or you believe UNC Sensitive Information may be at risk, follow the Information Security Incident Management Standard:
- Remove your hands from the keyboard. Limit any further interaction with the device to preserve evidence: do not clear the browser cache, run an AV scan, or turn off or reboot the computer. You may disconnect the physical network cable or place the device in airplane mode as a precaution.
- Call 919-962-HELP or, from a separate, trusted device, Report an Issue via help.unc.edu. Specify that the issue is Critical and that UNC Sensitive Information is at risk. Provide a phone number where you can be reached and await further instructions from a UNC Information Security Incident Handler.
- If you have access to another device that was not exposed to the threat actor, change your ONYEN password from the trusted device.
If you provided sensitive personal information (e.g., credit card or other payment information):
- Contact your bank and freeze your card.
- Monitor your credit reports and consider placing a freeze on your reports to limit the impact of identity theft. A Password Manager is very helpful for managing the requisite account passwords and PINs with the major credit bureaus to [un]freeze your credit reports.
- You can report the scam to the FTC and FBI.
If you have not interacted with the scammer or provided remote access
If you’ve encountered the pop-up but have not called the phone number, been contacted by the scammer, or provided remote access, and have no other reason to suspect an Information Security Incident involving UNC Sensitive Information, do the following:
- To close the pop-up, press F11 to exit full-screen mode. If this does not work, press Ctrl+Alt+Del and open Task Manager. In Task Manager, select the browser processes and choose “End Task” to force-close the browser. Note that when you re-open the browser it may offer to restore your previous session; decline so that the pop-up is not re-opened.
- Clear the cache of the browser you were using (Chrome, Edge, Firefox).
- Run a full AV scan.
- Follow up with 962-HELP (help.unc.edu) and/or your department IT as a regular, non-critical incident to report the occurrence. Note the approximate time of the pop-up so we can confirm there was no other suspicious activity related to your Onyen account.
What causes the pop-up
There are reports that scammers are using search engine ads for popular brands to deliver the pop-up (i.e., malvertising; see this report from BleepingComputer). These results may display with a Sponsored or Ad heading above the search result link. Be cautious when using search engines: hover over the link to verify its destination before clicking, and/or browse directly to the intended site by typing its URL into the address field of your browser.
If you encounter one of these you can report them to the search engine provider (e.g., Google). Microsoft also has a mechanism for reporting tech support scams.
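As an added illustration of what “verify the link destination” means in practice (example code, not part of the original page), the Python check below takes the URL shown when hovering over a link and tests whether its host really belongs to the site you intended to visit; all domains in it are constructed placeholders, not real indicators.

```python
from typing import Tuple
from urllib.parse import urlsplit


def check_link_destination(url: str, expected_site: str) -> Tuple[bool, str]:
    """Return (ok, reason) for whether `url` leads to `expected_site`.

    urlsplit() separates userinfo ('user@') and the port from the hostname,
    so 'https://example.com@evil.test/' yields host 'evil.test'.  A plain
    endswith() check is deliberately avoided: 'evil-example.com' ends with
    'example.com' but is a different site, so the dot is required.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'}, not https"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "no hostname in link"
    if parts.username is not None:
        return False, f"text before '@' hides the real host {host}"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, f"punycode label in {host}: possible lookalike domain"
    expected = expected_site.lower()
    if host == expected or host.endswith("." + expected):
        return True, f"host {host} belongs to {expected}"
    return False, f"host {host} is not {expected} or a subdomain of it"


# Constructed sample destinations a user might see when hovering over a
# sponsored search result; none of these are real sites.
SAMPLE_LINKS = [
    "https://www.example.com/download",
    "http://www.example.com/download",
    "https://www.example.com.support-desk.test/download",
    "https://evil-example.com/download",
    "https://www.example.com@support-desk.test/download",
    "https://xn--exmple-xqa.com/download",
]


def main() -> None:
    for link in SAMPLE_LINKS:
        ok, why = check_link_destination(link, "example.com")
        print("OK  " if ok else "WARN", link, "-", why)


if __name__ == "__main__":
    main()
```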
🚨 We detected a major malvertising campaign abusing Google Ads.
➡️ Stay tuned for our full report on this campaign. pic.twitter.com/VzAdtgVR3q
— Malwarebytes Threat Intelligence (@MBThreatIntel) July 20, 2022