Den Delimarsky

I am an engineer working on API documentation, security and machine learning.

github twitter linkedin email rss
Tech Support Scam Site - Beware of Jammed Safari
Feb 6, 2018
3 minutes read

Recently I’ve been reading a tech site on my iOS device when a new tab opened and went into the background - something I’ve seen before caused by rogue ads that are fetched via normal means (e.g. embedded in a legit page), so my next steps were not unusual - go to the tab and close it. Here is what I faced:

Safari locked by a tech support scam

Once the tab opened, I instantly recognized it as one of those tech support scams. Clearly they want to automatically call whatever number it is programmed to call, which I can only assume will go to one of those call centers where you will be asked to provide some private information to unblock the phone from some scary virus that might be stealing your info from your iPhone.

To add the vibe of legitimacy, the site also pretends like it’s Apple, and points out that it detected “illegal activity” - laughable, no?

Looking closer at the URL:

www.security-breach-info.info/11/index11.html?phone=SUCKIT

The phone number here is deliberately masked by me into something that nobody will call, and obviously you can see it in the screenshot above. Ingenious. So what happens if I cancel out and don’t call anything?

Safari locks up completely. Given that it’s sandboxed and no external process can affect other processes, I can just exit out:

Exit Safari

But what is happening that Safari is being jammed to a dead-end where, if left open, it just crashes? Apparently whoever owns the site, created some malicious JavaScript that runs in a loop - this can be inspected by using an external view-source tool:

Bad JS

Looks like your run-of-the-mill script kiddie stuff, where you lock the browser by overloading the JS engine. Cool, so time to report this domain for pretending to be someone else, right?

A bit of a WHOIS magic and we get the information on the domain owner, and reveals that the domain was registered on GoDaddy:

WHOIS information on domain owner

Ideally, we should be able to contact GoDaddy and report domain abuse, so that’s what I did:

GoDaddy contact

I got a canned response that mentioned that the current abuse email is just for general complains, and that I need to assign a “bucket” to my report, depending on which I need to file the report to the appropriate channel. Which I did:

GoDaddy contact

And then there was no response.

The GoDaddy policy is that they don’t follow-up on reported domain abuse cases, which is fine, however, today, at the time of publication, the domain is alive and well, still with GoDaddy, almost 3 weeks after the original report. If you know a better way to report it, please let me know, because while tech-savvy people can see what this is about, those that aren’t are likely to get scammed.


Back to posts