Hello. I’ve been browsing some… “questionable sites” of the “adult nature”. One of the biggest free ones, mind you. With AdBlock and Ghostery on. They still do not prevent some of the popunder ads, though. Usually not an issue. I also knew that these sites can have some malicious ads, but this is a new kind of low.
The popunder was some short, random .ru website. It gave me a blank white page and one of those JavaScript warnings, which told me to click “install” to close the site. Soon after that, the page went fullscreen, and I got a CHROME STORE POPUP, asking me if I wanted to add or deny some random, generic-named addon. There was also an automated Dutch (I have a Dutch browser and live in NL) voice on a loop, saying “Press accept to close the site”. Pressing cancel would just open it again. Basically no way to close it or exit fullscreen.
Eventually I managed to close Chrome from the task manager, and when the session restarted and the site opened again, I closed the JavaScript message and IMMEDIATELY closed the page before the Chrome Store thing popped up.
I have no idea what the AddOn would do, but I assume either open some malware sites, track my activity, or steal passwords saved in Chrome.
Do you guys want the link? I can get it from my history. I can also open it again to get the name of that Chrome addon.
It’s not malware installed on my machine, though. I’m reporting an ad that was trying to install malicious software. I’ve never seen this kind of an attack before, using the Chrome Store to add extensions to a browser.
This type of threat is very common, especially in the scamming industry. The scammer will (ab)use the fullscreen feature of modern browsers and use an image to simulate the real browser. I have not seen one that claims to be a Chrome extension, however.
If you still have the URL of the redirect in your history, please do PM me the details. I’d love to get my hands on a live sample. If possible, link all redirects and not just the final URL.
For your own safety, I’d advise using uBlock Origin as your adblocker (if you’re using older software like Adblock Plus) and uMatrix as the “Chrome version” of NoScript. Both of these extensions are open-source and are highly regarded by many. The problem lies in your trusting any website to execute JavaScript code. You really shouldn’t do this on certain websites. A script blocker such as uMatrix will help prevent a suspicious redirect from executing malicious code, sometimes even stopping the redirect itself.