top of page

Updated WoofLocker Toolkit Leveraged for Tech Support Scams

Cybersecurity specialists have scrutinized an enhanced variety of a refined digital fingerprinting and redirection instrument known as WoofLocker, chiefly designed to execute tech support scams. Initially recorded by Malwarebytes in 2020, this elaborate traffic steering scheme adopts JavaScript incorporated within infiltrated websites. It conducts anti-bot and web traffic filtering evaluations to utilize subsequent JavaScript that takes users to a browser locking page or "browlock".

The redirection component then employs steganographic subterfuges to hide the JavaScript code within a PNG image, which is activated only once the vetting process is judged successful. Alternatively, if any user is determined as a bot or uninteresting traffic, a dummy PNG file bereft of malevolent coding is utilized. WoofLocker, also known as 404Browlock, obtains this name due to the fact that visiting the browlock URL without the suitable redirection or one-time session key leads to a 404 error page.

Malwarebytes’ recent analysis demonstrates that the campaign is still in force. The campaign's modus operandi remains largely unaltered, however, the supporting infrastructure now demonstrates increased resilience against potential dismantling attempts. Ascertaining and understanding the redirection mechanism has become more challenging owing to the implementation of additional fingerprinting checks. These are used for detecting the existence of virtual devices, specific browser extensions, and security tools.

Prominent among the websites employing WoofLocker are adult-content sites. The infrastructure is heavily dependent on hosting providers based in Bulgaria and Ukraine, offering the threat actors amplified protection from take-down attempts. The predominant objective of these browser lockers is to coax targeted victims into seeking assistance to troubleshoot (fabricated) computer issues. This paves the way for gaining remote control over victims’ computers, and subsequently generating an invoice advocating for a security solution.

Depending upon third-party fraudulent call centers, the threat actor behind the traffic redirection and browlock earns remuneration for each successful lead. Although the precise identification of the threat actor remains undiscovered, evidence indicates that preparations for this campaign have been in progress since 2017.

In contrast to other campaigns dependant on acquiring advertisements and addressing hosting providers and registrars in an arcade-style format, WoofLocker presents as a highly stable and low maintenance strategy. The malevolent code has been hosted on compromised websites for years while leveraging reliable registrar and hosting provider services.

It’s noteworthy that many scams aim at young users, seducing them into downloading apps, malware, or surrendering personal details in exchange for illusory rewards on gaming platforms like Fortnite and Roblox. Ensure to stay tuned for your cybersecurity news, insights, and tips.

At Darksteel Technologies, we are an Orlando based business that can handle all aspects of your IT security. Providing compliance, training, malware protection, cloud security, devsecops, vulnerability management, penetration testing, architecture design and any other information security requirement your business needs. We focus on your cybersecurity so you don't have to.


Commenting has been turned off.
bottom of page