Rise in Tech-Support Scams Abusing Windows Action Center Notifications

Zscaler ThreatLabz documented a surge in tech-support scams that coerce users into allowing browser notifications and then abuse Windows Action Center to deliver fake infection alerts and full‑screen scare pages. Attack chains commonly start from pirated streaming sites or fraudulent X posts, use browser push permissions to send notifications, and employ JavaScript to lock the page and play alarm audio to force victims to call scam numbers. #WindowsActionCenter #ZscalerThreatLabz

Keypoints

  • Scammers prompt users (via pirated streaming sites or X posts) to allow browser notifications; once an origin has been granted the permission, its service worker can push notifications even when no tab for that site is open, and the grant persists until the user revokes it.
  • Browser push notifications are delivered into the Windows Action Center and used to lure users back to scam pages that claim system infections.
  • Scam landing pages often run JavaScript to disable closing/minimizing, block right-click and keystrokes, and present full‑screen fake alerts with alarm audio.
  • Attackers use fake “robot verification” (captchas/checkboxes) to feign legitimacy before requesting the notification permission.
  • Many malicious hosts are served via Amazon CloudFront or DigitalOcean (with DigitalOcean app subdomains often using marine-animal names).
  • Zscaler detects these as HTML.Phish.TechSupport and enumerated numerous malicious domains, streaming sites, and fake security vendor pages.
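The first two keypoints describe the mechanism: the notification grant outlives the page, so on a suspect endpoint the first check is which origins the browser profile has allowed. The script below is an added example (not Zscaler's tooling) that reads the `profile.content_settings.exceptions.notifications` section of a Chromium `Preferences` file and lists the allowed origins with the time the grant was last modified. The JSON excerpt is constructed; the file paths, the `setting` values and the `last_modified` encoding are assumptions from Chromium's content-settings format; the two DigitalOcean hosts are the ones listed under Indicators of Compromise.

```python
"""Audit which origins a Chromium-based browser profile has allowed to push
notifications. Added example; the Preferences layout is assumed from
Chromium's content-settings format, not taken from the Zscaler post."""
import json
from datetime import datetime, timedelta, timezone

# Chromium ContentSetting values: 1 = ALLOW, 2 = BLOCK, 3 = ASK (assumption).
SETTING_ALLOW = 1

# Chromium serialises times as microseconds since 1601-01-01 UTC (assumption).
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed Preferences excerpt. On Windows the real file is expected at
#   %LOCALAPPDATA%\Google\Chrome\User Data\<profile>\Preferences   (Chrome)
#   %LOCALAPPDATA%\Microsoft\Edge\User Data\<profile>\Preferences  (Edge)
# Keys are "<primary pattern>,<secondary pattern>"; for notifications the
# secondary pattern is "*".
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://mail.example.com:443,*": {
            "last_modified": "13340000000000000", "setting": SETTING_ALLOW},
        "https://sea-turtle-app-yb2h9.ondigitalocean.app:443,*": {
            "last_modified": "13359031269000000", "setting": SETTING_ALLOW},
        # No last_modified at all: older profiles may lack the field.
        "https://lobster-app-3vokw.ondigitalocean.app:443,*": {
            "setting": SETTING_ALLOW},
        # Explicitly blocked origin: must not be reported.
        "https://news.example.org:443,*": {
            "last_modified": "13340000000000000", "setting": 2},
    }}}}
})


def chromium_time(value):
    """Convert a Chromium internal time string to an ISO-8601 UTC string."""
    if value is None:
        return None
    when = WINDOWS_EPOCH + timedelta(microseconds=int(value))
    return when.strftime("%Y-%m-%dT%H:%M:%SZ")


def allowed_notification_origins(preferences_json):
    """Return every origin whose notification setting is ALLOW."""
    prefs = json.loads(preferences_json)
    exceptions = (prefs.get("profile", {})
                       .get("content_settings", {})
                       .get("exceptions", {})
                       .get("notifications", {}))
    allowed = []
    for pattern, entry in exceptions.items():
        if entry.get("setting") != SETTING_ALLOW:
            continue
        origin = pattern.split(",", 1)[0]            # drop the secondary pattern
        host = origin.split("://", 1)[-1].rsplit(":", 1)[0]  # strip scheme and port
        allowed.append({
            "origin": origin,
            "host": host,
            "granted_at": chromium_time(entry.get("last_modified")),
        })
    return allowed


def audit(preferences_json, corporate_allowlist):
    """Allowed origins that are not on the organisation's known-good list."""
    return [entry for entry in allowed_notification_origins(preferences_json)
            if entry["host"] not in corporate_allowlist]


if __name__ == "__main__":
    for entry in audit(SAMPLE_PREFERENCES, {"mail.example.com"}):
        print(f"{entry['granted_at'] or 'unknown':>20}  {entry['origin']}")
```

The `granted_at` value is the pivot for the timeline: it lines up with the proxy request to the streaming site or the X post that delivered the permission prompt. Remediation on the endpoint is to revoke the grant (Chrome and Edge expose this under the site's notification settings) rather than only closing the scare page, since the service worker will keep receiving pushes otherwise.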

MITRE Techniques

  • [T1189] Drive-by Compromise – Initial access via malicious websites leading to permission prompts to push notifications. [ ‘Attack chains commonly start from pirated streaming sites or fraudulent X posts.’ ]
  • [T1566] Phishing – Trick users into granting the browser notification permission; a fake verification step makes the prompt look legitimate before the permission is requested. [ ‘Scammers prompt users (via pirated streaming sites or X posts) to allow browser notifications; Fake “robot verification” (captchas/checkboxes) to feign legitimacy before requesting the notification permission.’ ]
  • [T1036] Masquerading – Redirected scam pages impersonating vendors. [ ‘Redirected scam pages impersonating vendors – yourtopdefencebulwark.site’ ]
  • [T1562] Impair Defenses – JavaScript to disable closing/minimizing, block right-click and keystrokes, and present full-screen fake alerts with alarm audio. [ ‘JavaScript to disable closing/minimizing, block right-click and keystrokes, and present full‑screen fake alerts with alarm audio.’ ]

Indicators of Compromise

  • [URL] Example malicious push redirect endpoints – dzz27sptilkop[.]cloudfront[.]net/werrx01/?phone=+XXXXXXXXX, d2amlsdxhfbfr1[.]cloudfront[.]net/?number=+1-XXXXXXXXX
  • [DigitalOcean app domains] Notification‑permission landing pages – sea-turtle-app-yb2h9[.]ondigitalocean[.]app/?number=XXXXXXXXX, lobster-app-3vokw[.]ondigitalocean[.]app/?number=XXXXXXXXX (many other marine-named subdomains)
  • [Domains in X posts] Redirect domains used in social posts – keewoach[.]net, whulsaux[.]com, and other listed domains
  • [Streaming/streamer sites] Newly registered pirate/streaming sites used as initial vectors – worldsports1[.]live, foreverstream[.]xyz (and several others)
  • [Fake security pages] Redirected scam pages impersonating vendors – yourtopdefencebulwark[.]site, keepsafetycenter[.]com
  • [Social accounts] Example X (formerly Twitter) accounts posting malicious links – Gracie Walker @GinaSloan30632, Amy Day @DayAmy95254
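The indicators above share a shape that is easy to hunt for in proxy logs: a CloudFront or DigitalOcean App Platform host carrying the scam phone number in a `phone=`/`number=` query parameter, reached from one of the listed streaming or redirect domains. The script below is an added example, not detection logic from the Zscaler post. The log lines are constructed; the log format (timestamp, user, URL, referer), the regular expressions generalised from the two listed ondigitalocean.app hosts, and the reserved 555 phone number are my assumptions. The digit string is extracted so the phone number itself becomes a pivot, since the hosting changes faster than the number victims are told to call.

```python
"""Hunt proxy logs for the tech-support-scam URL patterns described above.
Added example; patterns are assumptions generalised from the listed IoCs."""
import re
from urllib.parse import parse_qs, urlsplit

# Domains listed under Indicators of Compromise (defanging brackets removed).
IOC_DOMAINS = {
    "keewoach.net", "whulsaux.com",                      # redirect domains in X posts
    "worldsports1.live", "foreverstream.xyz",             # pirate streaming sites
    "yourtopdefencebulwark.site", "keepsafetycenter.com", # fake security vendor pages
}

# DigitalOcean App Platform default hostnames look like <name>-app-<5 chars>;
# the "marine animal" name is platform-generated, so the phone parameter is the
# signal, not the name. Both regexes are assumptions from the listed examples.
DO_APP_RE = re.compile(r"^[a-z]+(?:-[a-z]+)*-app-[a-z0-9]{5}\.ondigitalocean\.app$")
CLOUDFRONT_RE = re.compile(r"^[a-z0-9]+\.cloudfront\.net$")
PHONE_PARAMS = ("phone", "number")

# Constructed log lines: "<time> <user> <url> <referer>" ("-" = no referer).
SAMPLE_LOG = """\
2024-05-01T10:01:02Z alice https://foreverstream.xyz/live/match1 -
2024-05-01T10:01:09Z alice https://lobster-app-3vokw.ondigitalocean.app/?number=18005550100 https://foreverstream.xyz/live/match1
2024-05-01T10:07:44Z alice https://d2amlsdxhfbfr1.cloudfront.net/?number=+1-800-555-0100 -
2024-05-01T10:08:00Z bob https://www.example.com/ -
2024-05-01T10:09:15Z bob https://d1abcd.cloudfront.net/static/app.js https://www.example.com/
"""


def hostname_matches_ioc(host):
    """Exact or subdomain match against the listed domains."""
    host = host.lower()
    return host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS)


def phone_from_query(query):
    """Return the digits of a phone/number parameter, or None.
    parse_qs turns '+' into a space, so keep only digits."""
    params = parse_qs(query)
    for key in PHONE_PARAMS:
        for value in params.get(key, []):
            digits = re.sub(r"\D", "", value)
            if len(digits) >= 7:
                return digits
    return None


def classify_url(url):
    """Return (reason, phone); reason is None for URLs that do not match."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    phone = phone_from_query(parts.query)
    if hostname_matches_ioc(host):
        return "ioc_domain", phone
    # Shared CDN/app hosting is legitimate traffic; only flag it when the
    # scam phone number rides along in the query string.
    if DO_APP_RE.match(host) and phone:
        return "digitalocean_app_phone", phone
    if CLOUDFRONT_RE.match(host) and phone:
        return "cloudfront_phone", phone
    return None, phone


def hunt(log_text):
    """Return one hit per matching log line, keeping user and referer for pivoting."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, url, referer = line.split(maxsplit=3)
        reason, phone = classify_url(url)
        if reason:
            hits.append({"time": ts, "user": user, "url": url,
                         "referer": referer, "reason": reason, "phone": phone})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit['time']} {hit['user']:<6} {hit['reason']:<24} "
              f"phone={hit['phone']} referer={hit['referer']}")
```

In the constructed sample the second hit's referer is the streaming site, which is the chain the summary describes (pirate stream, then the notification-permission page, then the CloudFront scare page). The CloudFront request for a static asset without a phone parameter is deliberately not flagged; matching on the CDN alone would bury the hits in legitimate traffic.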

Read more: https://www.zscaler.com/blogs/security-research/rise-tech-support-scams-abusing-windows-action-center-notifications