MEDIUM SEVERITY | RESOLVED | Verified Report | Malware

Fake Antivirus Popup Leads to Browser Lock

Reporter: Anonymous Reporter
Date: 2024-01-30
Category: Browser
Upvotes: 203
Comments: 59
Views: 2,980
Shares: 112
Amount Involved / Potential Loss: $0 (prevented)

Report Summary

Browser popup claimed virus infection, locked browser until calling fake support number.

⚠️ Warning Signs Identified:

  • Pressure to act quickly without time for consideration
  • Requests for payment via unusual methods (gift cards, cryptocurrency)
  • Poor grammar and spelling in communications
  • Email addresses that don't match company domain

Full Report Details

Fake Antivirus Browser Lock Scam

Incident Timeline

  • Time: January 30, 2024, 8:45 PM
  • Activity: Researching travel destinations
  • Site Visited: Legitimate travel blog (likely compromised)
  • Trigger: Clicked on image gallery

Attack Sequence

Initial Infection

  1. Pop-up: "CRITICAL VIRUS DETECTED" covering entire screen
  2. Audio: Loud alarm sound (couldn't be muted)
  3. Visual: Fake Windows Defender interface with moving scan
  4. Lock: Browser controls disabled, Alt+F4 blocked

Fake Alert Content

  • "Microsoft Security Alert": Windows Defender has detected 7 trojans
  • "Threat Level": Severe (red exclamation marks)
  • "Affected Files": System32 files listed
  • "Action Required": Call support immediately: 1-800-XXX-XXXX
  • "Warning": Do not close browser or data will be corrupted

Technical Analysis

Malicious Code

  • Method: JavaScript browser lock
  • Escape Prevention:
    • Disabled right-click
    • Intercepted keyboard shortcuts
    • Prevented tab/window closing
    • Fake warning on escape attempts
  • Persistence: Local storage used to maintain lock
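The indicators above (right-click and keyboard interception, unload traps, full-screen takeover, localStorage persistence, alarm audio, a support number and scare text) can be turned into a simple static scan of a page's scripts. The following is an added example, not code from the report or the analysis files it references; the indicator list, weights and sample scripts are constructed for illustration, and the phone number is a reserved fictional one.

```javascript
// Added example, not from the report: heuristic scan of a page script for the
// browser-lock indicators the Technical Analysis lists. Sample inputs are constructed.
const INDICATORS = [
  { id: 'contextmenu-block', weight: 1,
    re: /['"]contextmenu['"][\s\S]{0,80}preventDefault|oncontextmenu\s*=/ },
  { id: 'keyboard-intercept', weight: 1,
    re: /['"]key(down|up|press)['"][\s\S]{0,200}(preventDefault|return\s+false)/ },
  { id: 'unload-trap', weight: 2, re: /onbeforeunload|['"]beforeunload['"]/ },
  { id: 'fullscreen-takeover', weight: 1, re: /requestfullscreen\(/i },
  { id: 'storage-persistence', weight: 1,
    re: /localStorage\.setItem\(\s*['"][^'"]*(lock|infect|alert|virus)/i },
  { id: 'alarm-audio', weight: 1, re: /new\s+Audio\([^)]*\)[\s\S]{0,80}\.play\(\)/ },
  { id: 'support-number-lure', weight: 3, re: /1-8(00|33|44|55|66|77|88)-\d{3}-\d{4}/ },
  { id: 'scare-text', weight: 2,
    re: /virus detected|trojans? detected|do not close (this |the |your )?(browser|window)/i },
];

// Returns matched indicator ids, a weighted score and a verdict. A single
// indicator (a theme saved to localStorage, a beforeunload "unsaved changes"
// prompt) is normal web behaviour; the verdict needs a trap plus a lure, or
// several indicators together.
function scanScript(source) {
  const hits = INDICATORS.filter(ind => ind.re.test(source));
  const score = hits.reduce((sum, ind) => sum + ind.weight, 0);
  const ids = hits.map(h => h.id);
  const trap = ids.includes('unload-trap') || ids.includes('fullscreen-takeover');
  const lure = ids.includes('support-number-lure') || ids.includes('scare-text');
  const verdict = (trap && lure) || score >= 6 ? 'browser-lock' : 'clean';
  return { score, indicators: ids, verdict };
}

// Constructed samples (not captured from the incident): a benign site script
// and one carrying the reported lock-and-lure pattern.
const BENIGN_SCRIPT = `
  localStorage.setItem('theme', 'dark');
  document.addEventListener('keydown', e => { if (e.key === '/') search.focus(); });
`;
const SUSPECT_SCRIPT = `
  document.addEventListener('contextmenu', e => e.preventDefault());
  window.onbeforeunload = () => 'Do not close browser or data will be corrupted';
  document.documentElement.requestFullscreen();
  new Audio('alarm.mp3').play();
  localStorage.setItem('av_lock', '1');
  banner.textContent = 'CRITICAL VIRUS DETECTED - call 1-800-555-0199';
`;

console.log(scanScript(BENIGN_SCRIPT).verdict, scanScript(SUSPECT_SCRIPT));
```

Run with Node against script text pulled from a saved page or a proxy capture; the score is a triage aid for which scripts to read by hand, not a blocklist decision on its own.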

Domain Investigation

  • Compromised Site: travel-adventures-blog.com
  • Injection Point: Ad network script
  • Payload Source: malicious-cdn[.]com/av-popup.js
  • Duration: Active for 3 hours before cleanup

Resolution Steps

Immediate Actions

  1. Browser Closure: Task Manager → End Chrome process
  2. System Scan: Ran Malwarebytes (no threats found)
  3. Browser Reset: Cleared cache, cookies, reset settings
  4. Number Research: Found reports of fake Microsoft support

Follow-up Actions

  1. Reporting:
    • Notified travel blog owner
    • Reported to Google Safe Browsing
    • Submitted to Microsoft Security
    • Filed Quiet-Report
  2. Protection:
    • Installed uBlock Origin
    • Updated browser extensions
    • Enabled enhanced protection in Chrome

Impact Assessment

  • Time Lost: 45 minutes (recovery + reporting)
  • System Integrity: Verified clean (no malware)
  • Data Security: No data compromised
  • Financial Risk: $0 (didn't call number)

What Happens If You Call

Based on other reports:

  1. Remote access installation
  2. Fake virus "discovery"
  3. Pressure to pay $299-499
  4. Possible real malware installation
  5. Credit card information theft

Prevention Recommendations

  1. Use ad blocker with malware protection
  2. Never call numbers from pop-ups
  3. Task Manager can always close browsers
  4. Legitimate antivirus doesn't work this way
  5. Keep browser and extensions updated

Evidence Provided

  • screenshots.zip
  • malware-analysis.txt
  • browser-logs.json

Resolution

Type: WARNING

Description: Compromised site cleaned, malicious domain blocked

Outcome: Ad network removed malicious advertiser

Tags

#Malware #Browser #Pop-up #FakeAntivirus #TechSupport

Reporter Information

Status: Anonymous
Reports Filed: 12
Success Rate: 85%

⚠️ Safety Tips

  • Never share personal information with unknown parties
  • Verify company credentials before making payments
  • Use secure payment methods with buyer protection
  • Report suspicious activity immediately
