WoofLocker: Advanced Fingerprinting and Redirection Toolkit Facilitates Tech Support Scams

Cybersecurity researchers have uncovered an updated version of a sophisticated fingerprinting and redirection toolkit known as WoofLocker. The toolkit, initially detected by Malwarebytes in January 2020, is designed to facilitate tech support scams.
WoofLocker employs a complex traffic redirection scheme built on JavaScript embedded in compromised websites. This JavaScript performs anti-bot and web traffic filtering checks and then redirects qualifying visitors to a browser locker (browlock). The redirection mechanism relies on steganography: the JavaScript code is concealed within a PNG image, and that image is served only when the validation phase succeeds. If a visitor is identified as a bot or as uninteresting traffic, a decoy PNG file without malicious code is served instead. This version of WoofLocker is also referred to as 404Browlock, because attempting to visit the browlock URL directly, without the appropriate redirection or a one-time session token, results in a 404 error page.
Malwarebytes’ recent analysis indicates that the WoofLocker campaign is still active, with the cybersecurity firm explaining that the campaign’s infrastructure has become more robust to counter takedown efforts.
WoofLocker predominantly targets adult websites and utilizes hosting providers in Bulgaria and Ukraine to provide stronger protection against takedowns.
The primary objective of browser lockers like WoofLocker is to manipulate targeted victims into seeking assistance for nonexistent computer issues. The perpetrators then gain remote control over the victim’s computer to produce an invoice recommending a security solution to address the fabricated problem. In this scheme, the fraudsters earn money for each successful lead through third-party fraudulent call centers.
The true identity of the threat actor behind WoofLocker remains unknown. However, evidence suggests that preparations for the campaign may have started as early as 2017. Unlike other campaigns that rely on purchasing ads and constantly evading hosting providers and registrars, WoofLocker is described as a stable and low-maintenance business. The compromised websites hosting the malicious code have remained compromised for years, while the fingerprinting and browser locker infrastructure appears to be using reliable hosting providers and registrars.
Malwarebytes also revealed a new malvertising infection chain that involves using deceptive ads on search engines. These ads target users searching for remote access programs and scanners, leading them to infected websites that distribute stealer malware.
What distinguishes this campaign is its capability to gather visitor fingerprints using the WEBGL_debug_renderer_info API, which collects the victim’s graphics driver properties. This information is used to distinguish real browsers from crawlers and virtual machines, allowing the threat actors to determine the subsequent steps. By employing better filtering methods, attackers ensure that their malicious ads and infrastructure remain online for longer periods, hampering detection and takedown efforts.
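The article describes the combination of a WebGL renderer check with code hidden in a PNG; a web-content or proxy scanner can flag scripts that show that combination. The Python scanner below is an added illustration and is not Malwarebytes' detection logic; it assumes the PNG-to-code stage is done in-browser with canvas `getImageData` followed by `eval` or `new Function` (an assumption, not stated in the article), and the three sample scripts are constructed for the example.

```python
import re

# Indicator patterns. Each one alone is common in legitimate pages; the
# combination of a WebGL renderer query, pixel extraction from an image and
# dynamic code execution is the loader shape assumed here for the PNG stage.
INDICATORS = {
    "webgl_fingerprint": re.compile(
        r"WEBGL_debug_renderer_info|UNMASKED_(?:RENDERER|VENDOR)_WEBGL"),
    "pixel_extraction": re.compile(r"\.getImageData\s*\("),
    "image_load": re.compile(
        r"new\s+Image\s*\(|\.src\s*=\s*['\"][^'\"]*\.png", re.I),
    "dynamic_code": re.compile(
        r"\beval\s*\(|new\s+Function\s*\(|\.appendChild\s*\(\s*\w*[sS]cript"),
}

def analyze_script(js_text):
    """Return the set of indicator names that match in a script body."""
    return {name for name, rx in INDICATORS.items() if rx.search(js_text)}

def classify_script(js_text):
    """'suspicious' for the fingerprint-plus-stego-loader shape, 'review' for a
    bare renderer query (often a benign GPU capability check), else 'benign'."""
    hits = analyze_script(js_text)
    if {"webgl_fingerprint", "pixel_extraction", "dynamic_code"} <= hits:
        return "suspicious"
    if "webgl_fingerprint" in hits:
        return "review"
    return "benign"

# Constructed samples: a loader that matches the assumed shape, a benign GPU
# capability check, and a script with no WebGL use at all.
SAMPLE_LOADER = """
var gl=document.createElement('canvas').getContext('webgl');
var d=gl.getExtension('WEBGL_debug_renderer_info');
var r=gl.getParameter(d.UNMASKED_RENDERER_WEBGL);
var i=new Image();i.src='/assets/img/banner.png';
i.onload=function(){var c=document.createElement('canvas');
var x=c.getContext('2d');x.drawImage(i,0,0);
var p=x.getImageData(0,0,c.width,c.height).data;var s='';
for(var k=0;k<p.length;k+=4){s+=String.fromCharCode(p[k]);}eval(s);};
"""
SAMPLE_GPU_CHECK = """
var gl = canvas.getContext('webgl');
var ext = gl.getExtension('WEBGL_debug_renderer_info');
if (ext) { console.log(gl.getParameter(ext.UNMASKED_RENDERER_WEBGL)); }
"""
SAMPLE_PLAIN = "document.getElementById('x').addEventListener('click', f);"

if __name__ == "__main__":
    for name, src in [("loader", SAMPLE_LOADER), ("gpu", SAMPLE_GPU_CHECK),
                      ("plain", SAMPLE_PLAIN)]:
        print(name, classify_script(src), sorted(analyze_script(src)))
```

The heuristic is deliberately conservative: a renderer query on its own only earns a review flag, since GPU-compatibility checks use the same API.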
This disclosure follows recent research highlighting the hijacking of websites belonging to U.S. government agencies, leading universities, and professional organizations over the past five years. These compromised websites have been used to promote scam offers and deceive children into downloading apps, malware, or sharing personal details in return for nonexistent rewards in popular online gaming platforms such as Fortnite and Roblox.
