Scare Message Web Pages

  • 8 September 2017
  • 4 replies
  • 33 views

Badge +1
Twice in two days I've had customers with Webroot installed call because they opened a Web page that displayed some kind of virus alert. Their browsers were locked (unable to be closed normally) but I was able to close them using taskkill. Their computers were otherwise unaffected (as far as I can tell, and I did take time to review them both).
 
Is Webroot supposed to intercept that kind of activity? If so, it didn't work in these two cases, although nothing else malicious ran on them (again, as far as I can tell). Would some forensic information help to defend against this sort of thing? If so, I should be able to collect information from both computers.

4 replies

Userlevel 7
Badge +33
Hey @
 
Webroot is quite aware of this annoyance and is trying to find a way to block them. I've been pretty successful blocking them using the DNS Protection offered by Webroot, or, at the very least, have seen a drastic decline in the number of them across my client endpoints.

The problem is that these pages are legit pages. That doesn't mean that what the pop-up says is legit, but there's no content or scripts being loaded that are malicious in nature where the agent would take action on them. It's only where the uneducated user calls the number or begins clicking on other links contained in that window that they might expose themselves to further risk.
 
I'd also encourage you to better educate your users and sign yourself up for the Webroot Cyber Security training beta that they have on the go now. This will allow you to phish clients and then send them to training sites and courses to take to better educate themselves.
 
Hope this helps
 
John
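The DNS-layer blocking John describes works by refusing to resolve names on a blocklist. As an added example that is not from the thread or from Webroot, the script below shows the matching logic such a filter needs: a blocklisted domain must also catch its subdomains (a scare page served from a throwaway hostname under a known bad domain), but not unrelated names that merely end in the same characters. The domains, the log format and the log lines are all constructed placeholders.

```python
"""Flag DNS queries to blocklisted scare-page domains (added example).

Blocklist entries and log lines are constructed placeholders, not real
indicators. The log format assumed here is:
    <timestamp> <client-ip> <qtype> <qname>
"""

# Constructed placeholder domains standing in for a DNS filter's blocklist.
BLOCKLIST = {"alert-scanner.example", "support-call-now.test"}

# Constructed sample resolver log; note the trailing-dot FQDN on the last line.
LOG = """\
2017-09-08T10:15:02 10.0.0.5 A intranet.example
2017-09-08T10:15:09 10.0.0.5 A pay.alert-scanner.example
2017-09-08T10:16:41 10.0.0.7 A notalert-scanner.example
2017-09-08T10:17:03 10.0.0.7 A support-call-now.test.
"""


def normalize(name: str) -> str:
    """Lower-case the name and drop the trailing root dot from FQDNs."""
    return name.strip().rstrip(".").lower()


def is_blocked(qname: str, blocklist=BLOCKLIST) -> bool:
    """True if qname equals, or is a subdomain of, any blocklisted domain.

    Matching walks label boundaries (a.b.c -> a.b.c, b.c, c), so
    'pay.alert-scanner.example' is caught while
    'notalert-scanner.example' is not.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def scan_log(lines):
    """Return (client_ip, normalized qname) for each query that should be blocked."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        _timestamp, client, _qtype, qname = parts[:4]
        if is_blocked(qname):
            hits.append((client, normalize(qname)))
    return hits


if __name__ == "__main__":
    for client, qname in scan_log(LOG.splitlines()):
        print(f"blocked query from {client}: {qname}")
```

The label-boundary walk is the part worth copying: a naive `endswith` check would either miss subdomains or wrongly match look-alike names, and real blocklists are large enough that a set lookup per suffix is far cheaper than scanning every entry per query.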
Badge +1
I understand that just displaying a scare warning would be viewed as a "legit" Web page. However, the act of seizing control of the browser and preventing it from being closed normally is not "legit." I'd contend it's something no "legit" Web page ever should do, because "legit" Web pages have no reason to do it.
 
That's a behavior that Webroot should be able to detect and view as malicious ... at least, I hope so. It's a dead giveaway that something's not right.
Userlevel 7
@ tell them they can use an ad-blocker. I used to install it for every single computer I remoted onto when working in Consumer Technical Support.
 
uBlock (low on memory/performance)
AdBlock
Userlevel 4
@ wrote:
@ tell them they can use an ad-blocker. I used to install it for every single computer I remoted onto when working in Consumer Technical Support.
 
uBlock (low on memory/performance)
AdBlock
Totally agree with JP... I add uBlock to every client computer that I clean or manage. This cuts down on return calls substantially.
