Nasty New Scam Hijacks Your Mouse Cursor

Shady websites that won't let you close your browser window until you play along with a tech-support scam have been around for several years. But a new variant does more than lock your browser: if you're running the latest version of Google Chrome, it will also hide your mouse cursor and show you a fake one, so that you can't even click over to a different application.

Credit: energepic.com

To escape the locked-browser, disabled-cursor trap, try using keyboard commands. You can normally shut down individual browser windows by pressing Ctrl + W in Windows or Command + W on a Mac. If that doesn't work, Alt + F4 in Windows and Command + Option + Shift + Esc on a Mac will shut down the entire browser.

Beyond that, try the ol' Windows three-finger salute to bring up the Task Manager: Ctrl + Alt + Del. If you absolutely must, give your computer the cold boot by unplugging it or taking out the battery; anything is better than having to call one of these phony tech-support-scam lines. You might consider running an antivirus scan after you close the browser window, just to be safe.

This new twist on an old scam was found by researchers at Malwarebytes Labs, who posted their report on the company's official blog yesterday (Sept. 13).

The tech-support-scam group, dubbed Partnerstroka by the researchers, has a pretty intricate modus operandi. They've created at least 16,000 domains through cheap domain registrars and phony Gmail accounts. Some of the sites are benign, some of them are decoys, but the end result is always to direct certain users to malicious web pages.

If you're running Edge, Internet Explorer or Firefox on Windows, the malicious page tells you your machine is infected and you should call a toll-free number for help. It also asks you for your computer username and password in an endless loop, but you can still move your mouse around.

If you're running an older version of Chrome on Windows, you get the same sort of "infection" message, but no password demand.

If you're running Safari or older Chrome on Mac, a print box pops up with the tech-support message visible on the document to be printed.

But if you're running Chrome 69, released last week, things get weird. The location of the onscreen cursor seems to change, and mouse clicks seem to be unresponsive.

How the scam works

First, Partnerstroka directs you to compromised websites through malicious advertisements, aka malvertising. Many of these ads lead to useless-but-benign sites offering bogus travel packages or song downloads. Some of them, though, redirect to malicious sites. Partnerstroka also created a bunch of phony Blogger pages in order to redirect unsuspecting users to the malicious sites.

Once you reach a malicious site, the site implores you to call phony tech-support numbers or input your credentials. The sites themselves don't spread malware or force you to do anything, but flashing error messages and alert sounds might convince you that something really is wrong.

The twist comes on Chrome 69 when you try to click on the "X" button for either the tab or the browser. No matter how much you click, nothing happens.

This is because the page is pulling a very simple but clever visual trick. It uses JavaScript to change the appearance of the cursor to an invisible box 128 pixels wide by 128 pixels tall, with a fake low-resolution cursor arrow visible in the top right corner.

You won't see the cursor show up where you intend to click, but you will see the fake cursor at a bit of a distance from that spot, and you'll think it's yours. When you try to click on an X or close a dialogue box, you'll be clicking on useless, empty space an inch or two below your target.
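For anyone triaging a page that behaves like this, one check is to look for custom cursors whose image is far larger than a normal pointer. The following is an added example, not code from the article or from Malwarebytes; it assumes the cursor is set through the CSS `cursor: url(...)` property, and the function names, the 32-pixel threshold and the sample stylesheet are constructed for illustration.

```javascript
// Added example (not from the article or the Malwarebytes report).
// Assumption: a pointer image larger than 32x32 is unusual enough to flag.
const NORMAL_MAX = 32;
const PNG_SIG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// Read width and height from a PNG's IHDR chunk (file bytes 16..23).
function pngSize(buf) {
  if (buf.length < 24 || !buf.subarray(0, 8).equals(PNG_SIG)) return null;
  if (buf.toString('latin1', 12, 16) !== 'IHDR') return null;
  return { width: buf.readUInt32BE(16), height: buf.readUInt32BE(20) };
}

// Report every `cursor: url(...)` declaration found in a stylesheet string.
function findCustomCursors(css) {
  const findings = [];
  const re = /cursor\s*:\s*url\(\s*(['"]?)([^'")]+)\1\s*\)/gi;
  for (const m of css.matchAll(re)) {
    const data = /^data:image\/png;base64,([A-Za-z0-9+/=]+)$/i.exec(m[2]);
    const size = data ? pngSize(Buffer.from(data[1], 'base64')) : null;
    let verdict = 'unknown'; // remote or non-PNG image: fetch and inspect separately
    if (size) {
      verdict = size.width > NORMAL_MAX || size.height > NORMAL_MAX ? 'oversized' : 'ok';
    }
    findings.push({ source: m[2].slice(0, 40), size, verdict });
  }
  return findings;
}

// Constructed sample input: header-only PNG stubs (signature + IHDR), not real images.
function pngStub(width, height) {
  const buf = Buffer.alloc(33);
  PNG_SIG.copy(buf, 0);
  buf.writeUInt32BE(13, 8); // IHDR data length
  buf.write('IHDR', 12, 'latin1');
  buf.writeUInt32BE(width, 16);
  buf.writeUInt32BE(height, 20);
  return 'data:image/png;base64,' + buf.toString('base64');
}

const SAMPLE_CSS = `
  body  { cursor: url("${pngStub(128, 128)}"), auto; }
  a.btn { cursor: url('${pngStub(16, 16)}'), pointer; }
  #map  { cursor: url(/img/crosshair.cur), crosshair; }
  p     { cursor: text; }
`;

console.log(findCustomCursors(SAMPLE_CSS));
```

A 128-by-128 cursor is not malicious on its own, so treat an "oversized" verdict as a reason to look at where the visible arrow sits inside the image, not as a conclusion.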

This may be a neat trick, but it doesn't change anything else about the scam. It's still easy to close your browser with a keyboard shortcut, and the compromised pages don't have the power to spread malware without user input.

It's unclear whether anyone has actually fallen for the ruse, but Malwarebytes believes that "the same scare tactics [have] been used for ages, and still work well."