In a blog post, Siddhesh Chandrayan, threat analysis engineer at Symantec, reports that tech-support scammers are using obfuscation scripts when displaying scam websites in order to avoid detection by security software.
Such techniques include Base64 encoding, custom obfuscation routines, and AES encryption.
Chandrayan cited as an example a scam, written in Italian, observed earlier this month. It informs the victim that their computer has been blocked due to "display and dissemination of materials prohibited by Italian law" such as adult content, and that to unblock their computer they must pay an "administrative penalty" of €500 with an iTunes Gift Card.
"Such tactics are designed to incite worry among victims and get them to pay," he said.
He added that the source code reveals a large chunk of obfuscated content. This content, which looks like nothing more than a long line of numbers and letters, is fed into another script that decodes it using the function "atob" and writes the result into the browser page.
"After decoding the base64 content, I was able to see a few of the strings which the scam displays to the victim," he said. After that, more obfuscated code and decryption routines were used. The code also loads the CryptoJS library, which is widely used for AES obfuscation and deobfuscation.
"This indicates the scam uses AES as its second-level obfuscation technique. Decoding the AES obfuscated content reveals the final layer of the scam with almost no obfuscation being used," said Chandrayan.
"While code obfuscation has been used in scams for a while now, the use of multiple-level encoding is not common," Chandrayan said.
"The scam typically forces string-based detection engines to focus detection on strings of random numbers or characters as described above, which, in most scenarios, is highly prone to false positives. Thus, it can be said that this scam uses living off the land encoding techniques to sneak through antivirus engines and avoid detection."
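The layered decode-then-write pattern Chandrayan describes (a long opaque string literal, an atob call, a CryptoJS AES.decrypt call, then a write into the page) can be spotted by its structure rather than by matching the random-looking blob itself, which is the false-positive problem he points to. The following is an added example, not code from Symantec, SC Media or the scam: a small Node.js heuristic scanner. The two sample pages, the indicator names and the scoring rule are constructed here for illustration; the inner "notice" is a harmless placeholder.

```javascript
// Added example (not from the article or Symantec): static heuristics for the
// decode-then-write pattern. Rather than signaturing the encoded blob (prone to
// false positives, as the post notes), it scores the structure around the blob:
// an opaque literal, a decoder (atob / CryptoJS.AES.decrypt), and a DOM sink.

// Constructed placeholder content that will be base64-encoded into the sample page.
const INNER_HTML =
  '<h1>Sample blocked-computer notice (constructed placeholder)</h1>' +
  '<p>Test content only; nothing here is a real support number.</p>';

// Constructed sample resembling the layering described in the post: a base64
// blob decoded with atob and written with document.write, plus a CryptoJS
// include and an AES.decrypt call feeding a second document.write.
const SAMPLE_SCAM_LIKE_PAGE = `
<html><head>
<script src="https://cdn.example/crypto-js.min.js"></script>
</head><body>
<script>
var blob = "${Buffer.from(INNER_HTML).toString('base64')}";
var stage1 = atob(blob);
document.write(stage1);
var stage2 = CryptoJS.AES.decrypt(cipherText, key).toString(CryptoJS.enc.Utf8);
document.write(stage2);
</script>
</body></html>`;

// Constructed benign page: atob on a short token, no opaque blob, no DOM sink.
const BENIGN_PAGE = `
<html><body><span id="who"></span>
<script>
var token = atob("dXNlcjpwYXNz");
document.getElementById("who").textContent = token.split(":")[0];
</script>
</body></html>`;

// Quoted runs of base64-alphabet characters at least minLength long.
function findOpaqueLiterals(source, minLength = 100) {
  const re = new RegExp(`["']([A-Za-z0-9+/]{${minLength},}={0,2})["']`, 'g');
  const found = [];
  let m;
  while ((m = re.exec(source)) !== null) found.push(m[1]);
  return found;
}

// Peel one base64 layer and judge whether the output is readable text
// (HTML/JS) or yet another opaque layer, as with the AES stage in the post.
function peelBase64Layer(literal) {
  const decoded = Buffer.from(literal, 'base64').toString('utf8');
  const printable = (decoded.match(/[\x20-\x7e\s]/g) || []).length;
  const readable = decoded.length > 0 && printable / decoded.length > 0.95;
  return { decoded, readable };
}

// Score a page on structural indicators; the blob content itself is never matched.
function analyzePage(html) {
  const literals = findOpaqueLiterals(html);
  const indicators = {
    opaqueLiteral: literals.length > 0,
    base64Decoder: /\batob\s*\(/.test(html),
    cryptoJsLoaded: /crypto-js|\bCryptoJS\b/.test(html),
    aesDecrypt: /CryptoJS\.AES\.decrypt\s*\(/.test(html),
    domSink: /document\.write\s*\(|\.innerHTML\s*=/.test(html),
  };
  const decodedPreviews = literals
    .map(peelBase64Layer)
    .filter((r) => r.readable)
    .map((r) => r.decoded.slice(0, 80));
  const score = Object.values(indicators).filter(Boolean).length;
  // Flag only the full chain: opaque payload + a decoder + a sink that renders it.
  const suspicious =
    indicators.opaqueLiteral &&
    (indicators.base64Decoder || indicators.aesDecrypt) &&
    indicators.domSink;
  return { indicators, score, suspicious, decodedPreviews };
}

module.exports = { analyzePage, findOpaqueLiterals, peelBase64Layer, SAMPLE_SCAM_LIKE_PAGE, BENIGN_PAGE };
```

The scoring deliberately ignores what the blob decodes to; the preview is only there so an analyst can see whether a layer has been fully peeled or whether, as in the AES stage Chandrayan describes, another decoder is still needed.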
Gavin Millard, VP of intelligence at Tenable, told SC Media UK that this type of scam has existed for many years and, unfortunately, can often entrap victims who unwittingly put the organisation's security posture at risk.
"Employee awareness training programmes will educate users of the risks within their mailbox, and can help reduce the threat. However, with scammers increasingly honing their craft to create near perfect communications, it is getting trickier to spot fact from fiction, meaning even the most savvy individuals can be spoofed," he said.
"Duping the user is the first stage of this threat and focusing efforts on making sure the following stages are nullified is where effective focus should be placed. In nearly all cases, threat actors will gain limited access through compromised credentials. From this point they then need to work to elevate their access and infiltrate the network. In nearly all cases they will do this from a known vulnerability for which, in all probability, a patch is available.
"Until organisations start finding and closing these often targeted flaws, threat actors will continue to target end-users and persuade them to click the links to exploit them."