Short Summary

The WoofLocker tech support scam campaign, initially discovered in January 2020, employs an intricate traffic redirection system, with a significant upgrade in infrastructure over the years to counter takedown efforts. Despite limited knowledge about its origin, the scheme uses a highly obfuscated code, steganography, and advanced fingerprinting techniques to redirect victims to fake support centers. The campaign’s stability and complex infrastructure set it apart, and it primarily targets limited compromised websites using Javascript for distribution.

Long Summary

Introduction:

The blog post discusses the WoofLocker tech support scam campaign, initially reported in January 2020, which utilizes an intricate traffic redirection system. It details how the campaign has evolved over time and its tactics, along with insights into its infrastructure.

Campaign Evolution:

  • WoofLocker campaign was first identified in January 2020, featuring a highly complex traffic redirection scheme.
  • The threat actor began deploying infrastructure as early as 2017, becoming increasingly robust to counter takedown efforts.
  • As of 2023, the campaign remains active with similar tactics and techniques, potentially adapting in response to security efforts.

Redirection Mechanism and Challenges:

  • Reproducing and studying the redirection mechanism remains challenging due to its complexity and the addition of new fingerprinting checks.

Possible Threat Actor Diversity:

  • The campaign’s origin remains uncertain, suggesting involvement of different threat actors specializing in various areas.
  • WoofLocker might function as a professional toolkit designed for advanced web traffic filtering, possibly catering to a single customer.
  • Scam victims are redirected to call centers, likely located in South Asian countries, after falling for the scheme.

Overview of Distribution and Techniques:

  • WoofLocker is distinct from other tech support scams as it’s distributed via compromised websites, rather than relying on malvertising.
  • The threat actor targets two types of traffic: non-adult and adult, distinguished by unique redirection URLs.
  • Malicious JavaScript is embedded in compromised sites, using obfuscation and steganography (data in images) for code delivery.

Fingerprinting and Redirection:

  • Victims visiting compromised sites undergo fingerprinting to validate their legitimacy.
  • Fingerprinting checks include identifying virtual machines, certain browser extensions, and security tools.
  • WoofLocker sends victim data back to the server as a hidden PNG image, leading to potential redirection, or no further action.

URL Redirection and Web Traffic:

  • The redirection URL is generated on the fly, with a unique ID only valid for this specific session.
  • The browser reads the response, executing JavaScript code hidden in images.
  • Traffic capture reveals the sequential steps: fingerprinting checks, validation of user data, and creation of a unique ID (uid) for redirection.

Infrastructure Changes:

  • WoofLocker’s infrastructure evolved significantly since the initial discovery.
  • The threat actors shifted to hosting providers that offer better protection against takedowns.
  • ASNs (Autonomous System Numbers) are located in Bulgaria and Ukraine.

Conclusion and Detection:

  • WoofLocker most likely serves as an advanced toolkit, primarily designed for a single customer.
  • The campaign has operated as a stable and low-maintenance business for six years.
  • Unlike other campaigns, WoofLocker leverages compromised sites and robust infrastructure to maintain its operations.