Google has patched a Chrome bug that was currently being abused in the wild by tech support scammers to create artificial mouse cursors and lock users inside browser pages by preventing them from closing and leaving browser tabs.
The trick was first spotted in September 2018 by Malwarebytes analyst Jerome Segura. Called an “evil cursor,” it relied on using a custom image to replace the operating system’s standard mouse cursor graphic.
A criminal group that Malwarebytes called Partnerstroka operated by switching the standard OS 32-by-32 pixels mouse cursor with one of 128 or 256 pixels in size.
A normal cursor would still appear on screen, but in the corner of a bigger transparent bounding box.
The trick was that users would think they’d be clicking where the cursor would appear, but they would actually click in another area of the screen, preventing them from closing popups and browser tabs due to inaccurate clicks. See animated GIF below.
Segura reported this bug to Google last fall, however, patching it wasn’t straightforward.
Browsers support custom mouse cursor images for the sake of web games and to allow browsers to build immersive experiences, so disallowing over-sized cursors wasn’t an ideal solution as it would have negatively impacted thousands of sites, if not more.
Nevertheless, after months of tests, Google engineers came up with a compromise that satisfied both Segura’s security-related concerns and didn’t break existing sites.
According to this bug report, Chrome will automatically revert the mouse cursor back to the standard OS graphics when hovering over parts of the Chrome browser interface (tab bar, address bar, menus, etc.) but will keep the custom cursor when hovering the page content.
This way, users who land on tech support scam sites operated by the Partnerstroka gang –one of the most active groups around today– will be able to leave these sites without getting locked in.
The “evil cursor” fix is currently live for Google Canary users, and is scheduled to land in the Chrome 75 stable branch, to be released later this spring.
In the grand scheme of things, users might consider this fix trivial, but this is actually a very important fix. Tech support scams are a big problem in today’s cyber-crime scene, and hundreds of thousands of victims have lost billions of US dollars to these crooks.
For example, just one tech support scam site operator arrested earlier this month scammed victims out of $3 million over the course of four years, which is quite a nice profit.
Tech support scammers often use browser bugs to freeze CPUs or lock users inside tabs as a way to trick victims into believing they have a technical problem and call a tech support number.
Fixing these browser bugs is a must, and just one of these fixes can cause huge financial losses to cybercriminal gangs and protect thousands of regular users from getting scammed.