Microsoft Spoof Infection From Facebook Link

Discussion in 'Software' started by mjnc, Oct 19, 2016.

  1. mjnc

    mjnc MajorGeek

    My setup:

    Windows 10 Home 1607 x64 - Firefox ESR 45.4.0 - OpenDNS with Security options On - Avast free - Malwarebytes anti-malware premium - Malwarebytes anti-exploit

    While browsing Facebook, I clicked on a link about the passing of Jane Fonda, which triggered a couple of center page popups and an audio which alerted that Windows had detected an infection that could be sending out personal information. I don't remember all of the specifics.

    The audio instructs to call Microsoft at the number provided to be walked through the fix or repair or whatever.
    It goes on to say that if the message is closed before making the call, Microsoft will be forced to "disable your computer".

    I did not listen to the whole message.

    All attempts to close or cancel the dialog box fail. The browser tab could not be closed. I closed the browser.

    When I checked the browser history, after reboot, there was a very long list of entries beginning with the following, all named Microsoft Official Support:



    It continued on like this for a little more than one minute. There were several HUNDRED of these in the browser history, with each one incremented in the same manner from the previous address.

    After a restart, I ran a full scan with Malwarebytes anti-malware, Avast and Adwcleaner.
    AdwCleaner tagged a single line in Firefox prefs.js related to a SpeedDial link to a ghacks.net article:
    http://www.ghacks.net/2012/02/02/why-i-switched-to-the-duck-duck-go-search-engine/
    This is a legitimate link. Everything else was clean.

    So, what do you make of this (attempted) attack?
    I have never encountered anything like this from a Facebook link. I'm very disappointed, to say the least.

    Any suggestions about what I should do next?
    Thanks!
     
    Last edited by a moderator: Oct 19, 2016
  2. MaxTurner

    MaxTurner Banned

    It's help from the trained experts in the Malware Removal Forum that you need rather than here. They need you to complete the steps in their Read & Run Me First Guide first, start a new thread there with the logs, and they will advise you further.

     
  3. satrow

    satrow Major Geek Extraordinaire

    I've just made contact with the person that deals with malware site blocking in MBAM Premium and hpHosts, that site should be blocked soon by MBAM Prem.

    If you create a Topic on the Malwarebytes forum with any details/logs you can give, it'll enable them to work out what's needed to detect/neutralise and block this.
     
    dr.moriarty and mjnc like this.
  4. mjnc

    mjnc MajorGeek

    Thanks, satrow. Posted the same info I gave here.
     
    satrow likes this.
  5. satrow

    satrow Major Geek Extraordinaire

  6. mjnc

    mjnc MajorGeek

    Got a reply at Malwarebytes forum with several .WMV example scams.

    The one I stumbled on was similar to this:
    http://multi-av.thespykiller.co.uk/other/MalwareScam-5.wmv

    I saw the same photo/link on Facebook and tried it again, opening a new tab.
    The only thing displayed was a message at the top of the page, probably produced by the NoScript add-on.

    microsoft-spoof-blocked_01-C.jpg

    edit: have enlarged the picture twice, but still shows too small! :-(
     
    Last edited: Oct 20, 2016
    satrow likes this.
  7. satrow

    satrow Major Geek Extraordinaire

    It's readable ;) Filtered by ABE: https://noscript.net/abe/ . Probably a good idea to post that on the MBAM site; the other links might be useful to them.

    So, has NoScript updated in the last day? If not, this latest one probably points to something different, hence no trigger yesterday but picked up today.

    Have you checked that MBAM has updated today (hpHosts has)?
     
  8. mjnc

    mjnc MajorGeek

    I know next to nothing about NoScript and don't know where to look to check definition/database updates.
    I use only limited protection with NoScript, i.e. scripts allowed.

    I have MBAM scheduled for automatic updates every 4 hours. The database is updated frequently.
    Judging from the database version numbers, it's updated more than 6 times a day.

    This was a lesson in risky or dubious links. Seems that many of those side panel links in Facebook are bogus.
    They are not part of the suggested related material in the Timeline. The titles and photos are misleading.
     
  9. satrow

    satrow Major Geek Extraordinaire

    NoScript should auto-update as Firefox starts up, iirc. Check in the Tools > Add-ons section; there should be some kind of Control Panel for it.

    Yes, FB can be a pain, most of the potential problems, I'm told, can be alleviated by stricter control from your profile.
     
