Scammers Are Actively Exploiting A Firefox Bug

Long-time Slashdot reader slack_justyb shares this story from Ars Technica: Scammers are actively exploiting a bug in Firefox that causes the browser to lock up after displaying a message warning the computer is running a pirated version of Windows that has been hacked... The message then advises the person to call a toll-free number in the next five minutes or face having the computer disabled...

Jérôme Segura, head of threat intelligence at security provider Malwarebytes, said the Firefox bug is being exploited by several sites... On Monday, Segura reported the bug to the Bugzilla forum. He said he has since received word Mozilla is actively working on a fix. In a statement sent seven hours after this post went live, a Mozilla representative wrote: "We are working on a fix to the authentication prompt bug that we expect to land in the next couple of releases (either in Firefox 71 or 72)."

It's not Firefox that scammers are exploiting

[Rosco P. Coltrane]

it's people's credulity. This is classic phishing, not really a technical scam: it requires the user to be stupid enough to believe in what's written in the popup. And quite frankly, in 2019, if someone calls a number in a popup and gives money, they deserve to be scammed.

Re:

[Locke2005]

This used to happen in Chrome too. I had to teach my ex and her daughter how to kill tasks using Task Manager after those idiots actually CALLED THE NUMBER, then called my on another phone while the people with heavy Indian accents were demanding her credit card number...

Re:

[Rick Schumann]

Yeah, that was my first thought: ctrl-alt-del, task manager, kill Firefox, think "huh, that was weird" and move on. Happens again? "huh, must be that site" and don't go there again. So glad I'm on Ubuntu though. ;-)

Re:

[gweihir]

Indeed. Whenever anybody tries to prevent you from thinking things over, some sort of scam is afoot. Really simple, but quite a few people cannot deal with such a situation.

Re:

[Falconhell]

It’s nothing new for Firefox, used to happen to me occasionally, though not in the last few years. I have used Firefox exclusively since it came out, never noticing the problems some here seem to find with it being slow. It’s always been reasonably fast for me, and there’s no way I would use a Google browser ever.

Re: It's not Firefox that scammers are exploiting

[astrofurter]

You know Mozilla is just the non-profit face of Big Brother Google, right? Their SF office is even inside Google's building.

What's the hold-up?

[drinkypoo]

a Mozilla representative wrote: "We are working on a fix to the authentication prompt bug that we expect to land in the next couple of releases (either in Firefox 71 or 72)."

What could be more important than fixing a DoS bug in a basic browser feature? Tighter Pocket integration?

Re:What's the hold-up?

[Luckyo]

Worth noting that this "feature" has been around for several years at this point. My mother called me about getting this exact problem with firefox over a year ago, and she didn't know what to do about it locking her "internet" down.

I told her to pull the network plug out of the VDSL2 modem sitting next to her, then press ctrl-shift-esc, find firefox, right click on it and select kill process and then press enter. Then start firefox again and close the offending tab and then plug the cable back into the same spot she took it out of.

To my understanding, this is still the easiest method to bypass this problem should you run into it. Mozilla didn't give a single fuck about fixing it back then. I guess the scams got big enough that they can't just look away any longer.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Coward]

The "feature" has been around 14 years. Bug ID 1571003 [mozilla.org], which TFS's summary is a duplicate of, gives a good summary of how it came to be and why.

Re:

[Luckyo]

Mod parent up. He did what I was too lazy to do.

See I recalled that when I searched for the bud on the Mozilla bug tracker after solving it for my mom, that it was many years old. However I couldn't off the top of my head remember how old it was when I was typing out the post above, since the event was more than a year ago, so I decided not to speculate. And was too lazy to search for it on Mozilla's bug tracker again.

Thanks for doing the relevant legwork and posting the link to the bug. You're awesome, who

Re:

[slack_justyb]

Mozilla didn't give a single fuck about fixing it back then. I guess the scams got big enough that they can't just look away any longer.

Mozilla has indeed fixed these kinds of issues before, case in point [mozilla.org]. This is a slightly different method that fools the current method that's used for rate limiting by ever so slightly changing the root domain that's requesting the authentication via dynamic subdomain. As you'll note, the issue is already marked FIXED [mozilla.org] and will eventually make it to end users. So yes, yes Mozilla does indeed give a fuck about fixing these issues.

Re:

[Luckyo]

As has been pointed out elsewhere in this thread, this feature has been around for over a decade at this point.

Saying that "oh, Mozilla is now fixing it, some time in the future, so it clearly cares" sounds either really sarcastic, or just bizarre.

Re:

[AHuxley]

Re "A basic browser feature?"
Non academic considerations and the effort put into telling the world about all the new parts of the CoC.
To spread the good news about the CoC is the mission.
The browser is just the method used.

What? No way!

[AndyKron]

Firefox doesn't have bugs. How could it with the never-ending updates? They're simply unintended engineering features.

Who doesn't kill his browser when it locks up?

[BAReFO0t]

Even my completely computer-incompetent girlfriend does this as her first reflex. Even before she knew me.

Although she's running Linux these days as it is easier for her, and the scanner will work without hacks, and she, like all technology-incompetent older people here in Germany, puts privacy and security first, and therefore avoids MS/Apple/Google/Amazon/etc whenever she has a choice.
Plus, it was easier to install than Windows 10.

So it would be hilarious if she got this message. :)

Re: Who doesn't kill his browser when it locks up?

[MakerDusk]

Its a fear response. There is a subset of users who believe they have no right to use the computer because they don't understand it. Even buying the computer was a gamble without basic understanding. In other words they were waiting for the other shoe to drop... so they easily believe the presented lie.

The easier a computer is to use, the more likely this subset is to believe the phishing lie. Rather than realize that the basics are easy, their inequity causes them to tear themselves down: they don't know

Re:

[Rick Schumann]

Microsoft doesn't help because they don't do anything really to empower their end-users, they want them dependent and feeling like they don't actually own the computer they're using, by using authoritarian tactics and treating end-users like little children who need their hand held every step of the way -- and their hand slapped away when they try to do things Microsoft doesn't want them touching.

Re:

[freeze128]

Firefox is still available on Linux. She could still succumb to this attack.

Temporary Solution - Noscript

[burni2]

Don't allow Javascript to every Jo and Sam that comes around.

It's affecting Edge too

[SIGBUS]

My dad just got hit by that one this morning while using Edge. Killing Edge, disconnecting from the network, restarting Edge, and closing out the tabs was the only way out.

It's sheer stupidity that the "restore all tabs" behavior can't be disabled other than by a registry edit.