The notorious global tech support scam campaign, WoofLocker, has continued its operations, demonstrating adaptability and tenacity despite being exposed three years ago.
The campaign, originally uncovered in 2020, has managed to withstand attempts at shutdown and still operates with increased robustness, according to a recent report by Malwarebytes.
WoofLocker, characterised by its complex traffic reduction scheme, began deploying its infrastructure as early as 2017, laying the foundation for a persistent and evolving threat. Fast forward to 2023, the campaign maintains its traction, utilising familiar tactics and techniques while bolstering its defences against potential takedowns.
An integral part of the campaign’s success is attributed to its elaborate redirection mechanism, which remains challenging to reproduce and study even after years of scrutiny. With new fingerprinting checks, recreating the redirection process proves even more daunting. Researchers, however, have pieced together valuable insights by connecting past indicators of compromise, shedding light on WoofLocker’s modus operandi.
Victims of the scam who call the provided phone number are redirected to call centres, presumably located in South Asian countries, further highlighting the global nature of this cyber operation.
Despite years of investigation, the individuals or groups behind WoofLocker remain elusive. There are indicators that different threat actors with specialised expertise might be involved, possibly indicating a professional toolkit tailored for advanced web traffic manipulation.
WoofLocker’s distribution method sets it apart from other tech support scams, primarily leveraging a limited number of compromised websites. These sites cater to two distinct categories: adult and non-adult traffic. The differentiation is evident in the unique redirection URLs created for victims.
The campaign’s fingerprinting process, aimed at filtering traffic, has become increasingly sophisticated, rendering it difficult to bypass. Integrating steganography and stringent checks for virtual machines, browser extensions, and security tools ensures that only genuine residential IP addresses are considered.
Despite the industry’s efforts to curb its influence, the campaign has managed to endure, honing its efficiency and evading suppression. As such campaigns continue to harass the vulnerable, it is paramount to remain vigilant against such scams and to seek help only from authorised support teams.