WoofLocker scam persists despite ongoing efforts to curb it

The notorious global tech support scam campaign, WoofLocker, has continued its operations, demonstrating adaptability and tenacity despite being exposed three years ago.

The campaign, originally uncovered in 2020, has managed to withstand attempts at shutdown and still operates with increased robustness, according to a recent report by Malwarebytes.

WoofLocker, characterised by its complex traffic redirection scheme, began deploying its infrastructure as early as 2017, laying the foundation for a persistent and evolving threat. Fast forward to 2023, and the campaign maintains its traction, utilising familiar tactics and techniques while bolstering its defences against potential takedowns.

WoofLocker attack method diagram. | Source: Malwarebytes

An integral part of the campaign’s success is attributed to its elaborate redirection mechanism, which remains challenging to reproduce and study even after years of scrutiny. With new fingerprinting checks, recreating the redirection process proves even more daunting. Researchers, however, have pieced together valuable insights by connecting past indicators of compromise, shedding light on WoofLocker’s modus operandi.

The campaign’s dynamic and sophisticated redirection URLs, coupled with its usage of malicious JavaScript embedded in compromised websites, underscore its technical prowess. The code is highly obfuscated and employs steganography, concealing data within images.

Victims of the scam who call the provided phone number are redirected to call centres, presumably located in South Asian countries, further highlighting the global nature of this cyber operation.

WoofLocker code injection into compromised websites. | Source: Malwarebytes

Despite years of investigation, the individuals or groups behind WoofLocker remain elusive. There are indicators that different threat actors with specialised expertise might be involved, possibly indicating a professional toolkit tailored for advanced web traffic manipulation.

WoofLocker’s distribution method sets it apart from other tech support scams, primarily leveraging a limited number of compromised websites. These sites cater to two distinct categories: adult and non-adult traffic. The differentiation is evident in the unique redirection URLs created for victims.

The campaign’s fingerprinting process, aimed at filtering traffic, has become increasingly sophisticated, rendering it difficult to bypass. Integrating steganography and stringent checks for virtual machines, browser extensions, and security tools ensures that only genuine residential IP addresses are considered.

Despite the industry’s efforts to curb its influence, the campaign has managed to endure, honing its efficiency and evading suppression. As such campaigns continue to harass the vulnerable, it is paramount to remain vigilant against such scams and to seek help only from authorised support teams.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
