Phishers Deploy New Technique to “Freeze” Victims’ Browsers

Scammers posing as tech support have developed a new attack to hijack Chrome browser sessions. According to a report by Malwarebytes experts, the criminal group known as Partnerstroka is using a technique called the “evil cursor” to take over user sessions.

Through malicious ads on various websites, victims are redirected to fake web pages that “freeze” their browsers. This prevents users from closing the tab or window, switching to another site, or even accessing their desktop—a method known as browlock.

How the Attack Works

Researchers say the browlock technique used by Partnerstroka targets the latest build of Google Chrome (version 69.0.3497.81). In total, they discovered 16,000 domains involved in this campaign.

To freeze the browser, the scammers intercept the mouse cursor. When a user tries to click the button to close the site, they actually end up clicking somewhere else, so the site remains open.

The “evil cursor” technique is based on HTML code that manipulates the mouse cursor at a low resolution. By adding a transparent 128×128 pixel image, the mouse becomes a “large box.” The victim thinks they are clicking a specific spot, but in reality, the click lands elsewhere. Since the user can’t accurately click the close button, they can’t exit the site or browser.

Growing Threat

This technique is gradually being adopted by other criminal groups and is now part of the standard toolkit for online scams.