How to Defend Against WoofLocker Scam?
Back in the early days of tech scams, scammers used tricks to show up on places like YouTube and get people’s attention. Then, they’d have their team answer calls from the folks they tricked. In January 2020, we talked about a big scam named WoofLocker, which turned out to be quite a puzzle. This scam had a complicated way of fooling people online, and it had been going on since 2017, even before we told everyone about it. Even though we exposed the WoofLocker scam, it hasn’t stopped. It’s still around, causing trouble and showing it’s not giving up easily.
Fast forward to 2023, and the WoofLocker scam persists, seemingly unfazed by the passage of three more years. While the tactics remain strikingly similar, the infrastructure has toughened up to fend off takedown attempts. This evolution could be attributed to collaborative efforts with web hosting and registrar companies, which briefly halted the operation’s momentum.
Understanding the intricate redirection mechanism remains a challenge, especially with the introduction of new fingerprinting checks. By connecting the dots from past compromises, we’ve gained insights into the initial WoofLocker setup and its current state.
Though the orchestrator’s identity remains elusive, it’s plausible that different specialized threat actors are involved. WoofLocker might be a custom toolkit catering to advanced web traffic manipulation, potentially serving a sole client. The victims who fall for the scam are redirected to call centers, likely located in South Asian regions.
Summing up our latest findings, this blog post provides crucial compromise indicators for the security community’s benefit.
Fingerprinting
In the fingerprint mechanism, there were a few additions though, such as the check for specific Chrome extensions (GeoEdge, Kaspersky, McAfee). There also seems to be some kind of proxy detection, or perhaps detection specific to web debugging tools like Fiddler. This makes it much harder for security researchers to get a traffic capture as evidence of malfeasance.
To filter traffic, the campaign’s fingerprinting process has grown increasingly sophisticated, making it harder to avoid. Only genuine residential IP addresses are considered by integrating steganography and rigorous checks on virtual machines, browser extensions, and security tools.
URL redirection
In the end, we were able to identify the redirection URL by replaying and debugging:
Conclusion
As a result, the WoofLocker scam has survived the years, adapting to challenges and evading takedowns, despite exposure and efforts to curb its activities. The evolution of its tactics and robust infrastructure reflects the persistent ingenuity of the threat actors behind it. To dissect and counter WoofLocker, security researchers will need to use complex fingerprinting mechanisms and sophisticated URL redirection tactics. The scam persists and evolves, making it more important for the security community to collaborate and develop effective countermeasures to prevent potential victims from falling victim.
