
Tech support scammers have weaponized a Chrome bug that was reported in July 2014 but which Google engineers have yet to fix.
Discovered in Google Chrome 35, the problem is described as a "hang bug in history.pushState()," which is a method introduced with the HTML5 specification that allows developers to push URLs to a browser session's history.
A web developer discovered that someone could push thousands, and even millions, of items to the browser session history. This didn't crash the browser, but froze Chrome on most devices, and even caused the entire OS to slow down because Chrome was gobbling up most of the computer's available memory and CPU resources.
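As an added example, not code from this article or from the scam page, the snippet below is a userscript-style guard that wraps `history.pushState` and drops calls once a page exceeds a per-second budget, so a runaway loop cannot pile up thousands of history entries. The names `installPushStateGuard`, `makeFakeWindow` and `simulateRunawayLoop`, and the fake window and injectable clock they use, are constructed for this illustration.

```javascript
// Rate-limit history.pushState: at most `maxCalls` per `windowMs` window.
// `now` is injectable so the logic can be exercised without real time passing.
function installPushStateGuard(win, maxCalls = 50, windowMs = 1000, now = () => Date.now()) {
  const original = win.history.pushState;
  const stats = { allowed: 0, blocked: 0 };
  let windowStart = now();
  let count = 0;

  win.history.pushState = function guardedPushState(state, title, url) {
    const t = now();
    // Start a fresh counting window once the previous one has expired.
    if (t - windowStart >= windowMs) {
      windowStart = t;
      count = 0;
    }
    count += 1;
    if (count > maxCalls) {
      // Over budget: drop the call instead of growing the session history.
      stats.blocked += 1;
      return undefined;
    }
    stats.allowed += 1;
    return original.call(win.history, state, title, url);
  };
  return stats;
}

// Constructed stand-in for window/history so the guard runs outside a browser.
function makeFakeWindow() {
  const entries = [];
  return {
    entries,
    history: { pushState(state, title, url) { entries.push(url); } },
  };
}

// Simulate a page hammering pushState: 1,000 calls inside one window,
// then 3 more calls after the window has rolled over.
function simulateRunawayLoop(maxCalls = 50, windowMs = 1000) {
  let clock = 0;
  const win = makeFakeWindow();
  const stats = installPushStateGuard(win, maxCalls, windowMs, () => clock);
  for (let i = 0; i < 1000; i++) win.history.pushState(null, "", "#" + i);
  clock = windowMs;
  for (let i = 0; i < 3; i++) win.history.pushState(null, "", "#late" + i);
  return { ...stats, historyLength: win.entries.length };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(simulateRunawayLoop()); // { allowed: 53, blocked: 950, historyLength: 53 }
}
```

The real history object only ever receives the budgeted calls, so the session history stays small even if the page's loop keeps spinning.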
The Google team was quick to analyze the issue, but classified it as a low-level DoS (Denial of Service) attack and delayed a fix in order to deal with more urgent matters.
More than two years later, some tech support scammer came across the unresolved bug, which also contained fully-working proof-of-concept (PoC) code to reproduce the hang state. Lo and behold, there's now a tech support scammer group using this trick.

Discovered by security researcher slipstream/RoL and first broken down by the Malwarebytes team, the tech support page's source code features a jQuery version of the bug's JavaScript PoC code.

A fully-working version of this tech support scam is currently located at perfecthosting[.]co/alert/
The bug triggers after you select "Prevent this page from creating additional dialogs," at which point Chrome enters the hang state.
To dismiss the message, just open the Task Manager and terminate the Chrome process. If you're on an older system and the bug causes the entire OS to crash, you'll have to perform a hard reboot.
If Chrome is configured to start where you left off, the page with the tech support scam could reopen again, putting you in a vicious cycle. To prevent this, you can go to the following folder and delete the "Current Session" file.
C:\Users\[USERNAME]\AppData\Local\Google\Chrome\User Data\Default
Once the Current Session file is removed, Chrome will not prompt you to recover the previously open windows, and you won't have to worry about the scam site opening again.
UPDATE - Shortly after this article's publication, security researcher JAMESWT contacted the tech support scam's hosting provider, who removed the page soon after.

