
'ISP Critical Alert' Pop-Ups

Posted: March 19, 2018

The 'ISP Critical Alert' pop-ups are technical support tactics that claim that your computer is under attack by spyware, such as a banking Trojan, or another account-compromising threat. These attacks use publicly accessible information about their victims to display customized pop-up backgrounds, including references to the user's Internet Service Provider. Avoid all contact with the hotlines that this threat promotes, and have your anti-malware products remove the 'ISP Critical Alert' pop-ups by deleting any temporary browser files associated with them.

A Script-Heavy Tactic for Your Web Browser

Fake security warnings and associated technical support hoaxes come in many varieties, but a new campaign is proving itself more in-depth than most of its competing threats. At the start of 2018, Microsoft took notice of a series of 'ISP Critical Alert' pop-ups harming Windows users. Malware experts can confirm that the campaign is in the wild and capable of running two attacks simultaneously, only one of which requires any input from the victim to cause further harm.

The 'ISP Critical Alert' pop-ups are almost entirely browser-based and may run in Firefox, Chrome, IE, and other Web-browsing applications. After the website hosting their scripts begins loading, the threat harvests publicly available information regarding the user's IP address, ISP and related statistics. Then, it retrieves and loads a pop-up with custom content related to that information, such as tailoring the warning to reference the Cox or Spectrum Internet Service Providers. Malware experts also note that any failure in the data-retrieving operation causes the 'ISP Critical Alert' pop-ups to revert to their default 'Windows Firewall' format.

The pop-up misleadingly warns the user about a fake spyware infection and asks them to call a technical support number for further help. Simultaneously, however, the 'ISP Critical Alert' pop-ups also run additional scripts that load CoinHive, a browser-based cryptocurrency miner. This feature creates profit by hijacking the system's resources through the browser, without installing anything or requiring the Web surfer's permission.

Getting Critical about ISP Alert

Although the 'ISP Critical Alert' pop-ups are, in many ways, some of the most detail-oriented technical support hoaxes that malware experts can find, they also include some of the telltale signs of fraudulence. Some versions of the 'ISP Critical Alert' pop-ups include typos (such as misspelling 'critical' as 'critcal') and, usually, will borrow the wording of a spyware warning that readers may recognize from similar campaigns. All users also should remember that Internet Service Providers and Microsoft don't ask you to call a phone number after detecting spyware or other threatening software on your computer, and particularly not through your Web browser.
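
The telltale signs above, together with the miner script described earlier, can be checked mechanically on a saved copy of a suspect page. The following Python is an added example, not code from the campaign or from any security vendor; the regular expressions, the names PageScan and scan, and both sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Indicators named in the article; the regexes are assumptions, not vendor signatures.
TYPO = re.compile(r"\bcritcal\b", re.I)
LURE = re.compile(r"\b(spyware|trojan|windows firewall|critical alert)\b", re.I)
CALL = re.compile(r"\b(call|contact|dial)\b", re.I)
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}")
MINER = re.compile(r"coinhive", re.I)

class PageScan(HTMLParser):
    """Collects visible text separately from script sources and bodies."""
    def __init__(self):
        super().__init__()
        self.text, self.scripts, self.in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append(dict(attrs).get("src") or "")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        (self.scripts if self.in_script else self.text).append(data)

def scan(html):
    """Report which of the article's indicators a saved page contains."""
    page = PageScan()
    page.feed(html)
    page.close()
    text, scripts = " ".join(page.text), " ".join(page.scripts)
    # A lure needs all three: scare wording, a call prompt, and a phone number.
    lure = bool(LURE.search(text) and CALL.search(text) and PHONE.search(text))
    miner = bool(MINER.search(scripts))
    verdict = ("scam+miner" if lure and miner else
               "scam" if lure else "miner" if miner else "clean")
    return {"typo": bool(TYPO.search(text)), "support_lure": lure,
            "miner_script": miner, "verdict": verdict}

# Constructed samples (not captured from the campaign).
SUSPECT = """<html><head><title>Windows Firewall</title>
<script src="https://miner.example/lib/coinhive.min.js"></script></head>
<body><h1>Critcal Alert from your ISP</h1>
<p>Spyware detected. Call support now: 1-800-555-0100</p></body></html>"""
BENIGN = "<html><body><p>Contact us at 555-010-0199 about billing.</p></body></html>"

if __name__ == "__main__":
    print(scan(SUSPECT))
    print(scan(BENIGN))
```

Requiring scare wording, a call prompt and a phone number together keeps an ordinary contact page from being flagged, and reporting the miner separately reflects that it runs whether or not the victim ever dials the number.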

The threat actors running the 'ISP Critical Alert' pop-ups are, like most con artists with similar strategies, trying to gain remote access to the PCs of their victims. With remote control over your computer, they may, ironically, collect information or install software that could harm your security or privacy. Malware experts encourage disabling your Internet connection while using security software to remove the 'ISP Critical Alert' pop-ups and related threats, when appropriate.

This campaign isn't the only example of a dual-sided campaign using both a tactic and a secondary attack, like CoinHive, against its victims. However, the 'ISP Critical Alert' pop-ups provide a good look at how cybercrooks may socially engineer their misdeeds as future evolutions of old ideas.
