Fake pharmacy sites gets crafty with modified goodbye messages

Fake pharmaceutical web services are always looking for new methods like Twitter warnings to trick unsuspecting users. They’ve since have adopted a clever new technique: modified goodbye messages that pop up whenever a user tries to close the window/tab.

We’ve all seen these dialog boxes before. They usually display whenever we attempt to navigate away from a site when we’re in the middle of interacting with content, like writing a post or downloading a file.

Those boxes usually pop up as the result of JavaScript code, scripts which come in several forms.

One type is known as “beforeunload.” This site goes into some detail about what the script is all about:

“The beforeunload event is fired when the window, the document and its resources are about to be unloaded. When a non-empty string is assigned to the returnValue Event property, a dialog box appears, asking the users for confirmation to leave the page (see example below). When no value is provided, the event is processed silently.”

Essentially, whenever a user tries to close out a tab or window, they trigger the “beforeunload.” That script then checks to see if anything needs to happen before the tab or window closes. Specifically, it looks to see if any function has been defined for “onbeforeunload” in the code, as is represented here: window.onbeforeunload = function().

Now fake pharma sites are abusing that feature to display parting messages whenever a user attempts to navigate away from their pages:

Pieter Arntz of Malwarebytes found most of these customized goodbye messages in Edge and Internet Explorer, whereas most other browsers simply displayed the standard “Stay or Leave” text.

To avoid coming across those messages, Arntz says users can disable JavaScript. But he’s careful to point out that doing so would be a double-edged sword:

“Disabling JavaScript in your browser prevents this from happening, but you should realize that it does that in cases where you might have found it useful as well. It comes highly recommended though, especially for the browser that you generally use for surfing the Web.”

Weigh those options carefully, and make sure you avoid visiting fake pharma websites by not clicking on suspicious links found on Skype, social media, and web forums.

Found this article interesting? Follow Graham Cluley on Twitter, Mastodon, or Threads to read more of the exclusive content we post.

David Bisson •   @DMBisson

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.