Fake pharmaceutical web services are always looking for new methods like Twitter warnings to trick unsuspecting users. They’ve since have adopted a clever new technique: modified goodbye messages that pop up whenever a user tries to close the window/tab.
We’ve all seen these dialog boxes before. They usually display whenever we attempt to navigate away from a site when we’re in the middle of interacting with content, like writing a post or downloading a file.
One type is known as “beforeunload.” This site goes into some detail about what the script is all about:
beforeunloadevent is fired when the window, the document and its resources are about to be unloaded. When a non-empty string is assigned to the returnValue Event property, a dialog box appears, asking the users for confirmation to leave the page (see example below). When no value is provided, the event is processed silently.”
Essentially, whenever a user tries to close out a tab or window, they trigger the “beforeunload.” That script then checks to see if anything needs to happen before the tab or window closes. Specifically, it looks to see if any function has been defined for “onbeforeunload” in the code, as is represented here:
window.onbeforeunload = function().
Now fake pharma sites are abusing that feature to display parting messages whenever a user attempts to navigate away from their pages:
Pieter Arntz of Malwarebytes found most of these customized goodbye messages in Edge and Internet Explorer, whereas most other browsers simply displayed the standard “Stay or Leave” text.
Weigh those options carefully, and make sure you avoid visiting fake pharma websites by not clicking on suspicious links found on Skype, social media, and web forums.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.