Fake pharmacy sites gets crafty with modified goodbye messages

“Are you sure you don’t want to fall for a scam?”

David bisson
David Bisson

Fake pharmacy sites gets crafty with modified goodbye messages

Fake pharmaceutical web services are always looking for new methods like Twitter warnings to trick unsuspecting users. They’ve since have adopted a clever new technique: modified goodbye messages that pop up whenever a user tries to close the window/tab.

We’ve all seen these dialog boxes before. They usually display whenever we attempt to navigate away from a site when we’re in the middle of interacting with content, like writing a post or downloading a file.


Sign up to our free newsletter.
Security news, advice, and tips.

Those boxes usually pop up as the result of JavaScript code, scripts which come in several forms.

One type is known as “beforeunload.” This site goes into some detail about what the script is all about:

“The beforeunload event is fired when the window, the document and its resources are about to be unloaded. When a non-empty string is assigned to the returnValue Event property, a dialog box appears, asking the users for confirmation to leave the page (see example below). When no value is provided, the event is processed silently.”

Essentially, whenever a user tries to close out a tab or window, they trigger the “beforeunload.” That script then checks to see if anything needs to happen before the tab or window closes. Specifically, it looks to see if any function has been defined for “onbeforeunload” in the code, as is represented here: window.onbeforeunload = function().

Now fake pharma sites are abusing that feature to display parting messages whenever a user attempts to navigate away from their pages:

Source: Malwarebytes

Pieter Arntz of Malwarebytes found most of these customized goodbye messages in Edge and Internet Explorer, whereas most other browsers simply displayed the standard “Stay or Leave” text.

To avoid coming across those messages, Arntz says users can disable JavaScript. But he’s careful to point out that doing so would be a double-edged sword:

“Disabling JavaScript in your browser prevents this from happening, but you should realize that it does that in cases where you might have found it useful as well. It comes highly recommended though, especially for the browser that you generally use for surfing the Web.”

Weigh those options carefully, and make sure you avoid visiting fake pharma websites by not clicking on suspicious links found on Skype, social media, and web forums.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “Fake pharmacy sites gets crafty with modified goodbye messages”

  1. for sure !Harry

    I remember this being used on early Rick'roll sites, you'd have to get through a hundred customised 'Are you sure?' alerts before you could exit, all the while with the delights of Rick Astley blaring out of your speakers

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.