'Google Security Warning' Scam
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Popularity Rank: | 11,370 |
| Threat Level: | 20 % (Normal) |
| Infected Computers: | 2,828 |
| First Seen: | August 18, 2017 |
| Last Seen: | January 19, 2026 |
| OS(es) Affected: | Windows |
The 'Google Security Warning' scam revolves around the legitimate warnings shown to Google Chrome users when corrupted and untrusted sites are loaded in the browser. Con artists work with Web developers to publish pages that generate fake 'Google Security Warning' pop-ups and aim to direct the user to call a toll-free number and get help. However, the phone lines listed on the 'Google Security Warning' notifications are not operated by certified computer experts. In many cases, the variations of the 'Google Security Warning' scam are run by illicit companies in India that attempt to take advantage of inexperienced users who stumble upon the 'Google Security Warning' notifications. The Web pages that generate the fake 'Google Security Warning' messages feature a code dubbed 'a pop-up loop' that instructs the browser to keep the 'Google Security Warning' pop-up on the screen and prevent the user from leaving and switching tabs. That way, some users may believe the 'Google Security Warning' messages, which read:
'Firewall detecting "suspicious" incoming network connections, we
recommend that you click on "Back to Safety"
Your computer is blocked!
Call now 1800-239-102
Your computer with the IP address [YOUR IP] has been infected by the Trojans Because System Activation KEY
has expired & Your information (for example, passwords, messages, and credit cards) have been stolen. Call the
Windows Help Desk 1800-239-102 to protect your files and identity from further damage.
call Now: 1800-239-102'
Consequently, a call to 800-239-102, and other numbers advertised that way, would connect you to a con artist who will try to sell you a "Premium Technical Support" plan. Before you get to the marketing pitch, the con will try to connect to your machine using a remote desktop tool under the pretext that he/she needs to assess the situation on your end. If you grant remote access, the con artists are very likely to open the SysKey utility on Windows, lock your account and claim that you need to pay a few hundred dollars to have the system unlocked. The technical support agent would make excuses and say that a virus has locked you out, which can be removed with help from an expert that happens to be on your phone right now. Cyber security researchers recommend users surf the Internet using a trusted browser that has the latest updates to minimize the chances of opening a phishing page. AV engines that scan scripts on Web pages may bring up the following detection names in a warning box when you load the 'Google Security Warning' pop-ups:
- Ransom:JS/TechBrolo.A
- SupportScam:JS/TechBrolo.A
- SupportScam:MSIL/Hicurdismos.A
- Suspicious_GEN.F47V0429
- Trojan.FakeAlert!8.56B (topis)
- Trojan/Generic.ASVCS3S.448
- Win32.Trojan.Rassmd.Auto
Table of Contents
Analysis Report
General information
| Family Name: | Adware.Istbar.A |
|---|---|
| Packers: | UPX |
| Signature status: | No Signature |
Known Samples
Known Samples
This section lists other file samples believed to be associated with this family.|
MD5:
084f70735572dc30fd92bab9ceba8847
SHA1:
62c67c4a71bc0bb70131779912f284437586e75c
SHA256:
B9E8345887742480F741B5B234E8AD4811A5105CB1523FF0029DD5545DF4577B
File Size:
27.66 KB, 27659 bytes
|
|
MD5:
445010ea057dd2236b02a8a842573410
SHA1:
0aa4503c13b6e89c8052cd6d93969cffb16a4549
SHA256:
EC001B37E2BC2FC2393EA965F358E0ADAC0524895C0F4411F3D956087CBFFE88
File Size:
95.75 KB, 95755 bytes
|
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File has been packed
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
Show More
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.| Name | Value |
|---|---|
| Company Name |
|
| File Description |
|
| File Version |
|
| Internal Name |
|
| Legal Copyright |
|
| Original Filename |
|
| Product Name |
|
| Product Version |
|
File Traits
- .UPX
- 2+ executable sections
- HighEntropy
- packed
- upx
- x86
Block Information
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.| Total Blocks: | 222 |
|---|---|
| Potentially Malicious Blocks: | 39 |
| Whitelisted Blocks: | 169 |
| Unknown Blocks: | 14 |
Visual Map
? - Unknown Block
x - Potentially Malicious Block
Similar Families
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.- Istbar.A
