No doubt the first link is genuine and the second is a scam.

When I posted the link, I broke it up to prevent anyone from going there by accident. The FBI part is just part of the address, not to the real web site, I sent a report to the Real FBI via their Internet Crime Complaint Center (IC3)

I tried the domain only v886341 dot com and that itself showed as a link in your post and led to a scam site. In my case displaying my IP Address and the site mentions Europol

• http://www.theregister.co.uk/2013/01/11/eu_cybercrime_centre/

As per this report almost identical

• http://techfruit.com/2013/12/12/europol-ec3-scam-targeting-unsuspecting-internet-users/

Using the Open New Window item on the Windows 7 Task Bar Jump List for the pinned Firefox icon? That's a nice trick. Certainly easier than typing

firefox.exe "about:blank" 

in the search or run box on the Start menu.

If users do not mind losing the rest of the tabs in their previous session, this might be the easiest way to restart.

I reported to Google, a couple of other sites & filed a Bug.

Bug 953147 - Ransomware locks Firefox tab, uses onbeforeunload and catchControlKey

jscher2000. All they have to do is check their history.

John99. Very nice. BTW, how do I look up a bug report?

Preventative Measure

See /questions/981475#answer-516884 downthread

Using the sample site John99 mentioned, I created a script to defang that page and others that use similar techniques. You can add it to your Bookmarks Toolbar for future use in the unfortunate event that you run into one of these pages. 

http://dev.jeffersonscher.com/bookmarklets.html#escape  
Also see explanation and screenshots  /questions/981475#answer-516977 

Advice on what to do if you get this sort of attack. Speaking from looking at the page I got from the now removed link in the Original post.

BTW the site exists still from the link in the OP it is however not showing in Google searches that I tried.

Here is the fix dead simple solution

• You may want to carefully note the full information in the address bar .

1. Try to close the tab once only
2. You will get a popup use the mouse to select the [Leave Page] button but do NOT left click.
3. Now use the keyboard key [Enter] (or [Return]) after a second or so it should auto repeat hopefully rapidly enough to clear the problem in a few seconds. The rogue tab will then close
4. It may then be a good idea to clear the rogue site from the History. Use the forget option.
   Remove websites from the address bar suggestions_clearing-all-items-for-a-single-site

• Note the rogue site is likely to identify your country and send information appearing to come from your country or a multi country official body. Europol EC3 or FBI for example
• You may wish to copy and paste the address from the location bar. It may be useful if you wish to report the problem. Should you report this on a site replace all dots with the word dot.
  (for instance v88634.com as v886341(dot)com and s845340.com as s845340(dot)com )

For info a current one I see is

http://europol.europe.eu.id974784510-4458260206.s845340.com/?flow_id=8614&414304=33302/case_id=46449  

The site does

• Scare people using some information that looks correct and some that is plausible. Impersonating police or similar sites.
• Appears to lock up the browser
• Demands and presumably collects money with a 12 hr deadline.
• Does do some sort of validity check on the cash voucher

What does NOT work

• Following most of the advice about Malware.
  Because you do not have malware installed on your computer.
• Resetting or re installing Firefox
  Resetting and reinstall normally leave the session store information alone.

What is not worth trying

• Reinstalling the Operating System
  That is overkill
• Blocking the fbi site
  https://www.fbi.gov/ or https://www.fbi.gov/ They are genuine. Firefox may give you a warning, as they have security issues !!
  (A known problem Bug 863517 - https://www.fbi.gov/ has active mixed content (JS and CSS) that are blocked by the mixed content blocker )
  Or the Europol site
• Using the popups and clicking one at a time. The popup floats over your browser and will disappear with each single click. The file I have takes over 70 clicks.

CARE
Some superficially similar warnings may be from malware that does encrypt your files, or otherwise damages your System

• e.g. see http://blogs.technet.com/b/security/archive/2013/11/19/ransomware-is-on-the-rise-especially-in-europe.aspx

I will mark this as the solution to this problem as it will solve the issue.

fredmcd-hotmail, there was no need to add the duplicate information you added in Bug 616853 as the information was already in Bug 953147 for example among other duplicate reports of same or other variations. Keep in mind that whenever somebody posts in a bug the people CC'd essentially get spammed with email reports on these comments and bug changes and this along with the fix it fix it fix it comments in a bug can annoy people (who can fix it) enough to well ignore it and look at other bugs in meantime to spend time on. Comment 30 by Boris Zbarsky (bzbarsky) is a example on the annoyance.

Also note that many of the Mozilla people are on vacation still until January 1st or 2nd or so so do not expect things on this bug to happen as quickly until then earliest.

These locked browser scareware or ransomware sites are not new as some may think as they have been floating around for some months if not (with older variants) for years now since 2009 with them popping up in Canada/USA since 2012 as for example the current RCMP locked browser variation had the real RCMP doing a media advisory back in February. http://www.rcmp-grc.gc.ca/on/news-nouvelles/2013/13-02-18-kitchener-eng.htm

And a older one in July 2012. http://cb.rcmp-grc.gc.ca/ViewPage.action?siteNodeId=50&languageId=1&contentId=26058

A article with a examples gif on ones from 2012. http://www.f-secure.com/en/web/labs_global/removal/removing-ransomware

edit: tried to add a image but it does not show. edit2: ok now it does.

James my observation is that what may be new
or documented less is this specific type that does not actually use anything other than the web page itself.

None of the recent Firefox sumo threads I just posted in seem to offer suitable instructions for this particular variant, neither does my local Europol EC3 advice or the link you posted http://www.f-secure.com/en/web/labs_global/removal/removing-ransomware.

I had seen the original Bug 616853 myself before filing Bug 953147 but thought this differed enough that it may possibly be considered separately. One of our few forum threads on fbi bugs has in the order of 9k hits, that's moderately high for this forum.

Using the sample site John99 mentioned, I created a script to defang that page and others that use similar techniques. You can add it to your Bookmarks Toolbar for future use in the unfortunate event that you run into one of these pages.

http://dev.jeffersonscher.com/bookmarklets.html#escape

What the script does:

(1) Set various event handlers to null to deactivate them.

(2) Replace the <head> and <body> of the document to remove whatever was there.

Note: You cannot click the bookmarklet button or use any other Firefox features unless you click the Stay on Page button first.

Thanks Jeff.

I did not check this on IE but it is no problem on Google Chrome as it easily closes.

Also not sure about mobile devices.

Your bookmarklet is probably worth mentioning in the bug I filed. Feel free to comment or modify the bug as applicable.

The bookmark is a good idea. But when I got locked, nothing worked. Would I or other users be able to get at the bookmark?

Hi fredmcd-hotmail, the method of operation would be to click the bookmark on the Bookmarks Toolbar. Or alternately you could do it from the Bookmarks menu. The script runs without unloading the page, so it shouldn't be blocked. I tested on the page that John99 mentioned. Obviously there could be scripting traps in other pages that I haven't addressed.

Okay, I wanted to be sure. Thank you.

Here are a couple of screen shots showing what the bookmarklet does, for anyone thinking of installing it.

If you encounter this problem and you do not already have the bookmarklet installed, you should be able to install it by first opening a new tab (Ctrl+t) or new window (Ctrl+n) and going to my bookmarklet page from there. Then go back to the extortion page to clear it out.

If you do not normally display the Bookmarks Toolbar, you can add it to (or move it to) the Bookmarks menu. Hopefully you won't need it very often, or perhaps ever again.

Note: You cannot click the bookmarklet button or use any other Firefox features unless you click the Stay on Page button first.

Jeff

Note my sample blocks use of Ctrl and of the new tab button [+].

However the Firefox Button or Austalis menu options still allow new tabs or windows to be opened.

A recent thread about another similar variation at http://alert. adsprotectpolice .net/ in https://support.mozilla.org/en-US/questions/981996

Edit ~J99
And another possibly similar

• I have a tab that takes over and I cannot successfully click on "Leave Page" Does Mozilla need to hear about this? If so, where? /questions/983346#
• Ransomware: http://vrfhdrt.cyberwarriors-usa.com has blocked Firefox. /questions/983684

So I am having this same problem with my Firefox on my Mac. To start off it seems a bit different from most cases where the pop up is there and wont go away but I can still use the internet instead of it having completely locked it up. Now I was reading things earlier about getting rid of it and the first thing I tried was resetting my firefox. I got to the page, clicked the reset button, it asked if I was sure cause it would delete everything, and I said yes anyway. once I pushed the button, I waited for something to happen, but nothing did. The pages and the scam page stayed up. After this I found this feed and I tried your method but yours of pushing the enter button did not work also. I'm at a loss right now aside from the possibility of just completely trashing the firefox app and downloading it again. Any ideas before I do that?

hello ibrown93, try to press Command-Option-K in order to open the web console, and click on the settings icon on the top left. there click on the checkbox next to disable javascript, which should allow you to leave the page immediately...

Another thing is to force Firefox to close. After, use a link to open FF. That should start the browser with the new page.