
WARNING FBI LOCKED BROWSER!!!

SUMO Contributor

WARNING FBI LOCKED BROWSER!!!

I was surfing the web, when somehow I landed on the web page below. The web page displayed a so-called message from the FBI (you know the one), and Firefox was locked. I shut down FF via the Windows Task Manager. When I tried to restart FF, FBI was back. I shut FF down. Then, using the Open New Window option, I was able to get FF up. Here is the web address. If you have site blocking or pop-up add-ons, add this in.


http://fbi.gov.====REMOVE===


id561073976-7652854433.===REMOVE===


v886341'.'com

de linkified v886341 dot com J99

1 ACCEPTED SOLUTION

Accepted Solutions
Site Moderator

Re: WARNING FBI LOCKED BROWSER!!!

Preventative Measure

See /questions/981475#answer-516884 downthread

Using the sample site John99 mentioned, I created a script to defang that page and others that use similar techniques. You can add it to your Bookmarks Toolbar for future use in the unfortunate event that you run into one of these pages. 
http://dev.jeffersonscher.com/bookmarklets.html#escape  
Also see explanation and screenshots  /questions/981475#answer-516977 

Advice on what to do if you get this sort of attack, speaking from looking at the page I got from the now-removed link in the original post.

BTW, the site still exists at the link in the OP; it is, however, not showing in the Google searches that I tried.


Here is the fix, a dead simple solution:

  • You may want to carefully note the full information in the address bar.
  1. Try to close the tab, once only.
  2. You will get a popup. Use the mouse to select the [Leave Page] button, but do NOT left click.
  3. Now use the keyboard key [Enter] (or [Return]). After a second or so it should auto-repeat, hopefully rapidly enough to clear the problem in a few seconds. The rogue tab will then close.
  4. It may then be a good idea to clear the rogue site from the History. Use the forget option.
    Remove websites from the Awesome Bar suggestions_clearing-all-items-for-a-single-site

  • Note the rogue site is likely to identify your country and send information appearing to come from your country or a multi-country official body, Europol EC3 or FBI for example.
  • You may wish to copy and paste the address from the location bar. It may be useful if you wish to report the problem. Should you report this on a site, replace all dots with the word dot.
    (for instance v88634.com as v886341(dot)com and s845340.com as s845340(dot)com )

For info a current one I see is

http://europol.europe.eu.id974784510-4458260206.s845340.com/?flow_id=8614&414304=33302/case_id=46449  


The site does

  • Scare people using some information that looks correct and some that is plausible. Impersonating police or similar sites.
  • Appears to lock up the browser
  • Demands and presumably collects money with a 12 hr deadline.
  • Does do some sort of validity check on the cash voucher

What does NOT work

  • Following most of the advice about Malware.
    Because you do not have malware installed on your computer.
  • Resetting or reinstalling Firefox
    Resetting and reinstalling normally leave the session store information alone.

What is not worth trying

  • Reinstalling the Operating System
    That is overkill
  • Blocking the fbi site
    https://www.fbi.gov/ or https://www.fbi.gov/ They are genuine. Firefox may give you a warning, as they have security issues !!
    (A known problem Bug 863517 - https://www.fbi.gov/ has active mixed content (JS and CSS) that are blocked by the mixed content blocker )
    Or the Europol site
  • Using the popups and clicking one at a time. The popup floats over your browser and will disappear with each single click. The file I have takes over 70 clicks.

CARE
Some superficially similar warnings may be from malware that does encrypt your files, or otherwise damages your system.

I will mark this as the solution to this problem as it will solve the issue.

23 REPLIES
Site Moderator

Re: WARNING FBI LOCKED BROWSER!!!

No doubt the first link is genuine and the second is a scam.

SUMO Contributor

Re: WARNING FBI LOCKED BROWSER!!!

When I posted the link, I broke it up to prevent anyone from going there by accident. The FBI part is just part of the address, not the real web site. I sent a report to the real FBI via their Internet Crime Complaint Center (IC3).
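
Added example (not part of the original posts): a small check showing why the "fbi.gov" at the front of such an address does not make it the real site, plus the dot-replacement form the accepted solution suggests for reporting. The hostnames are constructed samples on the reserved `.example` TLD, and the suffix set and brand table are simplified assumptions; production code should use the full Public Suffix List.

```javascript
// Tiny stand-in for the Public Suffix List (assumption, not exhaustive).
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "gc.ca"]);

// Brand label -> registrable domain of the genuine site.
const BRANDS = { fbi: "fbi.gov", europol: "europa.eu" };

// The registrable domain is the part the owner actually registered;
// every label to its left is chosen freely by that owner.
function registrableDomain(host) {
  if (/^[\d.]+$/.test(host) || host.includes(":")) return host; // IP literal
  const labels = host.split(".");
  if (labels.length < 2) return host;
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

function analyzeUrl(urlString) {
  const url = new URL(urlString);          // throws on malformed input
  const host = url.hostname;               // already lower-cased by URL
  const registrable = registrableDomain(host);
  const labels = host.split(".");
  const subLabels = labels.slice(0, labels.length - registrable.split(".").length);

  // Flag a brand label used as a subdomain of somebody else's domain.
  let impersonates = null;
  for (const [brand, official] of Object.entries(BRANDS)) {
    if (subLabels.includes(brand) && registrable !== official) {
      impersonates = brand;
      break;
    }
  }

  return {
    host,
    registrable,
    impersonates,
    // Reporting form from the thread: every dot replaced so nothing is clickable.
    defanged: url.href.replace(/\./g, "(dot)"),
  };
}

// Constructed samples: one lookalike, one genuine address.
for (const sample of [
  "http://fbi.gov.id0000-0000.v000000.example/?case_id=0",
  "https://www.fbi.gov/",
]) {
  console.log(analyzeUrl(sample));
}
```
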

Site Moderator

Re: WARNING FBI LOCKED BROWSER!!!

I tried the domain only, v886341 dot com, and that itself showed as a link in your post and led to a scam site, in my case displaying my IP address; the site mentions Europol.

As per this report almost identical

SUMO Contributor

Re: WARNING FBI LOCKED BROWSER!!!

Using the Open New Window item on the Windows 7 Task Bar Jump List for the pinned Firefox icon? That's a nice trick. Certainly easier than typing

firefox.exe "about:blank" 

in the search or run box on the Start menu.

If users do not mind losing the rest of the tabs in their previous session, this might be the easiest way to restart.

Site Moderator

Re: WARNING FBI LOCKED BROWSER!!!

I reported to Google, a couple of other sites & filed a Bug.

Bug 953147 - Ransomware locks Firefox tab, uses onbeforeunload and catchControlKey

SUMO Contributor

Re: WARNING FBI LOCKED BROWSER!!!

jscher2000. All they have to do is check their history.

John99. Very nice. BTW, how do I look up a bug report?

Site Moderator

Re: WARNING FBI LOCKED BROWSER!!!

fredmcd-hotmail, there was no need to add the duplicate information you added in Bug 616853, as the information was already in Bug 953147, for example, among other duplicate reports of the same or other variations. Keep in mind that whenever somebody posts in a bug, the people CC'd essentially get spammed with email reports on these comments and bug changes, and this, along with the "fix it, fix it, fix it" comments in a bug, can annoy people (who can fix it) enough to, well, ignore it and look at other bugs to spend time on in the meantime. Comment 30 by Boris Zbarsky (bzbarsky) is an example of the annoyance.

Also note that many of the Mozilla people are still on vacation until January 1st or 2nd or so, so do not expect things on this bug to happen as quickly until then at the earliest.


These locked-browser scareware or ransomware sites are not new, as some may think; they have been floating around for some months, if not (with older variants) for years now, since 2009, popping up in Canada/USA since 2012. For example, the current RCMP locked-browser variation had the real RCMP doing a media advisory back in February. http://www.rcmp-grc.gc.ca/on/news-nouvelles/2013/13-02-18-kitchener-eng.htm

And an older one in July 2012. http://cb.rcmp-grc.gc.ca/ViewPage.action?siteNodeId=50&languageId=1&contentId=26058

An article with an examples GIF of ones from 2012. http://www.f-secure.com/en/web/labs_global/removal/removing-ransomware


edit: tried to add an image but it does not show. edit2: ok, now it does.

Site Moderator

Re: WARNING FBI LOCKED BROWSER!!!

James, my observation is that what may be new or documented less is this specific type that does not actually use anything other than the web page itself.

None of the recent Firefox sumo threads I just posted in seem to offer suitable instructions for this particular variant, neither does my local Europol EC3 advice or the link you posted http://www.f-secure.com/en/web/labs_global/removal/removing-ransomware.

I had seen the original Bug 616853 myself before filing Bug 953147 but thought this differed enough that it may possibly be considered separately. One of our few forum threads on fbi bugs has in the order of 9k hits, that's moderately high for this forum.