Researchers at Barracuda have identified CypherLoc, a clever web-based scam that locks internet browsers and then tricks people into calling fraudulent technical support lines. Since the beginning of 2026 the kit has been used in around 2.8 million attacks worldwide. The deception represents a new evolution in so-called scareware, moving away from installing obvious harmful software and instead operating entirely inside the victim's web browser. It relies on fear and confusion rather than traditional viruses.[1]
The process typically starts with a phishing email. This is a deceptive message that looks genuine but contains a dangerous link, either in the text or in an attachment. When the recipient clicks the link, a web page opens that appears completely normal at first. Hidden inside the page is special code. This code stays dormant until it detects it is running on a real person's computer rather than a security testing tool. Once the conditions are met, the page suddenly changes. It takes over the entire screen, locks the browser so the user cannot easily close it, and displays alarming fake security warnings.
CypherLoc uses several smart techniques to avoid being spotted by security software. The harmful instructions are stored in an encrypted form and only unlock when a specific secret code appears in the web address. If security scanners or test environments open the page, the code detects this and does nothing, showing only a blank screen instead. After the code activates, the original page wipes itself and loads an entirely new fake page. This sudden switch makes it harder for experts to examine what is happening. If anyone tries to inspect the page using browser tools, the system deliberately slows down or becomes unstable, creating the illusion of a genuine computer problem.
Once the browser is locked, the scam applies strong psychological pressure. Loud warning sounds play automatically. The victim's own public IP address appears on screen to make the warning feel personal. Fake login forms ask for usernames and passwords but do nothing with the information. The goal is simply to increase panic. The page disables normal controls such as right-click menus and hides the mouse cursor. Any attempt to close the window or escape triggers the lock again. A prominent phone number is displayed as the only apparent way to fix the supposed problem. Victims who call are connected to scammers pretending to be from legitimate companies such as Microsoft. These operators then use conversation tricks to obtain passwords or other sensitive details.
Barracuda recommends several practical steps. Strong anti-phishing filters, up-to-date browser protections and endpoint security software can help block suspicious scripts before they activate. Equally important is user education. People should know that genuine security warnings never demand immediate phone calls, never lock the browser, and never ask for urgent action through pop-up messages.
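The lock behaviours described above can be turned into a static triage heuristic for saved page source. This is an added example, not Barracuda's detection logic and not code from the kit: the patterns are assumed, generic browser APIs that could implement each behaviour, and the weights, threshold and both sample pages are constructed.

```javascript
// Added example: static triage of saved page source for browser-lock behaviour.
// Patterns are ASSUMED generic browser APIs matching behaviours the article
// describes; they are not confirmed CypherLoc indicators. Weights are illustrative.
const INDICATORS = [
  { id: "fullscreen-takeover", weight: 2, re: /\.requestFullscreen\s*\(/ },
  { id: "context-menu-blocked", weight: 1, re: /["']contextmenu["'][\s\S]{0,120}?preventDefault\s*\(/ },
  { id: "cursor-hidden", weight: 1, re: /cursor\s*[:=]\s*["']?\s*none/i },
  { id: "page-self-replace", weight: 2, re: /document\.(open|write)\s*\(/ },
  { id: "url-keyed-decrypt", weight: 3, re: /location\.(hash|search)[\s\S]{0,400}?subtle\.decrypt\s*\(/ },
  { id: "devtools-stall", weight: 2, re: /setInterval\s*\([\s\S]{0,80}?\bdebugger\b/ },
  { id: "audio-autoplay", weight: 1, re: /new\s+Audio\s*\([\s\S]{0,200}?\.play\s*\(/ },
  { id: "support-phone-lure", weight: 1, re: /(call|support|helpline)[^<]{0,60}\+?\d[\d\s().-]{8,}\d/i },
];

// Sum the weights of matched indicators; a single signal (for example a video
// player going fullscreen) stays below the threshold.
function scorePage(source, threshold = 5) {
  const hits = INDICATORS.filter((i) => i.re.test(source));
  const score = hits.reduce((sum, i) => sum + i.weight, 0);
  return { score, suspicious: score >= threshold, hits: hits.map((i) => i.id) };
}

// Constructed samples, not captured from a real page; helper names are placeholders.
const LOCK_SAMPLE = `
<script>
  const key = location.hash.slice(1);
  crypto.subtle.decrypt(alg, importedKey(key), blob).then((html) => {
    document.open(); document.write(decode(html)); document.close();
  });
  document.addEventListener("contextmenu", (e) => e.preventDefault());
  document.body.style.cursor = "none";
  document.documentElement.requestFullscreen();
  new Audio("alarm.mp3").play();
</script>
<h1>Security alert. Call support now: +1 (000) 555-0100</h1>`;

const PLAYER_SAMPLE = `
<script>
  btn.addEventListener("click", () => video.requestFullscreen());
</script>
<p>Questions? Call our support desk: 0800 000 0000</p>`;

console.log(scorePage(LOCK_SAMPLE));   // several co-occurring signals
console.log(scorePage(PLAYER_SAMPLE)); // legitimate fullscreen use only
```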
In an expert comment, Saravanan Mohankumar, manager of Barracuda’s Threat Analysis Team, said, “CypherLoc shows how modern scareware is shifting away from obvious malware and towards browser-based, user-driven scams that are difficult to detect and highly effective.” By staying calm and closing the browser through Task Manager, or simply turning off the device if needed, users can avoid falling for the pressure.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information (CTI) via a notification/Tier I analysis service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://www.cybersecurityintelligence.com/blog/stealthy-browser-lock-scam-9407.html