
Fake Cookie Consent Used as a Phishing Gateway

Fake Cookie Policy Prompt
In this case, the malicious domain displayed what appeared to be a shopping page, blurred out behind an overlaid cookie banner. The consent text looked ordinary, complete with a link to a supposed “Cookie Policy.” But the Accept button was hyperlinked directly to a DigitalOcean-hosted application—the real goal of the page.

Mouse Movements Trigger Redirect
The attackers didn’t stop there. To maximize success, the site tracked mouse movements and automatically redirected users if the cursor moved beyond the top 10% of the screen. In other words, visitors didn’t even need to click “Accept”; simply moving their mouse was enough to trigger the redirect.
This simple logic also enables malicious sites to evade automated web crawlers and security scanners that do not emulate mouse movements.
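
The two signals described above, a consent button that links off-site and a mouse-movement handler that navigates, can be checked statically when triaging a saved copy of a page. This is an added example, not code from the campaign or from Keep Aware; the function names, the 600-character window and the placeholder hosts are assumptions, and both sample pages are constructed.

```javascript
// Added example: static triage heuristics (regex-based, so expect misses on obfuscated code).
const NAV = /\blocation\s*(?:\.href)?\s*=[^=]|\blocation\.(?:assign|replace)\s*\(|\bwindow\.open\s*\(/;
const POINTER = /\b(?:client|page|screen)[XY]\b/;
const CONSENT = /\b(?:accept|agree|allow|got it)\b/i;

// Text window following each mousemove/pointermove registration (600 chars is an assumed bound).
function pointerHandlers(html) {
  const re = /addEventListener\s*\(\s*["'](?:mouse|pointer)move["']|\bonmousemove\s*=/g;
  const out = [];
  for (const m of html.matchAll(re)) out.push(html.slice(m.index, m.index + 600));
  return out;
}

// Hosts of links whose visible text reads like a consent button but whose href leaves the page's host.
function offsiteConsentLinks(html, pageUrl) {
  const base = new URL(pageUrl);
  const re = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  const hits = [];
  for (const m of html.matchAll(re)) {
    const text = m[2].replace(/<[^>]*>/g, " ").trim();
    let target;
    try { target = new URL(m[1], base); } catch { continue; }
    if (CONSENT.test(text) && target.host !== base.host) hits.push(target.host);
  }
  return hits;
}

function triagePage(html, pageUrl) {
  const findings = offsiteConsentLinks(html, pageUrl).map((h) => `consent-button-offsite:${h}`);
  // Flag only handlers that both read pointer coordinates and navigate.
  if (pointerHandlers(html).some((h) => POINTER.test(h) && NAV.test(h))) {
    findings.push("pointer-move-navigation");
  }
  return findings;
}

// Constructed samples (placeholder hosts), not captured from the campaign.
const SUSPICIOUS = `<a href="/cookie-policy">Cookie Policy</a>
<a class="btn" href="https://app.example.net/">Accept</a>
<script>document.addEventListener("mousemove", function (e) {
  if (e.clientY > window.innerHeight * 0.1) window.location.href = "https://app.example.net/";
});</script>`;
const BENIGN = `<a href="/consent?ok=1">Accept</a>
<script>document.addEventListener("mousemove", (e) => { tip.style.top = e.clientY + "px"; });</script>`;

console.log(triagePage(SUSPICIOUS, "https://shop.example.test/"));
console.log(triagePage(BENIGN, "https://shop.example.test/"));
```

A hit from either check is a reason to load the page in an instrumented browser that emulates pointer movement, since a static pass cannot see what the server returns after the redirect.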

Server-Side Logic, Differing Outcomes
Once redirected, users experienced different outcomes depending on server-side logic. Some were quietly routed to Walmart.com, a benign site, making the campaign appear harmless during casual investigation and hiding the campaign’s true end goal. Others were sent to the malicious DigitalOcean app, which immediately launched into a full-screen fake security alert. Accompanied by blaring audio, the page impersonated Microsoft Defender and claimed the computer was infected with a virus. Victims were urged to call a fake support number, a common tactic in tech support scams.

Conclusion
This attack illustrates how adversaries exploit user expectations and common design patterns to lower defenses. A cookie consent banner is something people encounter multiple times a day; in this case, it was weaponized to initiate a multi-step scam. Redirect logic and fallback routes further obscured the malicious activity, while a digital storefront, cookie banner, and the use of a trusted cloud provider domain added credibility.
The fake cookie consent serves as a reminder that attackers continue to attempt to evade technical defenses, while ultimately exploiting human expectations and user trust. In this case, Keep Aware identified the initial site as a high-risk, newly registered domain with suspicious content and stopped the user before they could even be redirected to the full-blown tech support scam. Even if the user had proceeded, Keep Aware would have detected the malicious phishing site itself and blocked access, ensuring protection at every stage of the attack chain.

IOCs
Domains
chiccartt[.]online
stingray-app-wdz6t[.]ondigitalocean[.]app
hjhdiippppp1[.]z13[.]web[.]core[.]windows[.]net
URLs
https[:]//chiccartt[.]online/
https[:]//stingray-app-wdz6t[.]ondigitalocean[.]app/
https[:]//hjhdiippppp1[.]z13[.]web[.]core[.]windows[.]net/Wi0nHelpSh0errc0de030/index.html?Anph=1-888-678-1497&_event={alphanumericString}