Tech support scams, delivered as phishing pages with fake alerts urging you to call for immediate assistance, are commonplace these days. We collect hundreds of such URLs each day and have observed countless tricks to fool users. In this post we examine a couple of sneaky techniques targeting Google Chrome users.
The fake address bar
This is an interesting one because for years we have been telling people to double-check the URL in the address bar to know if a website is really what it claims to be. When this scam page loads it runs in full-screen mode and uses an infinite loop of alerts to prevent the user from easily closing it.
Now take a look at the address bar. For all intents and purposes it does look like the legitimate Microsoft website, although the ‘ru-ru’ (Russia) portion of the URL is a fail in an otherwise clever design. (There are other bits of Russian here and there in the source code, which perhaps link to the original author?).
Let’s have a look under the hood to find out exactly how they are pulling this one off. We notice that the address bar is nothing but a JPEG picture that is placed at the right spot to look like an actual address bar when the page is loaded in full-screen mode. To make matters more confusing this particular scam is hosted on Amazon, and that is the correct address bar.
The fake alert dialog
A nifty feature in Google Chrome is the “Prevent this page from displaying additional dialogs” option, which is particularly useful when certain websites ask you “Are you sure you want to leave this page?” followed by “Are you really, truly sure you want to do it?” and then some.
Tech support scams have similar alert windows except we found some that are completely made up. Putting a checkmark and clicking OK actually produces the opposite result of what you’d expect, to keep you more frustrated and ready to throw your computer out the window.
We almost mistook that one for a real alert dialog, except that they got the spelling wrong (at least in American English) and typically a ‘dialogue’ is a conversation between people, nothing to do with a ‘dialog box’. Below is the real dialog from Google Chrome:
Note the additional trick that the scammers added though: “Press ESC, to close this page!” A couple of things wrong with this: first, the grammar is incorrect as you would not put a comma in the middle of that sentence. Also, this is not a Google notification. Only the Prevent message and the OK buttons are legit. The ruse is to have people press the escape key instead of placing a check mark and clicking OK, leading to another round of fake alerts and more frustration.
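The traits described in the two sections above (full-screen mode, looping alerts, an image standing in for the address bar, and browser dialog text drawn by the page itself) can be checked statically in a page's source. The following is an added example, not code from the original post; the indicator names, weights and threshold are assumptions, and both sample pages are constructed.

```javascript
// Added example: static heuristics for the tricks described in this post.
// Indicator ids, weights and THRESHOLD are assumptions, not tuned values.
const INDICATORS = [
  { id: "fullscreen-request", weight: 2,   // page tries to hide the real browser UI
    test: s => /(?:webkit|moz|ms)?requestfullscreen\s*\(/i.test(s) },
  { id: "alert-in-loop", weight: 2,        // alert() called from a loop or timer
    test: s => /\b(?:while|for|setInterval)\s*\([\s\S]{0,200}?\balert\s*\(/.test(s) },
  { id: "image-pinned-to-top", weight: 1,  // where a picture of an address bar would sit
    test: s => (s.match(/<img\b[^>]*>/gi) || []).some(tag =>
      /position\s*:\s*(?:fixed|absolute)/i.test(tag) &&
      /\btop\s*:\s*0(?![\d.])/i.test(tag)) },
  { id: "browser-dialog-text-in-page", weight: 3, // real checkbox is drawn by Chrome, not by markup
    test: s => /prevent this page from displaying additional dialog(?:ue)?s/i.test(s) },
  { id: "esc-to-close-prompt", weight: 1,
    test: s => /press esc\b[^<]{0,40}close this page/i.test(s) },
];
const THRESHOLD = 4; // assumed cut-off: one indicator alone never flags a page

// Score a page's HTML/JS source and list which indicators fired.
function scorePage(source) {
  const hits = INDICATORS.filter(ind => ind.test(source));
  const score = hits.reduce((sum, ind) => sum + ind.weight, 0);
  return { score, hits: hits.map(ind => ind.id), suspicious: score >= THRESHOLD };
}

// Constructed sample combining the traits from the post.
const SCAM_LIKE = `
<img src="bar.jpg" style="position:fixed; top:0; left:0; width:100%">
<div class="box">Prevent this page from displaying additional dialogues
  <p>Press ESC, to close this page!</p></div>
<script>
  document.documentElement.webkitRequestFullscreen();
  while (true) { alert("call support"); }
</script>`;

// Constructed benign page: a pinned logo and a single alert.
const BENIGN = `<img src="logo.png" style="position:fixed; top:0">
<script>alert("Saved");</script>`;

console.log(scorePage(SCAM_LIKE)); // all five indicators fire
console.log(scorePage(BENIGN));    // only the pinned image fires
```

Because the dialog-text indicator alone scores below the threshold, an article that merely quotes Chrome's wording is not flagged.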
Call centres located in India (for the most part) are receiving thousands of calls each day from desperate victims primed to be defrauded of hundreds of dollars by rogue operators playing the Microsoft technician game.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held cyber security researcher positions within a variety of cyber security start-ups. She also has experience in different industry domains like finance, healthcare and consumer products.