Hackers Using the Browser’s Red Warning Screens to Begin Attacks

Personally, I’m glad the Edge browser has SmartScreen. Chrome users should also be glad because Microsoft is now offering that browser an add-on that gives those users the same protection as Edge users. SmartScreen warns you that the site you’re planning to visit may have malicious intentions. You don’t have to go there to find out because the browser has already done that for you. It’s something like a person warning you not to open a door because bad things are in the room behind it. It’s too bad predictable horror movies don’t have this function. If they did, the terrified girls in these films might think twice before deciding it would be a good idea to look around the cellar where the lights never seem to work.

But there are users who feel that the SmartScreen Filter is too proactive. Some feel that the protecting red screen comes up at inappropriate times and simply interferes with their browsing. It is possible to disable the filter but doing so exposes the user to a variety of attacks. Malware may also make use of the filter to do unsavory things.

If you have been lucky enough never to have seen this feature, here is what it looks like.

[Image: red screen]

The code that creates the screen will specify which threats may lie in wait in the page ahead.

In December 2016, a researcher found that criminals were manipulating this feature in a number of browsers for financial benefit. The screens were made to give phone numbers that a user should call to fix a problem. Some of these screens are not red but are designed to look like they came from Microsoft Support. Many of them come with phone numbers.

[Image: fake microsoft support]

The attackers hope to scare you into purchasing some ‘necessary’ product that will fix your system. The typical warning will be similar to this: “The removal of (3) Viruses is required immediately to prevent further system damage, loss of Apps, Photos or other files. Traces of (1) Phishing/Spyware were found on your computer. Personal and banking information are at risk.” If you call the number they give you, they may ask you to give them remote control over your device so they can “fix it”. They will then do some hocus pocus (like installing Firefox) and expect you to pay for this. Most people say they paid about $150. Consider this as the price of ignorance, which you can no longer claim after reading this post.

These so-called tech support scams have been going on for years. Recently, though, they have been getting better and more believable. They’ve also become more dangerous. If you give anyone remote access to your computer/device, you are asking for trouble because nothing can stop them from installing a remote access trojan right before your very eyes. They may make it look like it is some security tool so as not to make you suspicious, but once it’s installed, they can steal any information they want, including your credit card numbers and bank logins.

A new variation on the scam is to apparently freeze your browser on the fake support page. It appears as if you cannot browse to another site and, sometimes, cannot even open your task manager. In fact, your browser is not frozen. The attackers simply add some code to the page that maxes out your computer’s resources. The technique abuses the browser’s history.pushState() method. Here is the code that accomplishes this.

[Image: history push]

You may not even be able to shut down your computer with Ctrl+Alt+Del. In this case, do a hard reboot (push the “off/on” button for 5 seconds). Just don’t call the support number. It should be noted that some of these scams come bundled in software, so when you unpack the software make sure not to accept the default installation.
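
From the defender's side, the freeze described above can be blunted by rate-limiting history.pushState(). The following is an added example, not code from the original post or from any browser: installPushStateGuard, maxCalls and windowMs are hypothetical names and values, and a constructed stand-in for window.history is used so it runs under Node.

```javascript
// Wrap history.pushState in a sliding-window rate limiter so a page cannot
// flood the session history. Names and limits here are assumptions.
function installPushStateGuard(historyObj, opts = {}) {
  const { maxCalls = 50, windowMs = 10000, now = Date.now } = opts;
  const original = historyObj.pushState.bind(historyObj);
  const stamps = [];                       // times of recently allowed calls
  const stats = { allowed: 0, blocked: 0 };

  historyObj.pushState = function guardedPushState(state, title, url) {
    const t = now();
    // Forget calls that have left the sliding window.
    while (stamps.length && t - stamps[0] >= windowMs) stamps.shift();
    if (stamps.length >= maxCalls) {
      stats.blocked++;                     // over budget: ignore the call
      return;
    }
    stamps.push(t);
    stats.allowed++;
    return original(state, title, url);
  };
  return stats;
}

// Constructed stand-in for window.history (records pushed URLs only).
function makeFakeHistory() {
  const entries = [];
  return { entries, pushState(state, title, url) { entries.push(url); } };
}

// Simulate a burst of calls inside one window, then one call after it ends.
function demo() {
  let clock = 0;                           // controllable clock for the demo
  const fake = makeFakeHistory();
  const stats = installPushStateGuard(fake, { now: () => clock });
  for (let i = 0; i < 10000; i++) fake.pushState({}, "", "/p" + i);
  const afterBurst = { ...stats, entries: fake.entries.length };
  clock += 10000;                          // the window has passed
  fake.pushState({}, "", "/normal");
  return { afterBurst, final: { ...stats, entries: fake.entries.length } };
}
```

In a real page the guard would be installed on window.history from an extension content script before any page script runs; a high blocked count is itself a useful signal that the page is misbehaving.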

Although the Chrome browser has been scammed for some time, it is Microsoft’s Edge browser that now holds better scamming possibilities. I made the following scam page as an example. This is just a screenshot. The original used the SmartScreen HTML code and, on it, the link to “Google” would work.

[Image: facebook unsafe]

So I could make a legitimate and frequently visited site appear, for some undisclosed reason, to be unsafe. I gave a fake message which I could tailor for my needs. Normally, these pages tell you to go to your homepage. Maybe the link goes there and maybe it doesn’t. I made it look like you could go to google.com. Actually, on the created page, I made it go to Microsoft’s homepage to show that you can’t believe every link you see. But I could have made it go to a page that contains malicious code. (Here is the technical information on how the researcher bypassed a patch to Edge.)

Malware has been known to disable the SmartScreen filter. In most cases, it is better to have SmartScreen warnings turned on. To make sure it’s enabled on your Edge browser, go to Windows Settings, Update & security, Windows Defender, App & browser control. There, you will see this.

[Image: smartscreen warn]

You will also see other SmartScreen options that protect you from downloading infected apps.

As a last resort, you may want to do what one frustrated victim did, when he kept getting bothered by these fake red screen scams. He actually did call them.

“I called 100 times on 20 simultaneous channels. They answered, talked to my bots. Then they started to put my bots on hold. Then they started swearing, shouting to each other, about what is going on, I could hear in the background. Then I made 500 calls on 20 simultaneous channels to the number. After 300 phone (calls), they disconnected the number,” he said.

Recently, some of these scams have become so good that I really had difficulty determining if the message was actually from Microsoft or not. A list of some of these screen manipulation scams can be found here, but keep in mind that they are changing all the time and they continue to fool the unsuspecting. Do not call technical support numbers, download files or patches that are supposed to help you, or follow instructions to turn off SmartScreen protection. Microsoft will never give you a number to call. Always check a link address by hovering the cursor over it. If it does not have a microsoft.com address, it is leading you to a scam support page. All browsers are susceptible to these scams, and Microsoft reports that the number of scam victims is on the increase. Most victims lost between $200 and $500, but others have lost thousands. A new trick involves combining a tech scam with an overpayment scam as in the following example.

[Image: tech scam]

So scammers are upping their game daily. If you haven’t been targeted yet, you eventually will be, and you may not realize it’s a scam.
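
The two link checks discussed above (a link whose visible text names one site while it goes to another, and the rule that a support link must have a microsoft.com address) can be automated. This is an added example, not code from the original post; checkLink and the finding labels are hypothetical names, and the sample links are constructed.

```javascript
// Compare what a link shows with where it really goes, and test whether the
// real destination is microsoft.com or a genuine subdomain of it.
const TRUSTED_DOMAIN = "microsoft.com";

// True only for the domain itself or a real subdomain, so that
// "support.microsoft.com.example.net" is NOT accepted.
function isUnderDomain(host, domain) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return h === domain || h.endsWith("." + domain);
}

// If the visible link text looks like a host name or URL, return its host.
function hostFromText(text) {
  const re = /^(?:https?:\/\/)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)/;
  const m = text.trim().toLowerCase().match(re);
  return m ? m[1] : null;
}

function checkLink(text, href) {
  let url;
  try { url = new URL(href); } catch { return ["invalid-href"]; }
  const findings = [];
  const strip = (h) => h.replace(/^www\./, "");
  const shown = hostFromText(text);
  // "user@host" URLs put a familiar name in front of the real host.
  if (url.username || url.password) findings.push("userinfo-in-url");
  if (shown && strip(shown) !== strip(url.hostname)) {
    findings.push("text-host-mismatch");
  }
  if (!isUnderDomain(url.hostname, TRUSTED_DOMAIN)) {
    findings.push("not-microsoft.com");
  }
  return findings;
}

// Constructed sample links: [visible text, real href].
const SAMPLES = [
  ["google.com", "https://www.microsoft.com/"],
  ["Microsoft Support", "https://support.microsoft.com/help"],
  ["support.microsoft.com", "https://support.microsoft.com.example.net/fix"],
  ["Microsoft Support", "https://microsoft.com@example.net/"],
];

function runSamples() {
  return SAMPLES.map(([text, href]) => checkLink(text, href));
}
```

The first sample mirrors the demonstration page described earlier, where the link labelled as Google actually led to Microsoft's homepage; the last two show lookalike addresses that contain "microsoft.com" without belonging to it.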

About Steve Mierzejewski

Marketing consultant for InZero Systems, developer of the next generation in hardware-separated security, WorkPlay Technologies, TrustWall and Mobile bare-metal virtualization. I've worked in Poland, Japan, Korea, China, and Afghanistan. I'm a writer, technical editor, and an educator.