Recognize a scam website by double-checking spelling in the address bar

Filed under: Scams, Security - Mar 07 2017

When using your web browser to visit websites, always double-check the spelling in the address bar. Scammers typically register misspellings of popular websites to get you to divulge personal and login information. Double-checking the website address can also give you an important clue to the authenticity of a pop-up or a request to log in to a website.

Also read: Address Bar vs Search Bar vs Search Box – which to use?

Anatomy of a support scam website – from the Microsoft Blog

The scam starts like any other. You are redirected to the website by nefarious ads. When the page loads, you get a pop-up message that says your computer has been locked because of virus infection. It asks you to immediately call a technical support number.

Figure 1. Dialogue box that pops up when the site originiftsnormalpro.xyz is accessed.

The website also starts playing an audio message, a tactic to further cause panic, something that we’re seeing more and more in these scams. It says:

Important security alert! Virus intrusions detected on your computer. Your personal data and system files may be at serious risk. All system resources are halted to prevent any damage. Please call customer service immediately to report these threats now.

On typical scam sites, if you click OK or close the pop-up message, a dialogue loop kicks in: the website keeps serving the pop-up message whatever you do, effectively locking your browser. On this new site, however, if you click OK, things start to get very interesting.

It loads a page with what appears to be a pop-up message containing the same details, including the technical support hotline. You may think at this point you’re just getting the usual dialogue loop. But, upon closer inspection, it’s not really a pop-up message, but a website element of the scam page.

Figure 2. A fake dialogue box that is really a website element.

If you click OK on the fake dialogue box (or basically anywhere on the page), it goes into full screen and brings in another surprise. At full screen, you get what looks like a browser opened to support.microsoft.com/ru-ru/en. But, alas, just like the pop-up message, the browser is just a website element.

Figure 3. A fake browser that is part of the design of the support scam website.

This is how the scam site is able to spoof support.microsoft.com in the fake address bar. It even shows the green HTTPS indicator to further feign authenticity. If you haven't detected the scam by this point, you may think you were redirected to a Microsoft website that is serving you messages about your PC. Don't fall for this. Exiting full screen puts things in perspective.
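The page makes two points worth turning into a check: the real host is the one in the browser's own address bar, and a scam host is typically a misspelling of a trusted site or embeds the trusted name inside a different domain (the fake bar above showed support.microsoft.com while the real site was originiftsnormalpro.xyz). The following is an added example, not code from the original post or from Microsoft; the trusted-host list and the sample addresses are constructed for illustration.

```javascript
// Added example (not from the original post). Classifies the host of a real
// page address against a constructed list of trusted hosts.
const TRUSTED_HOSTS = ["microsoft.com", "support.microsoft.com", "google.com", "paypal.com"];

// Levenshtein edit distance, single-row dynamic programming.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];          // d[i-1][j-1] for the current j
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = prev[j];     // d[i-1][j]
      prev[j] = Math.min(
        above + 1,               // deletion
        prev[j - 1] + 1,         // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1) // substitution or match
      );
      diag = above;
    }
  }
  return prev[b.length];
}

// Returns "trusted", "lookalike" or "unknown" for the host in `href`.
//  - trusted:   the host is a trusted host or a subdomain of one
//  - lookalike: a trusted name appears as a label prefix of another domain
//               (support.microsoft.com.example.xyz), or the host's tail is
//               within 2 edits of a trusted host (rnicrosoft.com, paypa1.com)
//  - unknown:   none of the above; the site is simply not on the list
function classifyAddress(href, trusted = TRUSTED_HOSTS) {
  const host = new URL(href).hostname.toLowerCase();
  if (trusted.some((t) => host === t || host.endsWith("." + t))) return "trusted";
  const labels = host.split(".");
  for (const t of trusted) {
    if (host.startsWith(t + ".") || host.includes("." + t + ".")) return "lookalike";
    // compare only as many trailing labels as the trusted host has
    const tail = labels.slice(-t.split(".").length).join(".");
    if (editDistance(tail, t) <= 2) return "lookalike";
  }
  return "unknown";
}

module.exports = { editDistance, classifyAddress, TRUSTED_HOSTS };
```

The check is only a heuristic: a host classed "unknown" is not vouched for, and a scam running on an unrelated domain, as in the article, is caught only because it is not on the trusted list.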

Figure 4. The support scam website outside full screen.

Busting the scam

Just like all tech support scams, this new iteration does its best to make you think there's something wrong with your PC. The new techniques are meant to improve the chances that you take the social-engineering bait.

The key to stopping the attack is to immediately recognize and break it. If you’re a Microsoft Edge user, there are a couple of ways to do this.

The first clue that something’s amiss is a message from Microsoft Edge. As the offending site goes into full screen, you get a notification from Microsoft Edge. You can exit the full screen at this point by clicking Exit now, and you stop the attack.

Figure 5. Alert from Microsoft Edge that the site has gone to full screen.

The second clue is the change in the interface. Since the page is designed to look like Google Chrome, if you’re a Microsoft Edge user, you may catch the difference. Detecting the change in the interface may be easier said than done, but the opportunity to break the attack is there.

Figure 6. You can detect that the fake browser is different from the real one.

Conclusion: Avoiding tech support scams

As this newly discovered support scam website shows, scammers are always on the lookout for opportunities to improve their tools. They can get really creative, motivated by the possibility of avoiding security solutions and ultimately increasing the chances of you falling for their trap.

Avoid tech support scam websites by being more careful when browsing the Internet. As much as you can, visit trusted websites only. As with most tech support scams, you are redirected to the offending sites via malvertising (malicious ads). These ads are usually found on dubious websites, such as those hosting illegal copies of media and software, cracked applications, and malware.

Use Microsoft Edge when browsing the Internet. It blocks known support scam sites using Microsoft SmartScreen. Microsoft Edge can also stop pop-up dialogue loops used by these sites. It also calls out when a website goes into full screen, giving you a chance to stop the attack.

Figure 7. Microsoft Edge blocks the support scam website using Microsoft SmartScreen.