A new tech support scam technique streamlines the entire scam experience, leaving potential victims only one click or tap away from speaking with a scammer. We recently found a new tech support scam website that opens your default communication or phone call app, automatically prompting you to call a fake tech support scam hotline.
Figure 1. Tech support scam page launching the default communication app with the fake hotline 001-844-441-4490 ready to be dialed
Most tech support scams rely on social engineering: They use fake error messages to trick users into calling hotlines and paying for unnecessary tech support services that supposedly fix contrived device, platform, or software problems.
To create the impression of a “problem”, tech support scam websites attempt to lock the browser. Some do this using pop-up or dialog loops—they embed malicious code in web pages that cause browsers to continuously display alerts. When the user dismisses an alert, the malicious code invokes another one, essentially locking the browser session.
Most browsers, including Microsoft Edge and Internet Explorer, have released a solution for this behavior, allowing users to stop websites from serving dialog pop-ups. Browsers now can also be closed even with an active dialog box.
Figure 2. Microsoft Edge prompting the user to stop a pop-up dialog loop
This streamlined tech support scam forgoes the use of dialog boxes and instead contains code that has a click-to-call link that it automatically clicks.
Figure 3. Click-to-call code in tech support scam website
When clicked, the link opens the default communication or phone call app, prompting the user to call the fake technical support hotline already prepopulated in the app.
With click-to-call links, tech support scams do not have to be as elaborate as many current tech support scam websites. They don’t have to rely on scary messages or pose as legitimate error messages to convince victims to call the phone number.
Figure 4. Recent tech support scam websites with various fake error messages and phone numbers
Instead, scam sites can be very simple, with just a fake hotline number and a simple message like “We’re here to help”, as is used by the actual scam page below.
Figure 5. Tech support scam website before the communication app is launched
Although the page is simple, the scam is aided by an audio file that automatically plays as the website is displayed. This is a common technique used by the Techbrolo family of support scam script malware. The audio message in this new tech support scam website says:
Critical alert from Apple support. Your mac has alerted us that your system is infected with viruses, spywares, and pornwares. These viruses are sending your credit card details, Facebook logins, and personal emails to hackers remotely. Please call us immediately on the toll-free number listed so that our support engineers can walk you through the removal process over the phone. If you close this window before calling us, we will be forced to disable and suspend your Mac device to prevent further damage to our network. Error number 268D3.
The audio message is characteristic of tech support scams in its use of scare tactics. However, this technique seems to be optimized for mobile phones. The website uses responsive design, and the click-to-call can directly launch the phone function on smart phones.
Figure 6. Tech support scam website launches the phone call app on a mobile phone
This goes to show that the threat of tech support scams affects users of various platforms, devices, and software.
Tech support scams heavily use templates so that they can reuse websites to launch campaigns using multiple hotline numbers. Based on our tracking of tech support scams campaigns and methods, we know that scammers frequently change the phone numbers they use. In the August-September timeframe, for example, 33% of tech support scam numbers were used in campaigns that lasted less than a day.
The hotline number on a tech support scam template can be altered simply by swapping out the phone number set as parameter in the URL. The phone number in the URL is displayed in the fake error message on the page and/or the dialog boxes. Most tech support scam templates we’ve seen have a default phone number that is displayed when there is no phone number in the parameter.
Figure 7. A sample tech support scam template used with several phone numbers
The new tech support scam website also uses this method. However, unlike other scam sites, it doesn’t have a default number.
Figure 8. The tech support scam with click-to-call link with no phone number
As of this writing, we’re not seeing widespread campaigns using this new and emerging tech support scam technique. But because the website accepts URL parameters, we can assume it is being sold as a service in the cybercriminal underground. We did find that the website doesn’t validate the parameters, so technically any number can be passed as the phone number, and it can be automatically used by this tech support scam site.
We have been tracking tech support scams, and the click-to-call technique is just the latest innovation from scammers. Unfortunately, this is probably not the last we’ve seen of these threats.
However, at the core, tech support scams are a social engineering attack. Legitimate error and warning messages don’t include a phone number. On the other hand, legitimate technical support websites don’t use scary error messages to convince users to call. In this example, users can avoid being scammed simply by not proceeding with the call. In general, if a site automatically launches your calling app, it is likely malicious. Don’t press Send—you might end up being charged for calls or you might fall victim to a bigger scam once you talk to the criminals behind the scam site.
To help Windows 10 users stay safe from tech support scams, Microsoft Edge blocks tech support scam websites. It uses Windows Defender SmartScreen (also used by Internet Explorer) to block tech support scams and other malicious websites, including phishing sites and sites that host malicious downloads.
Windows Defender Antivirus detects and blocks tech support scam malware and other threats. It leverages protection from the cloud, helping ensure customers are protected from the latest threats in real-time.
Jonathan San Jose
Windows Defender Research team
Questions, concerns, or insights on this story? Join discussions at the Microsoft community.