(Note: Our Tech support scams FAQ page has the latest info on this type of threat, including scammer tactics, fake error messages, and the latest scammer hotlines. You can also read our latest blog, New tech support scam launches communication or phone call app.)
Tech support scams continue to evolve, with scammers exploring more ways to reach potential victims. Recently, we have observed spam campaigns distributing links that lead to tech support scam websites.
Anti-spam filters in Microsoft Exchange Online Protection (EOP) for Office 365 and in Outlook.com blocked the said emails because they bore characteristics of phishing emails. The said spam emails use social engineering techniques—spoofing brands, pretending to be legitimate communications, disguising malicious URLs—employed by phishers to get recipients to click suspicious links.
However, instead of pointing to phishing sites designed to steal credentials, the links lead to tech support scam websites, which use various scare tactics to trick users into calling hotlines and paying for unnecessary "technical support services" that supposedly fix contrived device, platform, or software problems.
The use of email as an infection vector adds another facet to tech support scams, which are very widespread. Every month, at least three million users of various platforms and software encounter tech support scams. However, tech support scams are not typical email threats:
The recent spam campaigns that spread links to tech support scam websites show that scammers don’t stop looking for ways to perpetrate the scam. While it is unlikely that these cybercriminals will abandon the use of malicious ads, malware, or cold calls, email lets them cast a wider net.
The spam emails with links to tech support scam pages look like phishing emails. They pretend to be notifications from online retailers or professional social networking sites. The suspicious links are typically hidden in harmless-looking text.
Figure 1. Sample fake Alibaba order cancellation email. The order number is a suspicious link.
Figure 2. A sample of a fake Amazon order cancellation email. Similarly, the order number is a suspicious link.
Fig 3. Sample fake LinkedIn email of a message notification. The three hyperlinks in the email all lead to the same suspicious link.
The links in the emails point to websites that serve as redirectors. In the samples we analyzed, the links pointed to the following sites, which are most likely compromised:
Interestingly, the redirector websites contain code that diverts some visitors to pharmaceutical or dating websites.
Fig 4. Redirects to pharmacy sites
In most cases, however, the redirector websites eventually lead to typical support scam pages.
Fig 5. Redirects to support scam site
Tech support scams sites often mimic legitimate sites. They display pop-up messages with fake warnings and customer service hotline numbers. As part of the scam, calls to these phone numbers are answered by agents who trick users into paying for fake technical support.
_Fig 6. Tech support scam site with fake warning and support number _
The technical support scam websites employ various social engineering techniques to compel users to call the provided hotlines. They warn about malware infection, license expiration, and system problems. Some scams sites display countdown timers to create a false sense of urgency, while others play an audio message describing the supposed problem.
Tech support scam websites are also known to use pop-up or dialog loops. A dialog loop refers to malicious code embedded in sites that causes the browser to present an infinite series of browser alerts containing falsified threatening messages. When the user dismisses an alert, the malicious code invokes another one, ad infinitum, essentially locking the browser session.
Tech support scams continue to expand and evolve. They are becoming multi-faceted and are arriving via several infection vectors. A multi-layered defense is necessary.
Windows 10 has a comprehensive protection stack that defends against multi-faceted threats. New and updated features in Creators Update provide even more protection for devices against the latest and advanced threats. Upgrade to Windows 10, if you haven’t already, and keep your computers up-to-date.
Microsoft Exchange Online Protection (EOP) has built-in anti-spam filtering capabilities that help protect Office 365 customers from email threats, including tech support scams that arrive via email. Office 365 Advanced Threat Protection helps secure mailboxes against attacks by blocking emails with unsafe attachments and malicious links, including time of click protection. Outlook.com anti-spam filters also provide protection against these scam emails.
Use Microsoft Edge when browsing the Internet. It uses Windows Defender SmartScreen (also used by Internet Explorer), which blocks tech support scam websites and other malicious websites, as well as malicious downloads.
Figure 7. Microsoft Edge blocks known support scam websites using Windows Defender SmartScreen
Microsoft Edge also helps stop pop-up or dialog loops that are often spawned by tech support scam websites. It does this by allowing you to stop web pages from creating any more messages when the first one is dismissed:
Figure 8. Dialog loop protection in Microsoft Edge
When a website serves a dialog loop, you can also try to close the browser window. Alternatively, you can open Task Manager (by pressing CTRL+SHIFT+ESC), select the browser under Apps, and click End task. In future updates, Microsoft Edge will let you close the browser or specific tabs even when there is a pop-up or dialog message.
To report a tech support scam site using Microsoft Edge, select More […] _while you are on the site. Select _Send feedback > Report unsafe site, and then use the web page that opens to report the website. In Internet Explorer, select the gear icon and then select to Safety > Report unsafe website.
Windows Defender Antivirus detects and blocks tech support scam malware and other threats. It leverages protection from the cloud, helping ensure you are protected from the latest threats.
Tech support scams employ various social engineering techniques to get potential victims to call fake support hotlines. Do not call hotline numbers displayed in pop-up messages. Error and warning messages from Microsoft do not contain support numbers.
Some scammers might contact you directly and claim to be from Microsoft. Microsoft will not proactively reach out to you offering unsolicited technical support. To reach our technical support staff, visit the Microsoft Answer Desk.
For more guidance and a comprehensive list of scam numbers to avoid, read about avoiding technical support scams on Windows Defender Security Intelligence.
Alden Pornasdoro, Jeong Mun, Barak Shein, Eric Avena