Breaking down a notably sophisticated tech support scam M.O.


(Note: Our Tech support scams FAQ page has the latest info on this type of threat, including scammer tactics, fake error messages, and the latest scammer hotlines.)


The cornerstone of tech support scams is the deception that there is something wrong with your PC. To advance this sham, tech support scams have long abused browsers' full screen function. Coupled with dialogue loops (pop-up messages that just won’t go away) and the spoofing of brands like Microsoft, tech support scam websites can be convincing.

The end-goal, of course, is to get you to call a technical support hotline, which then charges you for services you don’t need.

Recently we came across a new tech support scam website that stands out in the way it creatively uses the full screen function and dialogue boxes.

The scam is one of many websites we have discovered and blocked over the years. To achieve its end, the website uses a malicious script belonging to the Techbrolo family of support scam malware. Techbrolo is known for introducing the dialogue loops and audio messages that have now become staples of tech support scam sites.

Anatomy of a support scam website

The scam starts like any other. You are redirected to the website by malicious ads. When the page loads, you get a pop-up message that says your computer has been locked because of a virus infection. It asks you to immediately call a technical support number.


Figure 1. Dialogue box that pops up when the site originiftsnormalpro.xyz is accessed, asking you to call 1-844-313-7003

The website also starts playing an audio message, a tactic to further cause panic, something that we’re seeing more and more in these scams. It says:

Important security alert! Virus intrusions detected on your computer. Your personal data and system files may be at serious risk. All system resources are halted to prevent any damage. Please call customer service immediately to report these threats now.

On typical scam sites, if you click OK or close the pop-up message, a dialogue loop kicks in: the website keeps serving the pop-up message whatever you do, effectively locking your browser.

In this new site, however, if you click OK, things start to get very interesting.

It loads a page with what appears to be a pop-up message containing the same details, including the technical support hotline. You may think at this point you’re just getting the usual dialogue loop. But, upon closer inspection, it’s not really a pop-up message, but a website element of the scam page.


Figure 2. A fake dialogue box that is really a website element

If you click OK on the fake dialogue box (or basically anywhere on the page), it goes into full screen and brings in another surprise.

At full screen, you get what looks like a browser opened to support.microsoft.com/ru-ru/en. But, alas, just like the pop-up message, the browser is just a website element.


Figure 3. A fake browser that is part of the design of the support scam website

This is how the scam site is able to spoof support.microsoft.com in the fake address bar. It even has the green HTTPS indicator to further feign authenticity. If you didn’t detect the scam at this point, you may think you were redirected to a Microsoft website and it’s serving you some messages about your PC.

Don’t fall for this. Exiting full screen puts things in perspective.


Figure 4. The support scam website outside full screen
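As an added illustration (not code from the original post or from Microsoft), the following Python scan applies the traits described above, a script that requests full screen on click, the dialogue loop, autoplay audio, and a trusted support domain drawn as page text, to a saved copy of a page, such as the cached .htm file a browser leaves behind. The sample HTML, phone numbers and host names are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample in the style of the scam page described above (not the real site's source).
SCAM_HTML = """<html><body onclick="goFull()">
<script>
function goFull(){ var e = document.documentElement;
  (e.requestFullscreen || e.webkitRequestFullscreen || e.mozRequestFullScreen).call(e); }
for(;;){ alert("Your computer has been locked. Call 1-800-555-0100 now."); }
</script>
<audio autoplay src="alert.mp3"></audio>
<div class="addressbar">https://support.microsoft.com/ru-ru/en</div>
<div class="dialog">Important security alert! Virus intrusions detected. Call 1-800-555-0100.</div>
</body></html>"""

# Constructed benign sample: a real support page naming its own domain and a phone number.
BENIGN_HTML = """<html><body><p>Need help? Visit support.microsoft.com or call 1-800-555-0199.</p>
</body></html>"""

SUPPORT_DOMAINS = ("support.microsoft.com", "microsoft.com")
FULLSCREEN_RE = re.compile(r"\b(?:webkit|moz|ms)?[Rr]equestFull[Ss]creen\b")
DIALOG_RE = re.compile(r"\b(?:alert|confirm|prompt)\s*\(")
LOOP_RE = re.compile(r"for\s*\(\s*;\s*;\s*\)|while\s*\(\s*(?:true|1)\s*\)|beforeunload")
PHONE_RE = re.compile(r"\b1[-.\s]?\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")
LURE_RE = re.compile(r"\b(?:locked|virus|infect\w*|security alert)\b", re.I)


class _VisibleText(HTMLParser):
    """Collect text a user would see on screen, skipping <script>/<style> bodies."""

    def __init__(self):
        super().__init__()
        self.depth = 0            # nesting inside script/style
        self.chunks = []
        self.audio_autoplay = False

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.depth += 1
        elif tag == "audio" and any(name == "autoplay" for name, _ in attrs):
            self.audio_autoplay = True

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.depth:
            self.depth -= 1

    def handle_data(self, data):
        if not self.depth:
            self.chunks.append(data)


def _is_host_of(host, domain):
    return host == domain or host.endswith("." + domain)


def scan_page(html, page_host):
    """Return which scam traits the page shows; page_host is the real origin it was loaded from."""
    parser = _VisibleText()
    parser.feed(html)
    visible = " ".join(parser.chunks)
    return {
        # script able to take the window full screen, as the site does on any click
        "fullscreen_api": bool(FULLSCREEN_RE.search(html)),
        # alert/confirm inside an endless loop or an unload handler: the dialogue loop
        "dialog_loop": bool(DIALOG_RE.search(html) and LOOP_RE.search(html)),
        "autoplay_audio": parser.audio_autoplay,
        # a trusted support domain drawn as visible text on a page not served from that domain
        "spoofed_address": any(d in visible and not _is_host_of(page_host, d)
                               for d in SUPPORT_DOMAINS),
        # a hotline number next to "locked"/"virus" wording
        "hotline_lure": bool(PHONE_RE.search(visible) and LURE_RE.search(visible)),
    }


def verdict(hits):
    strong = hits["fullscreen_api"] or hits["spoofed_address"]
    count = sum(hits.values())
    if strong and count >= 3:
        return "likely tech support scam"
    if count >= 2:
        return "suspicious"
    return "clean"
```

The verdict deliberately requires a strong signal (full screen API or a spoofed address) plus two more traits, so a genuine support page that lists its own domain and hotline stays clean.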

Busting the scam

Just like all tech support scams, this new iteration is doing its best to make you think there’s something wrong with your PC. The new techniques are meant to improve its chances of you taking the social engineering bait.

The key to stopping the attack is to immediately recognize and break it. If you’re a Microsoft Edge user, there are a couple of ways to do this.

The first clue that something’s amiss is a message from Microsoft Edge. As the offending site goes into full screen, you get a notification from Microsoft Edge. You can exit the full screen at this point by clicking Exit now, and you stop the attack.


Figure 5. Alert from Microsoft Edge that the site has gone to full screen

The second clue is the change in the interface. Since the page is designed to look like Google Chrome, if you’re a Microsoft Edge user, you may catch the difference. Detecting the change in the interface may be easier said than done, but the opportunity to break the attack is there.


Figure 6. You can detect that the fake browser is different from the real one

Conclusion: Avoiding tech support scams

As this newly discovered support scam website shows, scammers are always on the lookout for opportunities to improve their tools. They can get really creative, motivated by the possibility of avoiding security solutions and ultimately increasing the chances of you falling for their trap.

Avoid tech support scam websites by being more careful when browsing the Internet. As much as you can, visit trusted websites only. As with most tech support scams, you are redirected to the offending sites via malvertising (malicious ads). These ads are usually found on dubious websites, such as those hosting illegal copies of media and software, cracked applications, and malware.

Get the latest protection from Microsoft by keeping your Windows operating system and antivirus up-to-date. If you haven’t, upgrade to Windows 10.

Use Microsoft Edge when browsing the Internet. It blocks known support scam sites using Microsoft SmartScreen. Microsoft Edge can also stop pop-up dialogue loops used by these sites. It also calls out when a website goes into full screen, giving you a chance to stop the attack.


Figure 7. Microsoft Edge blocks the support scam website using Microsoft SmartScreen


Jonathan San Jose

MMPC

Comments (43)

  1. Ed says:

    I’ve seen this before [not on my computer]. I tend to reset the web browser to make sure nothing was installed.
    I don’t think the latest AV definitions on any browser can stop this from happening as it is usually served by ads.
    I tend to figure out the offending web site and block it in the firewall.
    BTW, how do you reset Edge? In IE it’s easy via Internet Options in the Control Panel.

    1. Patrick Tawil says:

      I tried every anti virus, anti malware remover possible but to no avail. Only Microsoft Defender found it & removed it.

      1. Timmy says:

        All Microsoft Windows 10 Pro windows anti-virus is up to date.
        This message popped up on the browser July 14, 2017.

  2. adwbust says:

    Pls add detection and removal for this js downloader. It spreads through usb drives. It’s a 2/28/17 variant and only Avira detects it so far today 3/7/17!

    SubmissionId=27f0ab5a-cdd4-4ce4-9b0a-160ef2922dc3

  3. melissa says:

    My PC has fake Microsoft. I’ve had several malware detected pop-ups and had to shut down my computer. I’ve disabled my third party people but wonder how to know which websites are safe.

    1. Ed says:

      A “fake” Microsoft? Interesting….

      1. Baw says:

        I just fell for this scam n they got into my computer after 30 minutes I finally hung up phone. I unplugged my computer n modem. What can I do to fix this problem now?? Help

  4. adwbust says:

    The js is Bondat worm! Im upset MSE and WD dont detect it! Clicking the file shortcuts in usb drive and running bat file to execute js should trigger something damnit! Do something!

  5. adwbust says:

    The js is Bondat worm! MSE and WD dont detect it! Clicking file or folder shortcut that runs bat file in usb drive root to execute js file should trigger something (engine, sig, monitor) damnit! Do something MMPC!

  6. WILLIAM says:

    I have had this on my pc for ages, it wasn’t until I did a deep scan it was noticed, the page does not let you move on, I knew it was fake but it came up every time I used the browser, can nothing be done about these? some poor person is going to get petrified by this intrusive message and will call them up..

  7. adwbust says:

    Hey, thanks MMPC for adding detection for that bondat worm.

    These bondat js are detected as nemucod. Pls correct naming and detect lnk and bat files as well. Pls consider my suggestion included in the submission.

    SubmissionId=0fa63e84-7909-47cf-a517-84ffb5bf714d

  8. adwbust says:

    I have submitted so much undetected PUA samples but none of them are getting analysed! I dont login when submitting but I enter Outlook email in Name field. That should be enough to link submission to MS account! Not all can login before they submit since usually they submit using infected PC! Have some common sense MMPC!

    Possibly prepscram

    SubmissionId=6bb65b4f-d32c-4cd3-b74c-a9e07e147938

  9. adwbust says:

    Lol that prepscram-like exe is now detected as Win32/Fuery. I guess thats just basic cloud “hash” detection by DSS. There’s refreshed variant served by link I gave and it’s not detected. Hmm.

  10. Doug says:

    I just got this a little while ago, I know about these fake messages. I simply go to my TASK MANAGER and right click explorer to “end task”. I then had MICROSOFT DEFENDER scan “C drive”, DEFENDER found it and it was removed.

    1. marine1842 says:

      I do the same process as “Doug”. I open the task manager and delete the bad guys with the end task command… I have also found that some resist the ‘End Task’ command, in that case I hard boot the PC.

  11. adwbust says:

    Salamat MMPC hehe 🙂

  12. Jamey says:

    Wow. Are they ignorant or what? Can’t they use Segoe UI for every text? And why they used a lousy screenshot of Chrome 52 on Windows 8? And those typos…

  13. Patrick Tawil says:

    Thank you. Very well detailed & helpful

  14. M says:

    That’s not the full extent of the scam. People who are not familiar with the schemes and call the phone number will then be instructed to download a remote tool, once the scammer remotes into the machine, they will run the terminal by typing cmd, then run the command Tree, explaining that he’s running a scan. While that’s running listing all directories and files, the attacker will write a message that shows up at the bottom that says infected files found, or some other message designed to cause the victim to pay the attacker monies to fix the problem. Once the scammer remotes into the computer they do all sorts of damage, like running syskey, disabling services, deleting all the restore points, etc.. Once the scammer gets the money, the victim is left with a crippled machine. The scammers use any number of remote tools, Teamviewer, Showmypc, GotoAssist, etc..

    Tech Support Scammer | Gets mad and attempts to put Syskey on VM
    watch?v=PjSKZm_pdcE

    Microsoft Tech Support Scammer gets RickRolled
    watch?v=Uelf3Bxj2Os

    Showing a Tech Scammer his IP and Location
    watch?v=G8wg6Ud4g0M

    1. Sally says:

      Similar to M’s 3/20/17 comment, happened yesterday — a laptop I’d had 2 days (probably clicked accidentally on an ad, which I used to have blocked). Popup, can’t remove, call Microsoft tech to clean the Trojan-like virus; allowed remote access, gave credit card info; Indian accents; watched as they removed my ESET altogether, against specific instructions. Various clues accumulated until it dawned this was a scam, too late. Immediately afterwards I had my credit card # changed, so their charge won’t go through. Then reported it to Microsoft (had to do a search for a phone #!) and to the FBI. The scammers said they were Global Tech Solutions, 1-866-211-0790, a MSN subcontractor, Microsoft certified techs, and that the charge on my credit card stmt wd read Wish Your Deals. But when they were “cleaning” the “corrupted” files they sent 2 emails from my email, to headstore@abestbrand.us, authorizing use of my credit card, with my name and address but fake SSN. I’ve reinstalled my ESET, uninstalled the security programs they installed (e.g., Ad Block Plus, CCleaner). It’s hard to find from MSN whether these techs are legit, had to do a search to find a tel.#. Had to learn about the scams from here & articles online not normally read by us technologically-challenged folks.

  15. Michael says:

    I started getting these alerts when I was checking out Viooz.com, it always tries to open some other website thing, or gives me that fake Microsoft alert page, I just click esc, and can close it after that, it always goes into fullscreen mode, and is very annoying. I run Windows Defender, it not only finds them, I had several found, it also removes them, but, the process is slow.

  16. Ed says:

    Someone I know got hit yesterday. Further compounded the issue by googling McAfee “support” and got someone not from McAfee. [I would assume the person has McAfee for AV]. This happened in Edge. Unfortunately if hit with this crud, can’t reset Edge by opening it.
    Internet Options in the Control Panel only works with IE, not Edge. Easy to tell someone how to reset IE. But Edge? Only thing I found is a PowerShell command that isn’t easy to tell a novice what to do.

    1. Billie Fink says:

      This scam hit me earlier this month. I had seen it before, but managed to get out of it? Not this time. I am 71 now, a bit more forgetful. I heard the night before on local news, “Seniors beware phone and computer scams.” I knew NOT to phone, but I did from a temp. phone, not my phone. They asked to remote in, I said NO way, just tell me how much $$ do you want to release my old PC? He did get into my computer without me touching anything. I saw my mouse pointer moving… I asked how did you get in, he said I am Microsoft tech, that’s how we help you. I saw a screen with my email accounts and my pw. visible. He said what do you see? I said nothing. He said he could fix a few problems but I had 1200 bad files; he could put a rush on it, put 30 other tech guys could help out for $100.00. I don’t have it, he said, your files and pictures. I am old, my photos are my dead relatives, I am in bad health so I don’t care. No ransom here. He said, IF you can get $ in next hr. call this #, not the 1st #. He told me an American name. I ph. the 2nd #, a different guy, I told him what I thought of scammers, I was crying. Man said, Mam, your computer is fine, you’re right, it is a SCAM, I will help you. He said watch your screen, he started doing things remotely, and my McAfee did not warn me of anything. I asked why was he helping me for free. He said scammer went too far, not supposed to terrify me, just scare me a little. He told me he has a grandmother also. He spelled his real name, and said he was sorry. I found one scammer with a conscience.

      1. got suckered today says:

        Today I got this on my screen and fell for it, although I was wary. They did get into my computer, now I wonder how much damage they have done and what have I exposed my emails and contacts to. I am very upset about having believed this. How much damage did they do if they had me remotely for over 90 min?

  17. scott says:

    I did a full scan with defender, found the issues, which is the one this post is about, cleaned the virus, then deleted the virus all through defender. Yet when I click on Microsoft edge is happens again.
    Interestingly It does not impact Microsoft explorer.
    How do I remove this once and for all?
    This is the location on my laptop if that helps. PS – I am NOT a techie.

    file:C:\Users\scott\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\R0A8NEJ8\chrm[1].htm

    Thank you,

    1. Ed says:

      Edge and IE are made differently. Unsure if they share anything.
      You can tell since Internet Options in the CP has nothing to do with Edge.

    2. Robin says:

      Same here. It appears to be gone after cleaning using Defender, and after rebooting and rescanning. However, as soon as I open Edge again it is there. Does not seem to affect Chrome. Any other suggestions would be welcome!

  18. Jerry Barton says:

    Thank you for helping me, this has been a recurring problem and I hope this has fixed it!

  19. james simms says:

    The first time I saw this I called that number and got their routine. They wanted $200 for protection. Glad I didn’t pay for it.

  20. Peter B says:

    I also have just had this support scam invade my Google Chrome browser. I also have Firefox, which was affected by multiple pop-up windows. I was foolishly tricked by the scammers to call them, to which I allowed them to go into my computer to fix the problem, claiming I got the virus from going to adult websites and I had several hackers from Russia, China and Italy stealing my identity etc. Then to fix it he wanted to install software to fix it costing me $350, I declined, then the price went down, suggesting I purchase a post office Visa debit card to pay, and I was unable to turn my computer off. I said I would call back after I thought about it. I found that then my Windows Defender antivirus had picked him up and I deleted it.

  21. ALISON HILL says:

    I’m also getting this & my partner, neither of us are computer wizards & I know this may sound a bit lame, but any advice would be great 🌸 I have a Lenovo ThinkPad & my partner has my old Toshiba Satellite Pro. Thanx guys 🌸

    1. Peter B says:

      Run your Windows Defender on deep scan, it may take several goes to get it, then you will get a big red warning -clean your PC- run this and it will remove it as it is buried in your cache, and also uninstall your infected browsers, and if you like give the scammers a call on their supplied ph-number and have a listen to what they have to say, but act as if you are unaware of the scam and don’t give them any information on who you are or allow them to get into your computer. They will make claims that you will be unable to turn off your computer and that Windows Defender is useless -it’s all lies and a con. You will hear in the background office noises [all fake]. Ask them about the cost to fix the so called hackers in your computer, tell them you will think about it and hang up [it’s interesting to hear just how professional they sound- it’s very convincing], good luck

  22. BlakeBaker says:

    I simply got this somewhat whereas agone, i do know concerning these pretend messages. I merely visit my TASK MANAGER and right click explorer to “end task”. I then had MICROSOFT DEFENDER scan “C drive”, DEFENDER found it and it absolutely was removed.

  23. Sharon says:

    This scam shut down both my laptops in the same week. I did not call the numbers because I could clearly see it was a not so good screenshot. The voice kept saying over and over to call the number, or I would lose my computer. I agonized for six hours and then ran my McAfee scan which found nothing. I googled looking for ways to fix it myself but nothing worked. Guess what? I pressed escape and lo and behold there was a pop up that asked if I wanted to close all tabs, which I did, and it was gone! Good riddance! Now, about an hour later a woman with an Indian accent called to help me with my Microsoft problem saying she is with Microsoft. I have no idea how she acquired my number but when she phoned, my son answered and totally wasted her time for over an hour. I wish I had recorded it because he was so funny I was laughing/crying.

  24. Baw says:

    I just fell for this scam and finally hung up the phone after 30 minutes, they gained access to my computer once I hung up phone I unplugged my computer n my modem!! How can I fix this problem now?

  25. Dennis says:

    Thanks, it’s useful, but obviously only focused on one type of adware which drives unsuspecting users into the hands of the scammers.

    There’s an entire world of webspam supported industry which uses black-hat SEO in order to get ranked highly on Google and Bing for very targeted search queries.

    They build link networks across their websites and manipulate search engines. And very successfully!

    Here’s a breakdown containing their techniques, examples of targeted companies, scam phone numbers, and how to avoid dialing the wrong number: https://fatsecurity.com/article/tech-support-scam

  26. Kathy says:

    I received this scam today and was unaware and was on Google Chrome. I foolishly fell for it. When I realized I was being scammed I immediately ended the call and removed the access to my computer by going to my control panel and also removed the Chrome browser. I am now scanning my computer. I will always use Microsoft Edge. Hoping this does the trick to remove any spyware they might have installed.

  27. Kathy says:

    please let me know if you get an answer. I did the same

  28. Janet Sweeny says:

    We still have the offender on MS Edge. We got every malware, virus thing and scrubber named to get. It is still there. I did copy a plan that may work. We have not tried it yet. It told the user to open a Google page on a new tab in Edge. Then click on the “X” and disable the offending page. We’d give it a try when we have the time to do it.

  29. Bob Lucian says:

    I am an 81 year old man not used to working with computers…. the information above is WAY over my head…. You believe you are dealing with Computer savvy people….. May be in some cases but, generally you are dealing with people with a little computer knowledge & skill….

  30. Karissia says:

    Help! I’m the dummy that fell for the scam. I was working online using MS Edge and my son started pressing keys on my laptop. The screen popped up and I couldn’t exit out. I called the number and after about 15 minutes, I realized that it was not Microsoft, but not before they got access to my computer. Once I realized it, I tried to close everything out and they kept stopping me. I shut the computer off and unsynced my accounts and devices and started changing all my passwords (using a device that was not on at the time). I’m freaking out and don’t know what else to do. I’ve run a virus scan, but nothing was detected. Please help!

  31. Steven C. Bennett says:

    Yesterday, I got this similar popup from “Microsoft”, saying my laptop was a victim of a “zyka virus” (or something like that). It took over my screen (I use Google Chrome). The number of the “support staff” as provided to call was 1-888-571-3141. After this “warning” wanted me to enter my name, email name, etc., I stopped and tried to call the number. The man who answered had what I perceived as an Indian accent. I asked them if they were really from Microsoft, and when I said I want to make sure this is not a scam, they quickly hung up.
    To get rid of this bad popup, as I have had to do on other occasions, I shut down the PC, unplugged it and the battery, waited about 30 seconds, and restarted my PC. The “warning popup” did not return.

  32. RD says:

    This scam almost had me. I called the so-called tech support, talked to a guy named “John” with a clearly Indian accent (so, I thought). When he mentioned a software I should purchase which I thought was too expensive, he continued to try to convince me to buy the slightly cheaper version. He had control of my screen. As he kept talking, I started to doubt him and told him I can’t afford the software he was telling me to buy. Then he kept insisting. But I was convinced already that it was a scam. So I put down the phone and turned off my computer. But when I turned on the computer again, the pop-up opened again. But I found a way to close it. Sadly though it still comes up every now and then, like just a few minutes ago. Turned off the computer again. Started it and opened a private browsing window so it won’t come up again. Searched for the offending site and deleted it from the history. I hope Windows and other browsers will find a way to block sites like these tech support scams.
