Tech support scams online have one objective - to make victims believe that the message they are seeing is legitimate. To do this, perpetrators employ official-looking message prompts, like BSoDs and red warnings, while including telephone numbers so the cybercriminals can easily connect with victims and scam them out of their hard-earned money.
With this in mind, Michael Caballero, a web security expert, recently found a vulnerability in the Microsoft Edge browser that could allow scammers to abuse its web filtering feature to display fake warning messages for any domain. On his Broken Browser blog, he explains that the issue lies in SmartScreen, the Edge feature meant to protect users from malicious activity on the internet.
Within Edge, SmartScreen's warning messages are stored as "assets" inside the browser's folder. Through this, he found a way to customize the prompt. In the example above, tech support scammers can easily insert any information they want onto the message like a telephone number, and since it states that the website has been "reported" to Microsoft, the fake warning will seem legitimate.
Moreover, he discovered that the exploit can spoof the URL shown in the address bar, so affected users will believe they are on the real domain, which lowers suspicion. To demonstrate this, Caballero created a demo website where anyone can customize their own SmartScreen message and pick any website they want Edge to present as malicious and blocked. Reputable websites like Google, Facebook, and many others can be made to appear unsafe.
You can read more of the bug's technical details on his blog, which can be found here.
Finally, according to Caballero, this exploit is currently unpatched. He has no plans of reporting it to Microsoft, as the company has reportedly ignored his submissions before.
Source: Broken Browser via Bleeping Computer