Tech support scams may be old hat, but scammers are constantly reinventing them. The latest involves a wave of phishing emails that have proven to be a powerful tool for hackers to trick and ultimately extract money from victims.
The Microsoft Malware Protection Center reported Monday it’s tracking an active phishing campaign that contain links to convincing websites that display pop-up messages with fake warnings and customer service hotline numbers.
“The spam emails with links to tech support scam pages look like phishing emails. They pretend to be notifications from online retailers or professional social networking sites. The suspicious links are typically hidden in harmless-looking text,” wrote Alden Pornasdoro, Jeong Mun, Barak Shein and Eric Avena, who co-authored the report.
They contend this method differs from typical cold-call tech support scams and web-based schemes. Criminals often use those to direct victims to malicious ads on dubious sites that spawn fake installers used to redirect traffic to bogus tech support sites prompting victims to call hotlines. Another classic scam includes malware such as Hicurdismos and Monitnev that display a fake BSOD or a phony error notification when an application crashes.
“The recent spam campaigns that spread links to tech support scam websites show that scammers don’t stop looking for ways to perpetrate the scam,” researchers said. “While it is unlikely that these cybercriminals will abandon the use of malicious ads, malware, or cold calls, email lets them cast a wider net.”
The tech support phishing email samples collected by Microsoft purported to be from Amazon, Alibaba and LinkedIn. Link redirects, embedded in text, trace to what researchers said were likely compromised URLs such as “love.5[redacted]t.com”, “s[redacted]t.com”, and “k[redacted]g.org” that were mostly hosting “typical support scam pages.”
“Some of these scam sites open full screen and mimic browser windows, showing spoofed address bars,” researchers warn. Microsoft warned of the full-screen style attacks in March, noting the malicious script used in the attacks belonged to the Techbrolo family of support scam malware.
Landing pages triggered pop-up messages with fake warnings for either malware infection, license expiration or a system problem. Warnings urged victims to call customer service hotline numbers.
“Some scams sites display countdown timers to create a false sense of urgency, while others play an audio message describing the supposed problem,” Microsoft said. Another tactic included spawning “pop-up dialog loops” that regenerated each time a user clicked “close”, disabling the browser.
If called, scammers posed as agents that attempted to trick users into paying for fake technical support.
“Tech support scams continue to expand and evolve. They are becoming multi-faceted and are arriving via several infection vectors,” Microsoft said.