One easy way to quickly detect a Windows tech support scam is to look at the domain name that appears in the address bar of your browser. If you’re being told that Microsoft has found a problem on your computer and the address says something confusing like originifitsnormalpro.xys, you can be pretty sure someone’s trying to scam you.
When the scammers go full screen on you — as they do in a new campaign Microsoft is warning Windows users about — things get a little more complicated. At first glance, everything seems legit: the browser has that reassuring green button at the left that indicates the web page is secure and belongs to Microsoft. The address bar reads support.microsoft.com. The scary alert pop-up even shows “https://support.microsoft.com/ says:” at the top.
As Microsoft has noted, what you’re looking at is not a real browser window. It’s a full-screen webpage that’s pretending to be a browser — in this case, Google Chrome. For anyone not using Google Chrome as their default browser on Windows, the scam might break down right there.
Not everyone will notice details like the shape of the tabs, however… especially not when they’re focused on the scary alert in the middle of their screen. The full-screen window just provides a convincing backdrop for the real action.
Like other tech support scams, this one does its best to convince you that there’s really something wrong with your computer. The alert assaults users with warnings about very real malware: Zeus, a Trojan that’s been active since 2007; Banker.ID, which steals bank account information; and Trojan.FakeAV, a generic label that security software applies to bogus Windows antivirus programs.
And just like a good late-night “as seen on TV” pitch, the scammers try to create a sense of urgency. They tell you that your computer will be locked and blocked from the network “to prevent further damage.” To make sure you feel compelled to take action, they ask that you call in the next five minutes… just like the Sham-Wow guy so famously did.
Source: SANS ISC SecNewsFeed @ March 3, 2017 at 07:24AM