Tech Support Scammers now use cloaking method to attack victims

Cybersecurity firm Malwarebytes Threat Intelligence warned about a malvertising campaign that exploits Google Ad to redirect potential victims into a Windows Support Scam site where Windows Support Alert is used to get the victim’s telephone number. The attackers are observed to display fake alerts from Windows Defender to request potential victims to contact Microsoft Support agents.

According to Malwarebytes the threat actor speculates the victim’s browsing behavior of searching any website and that is by using the website’s name rather than its URL on the address bar. The threat actor then displayed ad contents resembling the victim’s searched contents. However, when the victim clicks on the ad it redirects to a malicious website. The threat actors have managed to avoid web crawlers, bots, and VPN users and quickly gain access to the victim’s IP address. The threat actor has been observed to show legitimate content to Google while displaying different content to potential victims in this way they evade detection. The threat actor first confirms that the potential victim is actually a human and not a Google bot only then do they redirect them to the tech support scam page.

The threat actor is observed to perform two redirect operations, first is called a cloaking domain where the threat actor inspects whether to redirect to a legitimate web page or to the scam page. Only after confirming the victim’s status do they redirect to the malicious tech support scam page. Threat actors use the iframe which occupies 100% width and height of the page and displays the security alert from Windows Defender and it hides the suspicious URLs so that the victims only see .com domains. The victim is then connected to overseas tech support centers where the scammer requests the victim to download remote access tools like TeamViewer so that they can access the victims’ devices.

In view of this Microsoft Support scam recently Microsoft issued a statement to aware users of the recent advent of tech support scams. They said, “Tech support scams are an industry-wide issue where scammers use scare tactics to trick you into necessary technical support services to supposedly fix device or software problems that don’t exist. At best, the scammers are trying to get you to pay them to “fix” a nonexistent problem with your device or software. At worst, they’re trying to steal your personal or financial information; and if you allow them to remote into your computer to perform this “fix,” they will often install malware, ransomware, or other unwanted programs that can steal your information or damage your data or device.” Microsoft has also provided detailed instructions on how tech support scams work and how to protect against them. The tech giant has clearly mentioned, “Microsoft does not send unsolicited email messages or make unsolicited phone calls to request personal or financial information, or to provide technical support to fix your computer. If you didn’t ask us to, we won’t call you to offer support.” They have also instructed the users to run a Windows Update to be secured.