Microsoft Edge’s security alerts vulnerable to tech support scam abuse

By: Jay Decenella

While Microsoft Edge is touted as more secure than Chrome and Firefox, the browser’s security alert is susceptible to technical support scam abuse. A security researcher has discovered a vulnerability in Edge that could let scammers display a fake security alert for any domain.

Manuel Caballero, who maintains the Broken Browser blog, found that scammers could also customize the text of the fake alerts to lure unsuspecting users into calling tech support numbers. The call center operators would then trick the victims into paying large fees.

Caballero noted that this kind of malicious campaign is nothing new. However, he acknowledged that scammers are refining their tricks to fool more users. He wrote in a blog post:

“They render red warnings or BSODs with fake messages and sometimes they even throw blocking alerts to prevent users from going away. When a user closes the alert box a new one appears, ad infinitum.”

Flaw exists in Edge’s SmartScreen security feature

Caballero said the security bug exists in Edge’s SmartScreen security feature, adding that the flaw is unique to Edge. SmartScreen detects drive-by downloads and phishing URLs and displays a security alert inside the browser window.

The warning messages reside in Edge’s installation protocols, ms-appx: and ms-appx-web:. Edge uses these protocols to show warning messages when the browser detects phishing or malware delivery sites.

The security researcher explained that the flaw not only allows hackers to extract the protocols and customize the warning messages, but also lets them fake the URL in Edge’s address bar. Scammers could also append a hash and forge a technical support scam page so that the spoofing appears authentic. As a result, unsuspecting users would think a website they visit is legitimate, when in fact it is being spoofed.

The vulnerability could serve as an effective tool for tech support scammers to mask their attack with a legitimate URL. Also, there’s currently no fix for the flaw, according to Caballero, who claimed Microsoft ignored his reports in the past.
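
As an added example (not from the original article or from Caballero's write-up), a defender reviewing captured page source could flag references to the two internal schemes named above and note whether a hash fragment is appended. The package name and paths in the sample are constructed placeholders, and the choice of attributes to inspect is an assumption.

```python
import re
from html.parser import HTMLParser

INTERNAL_SCHEMES = ("ms-appx:", "ms-appx-web:")      # schemes named in the article
URL_ATTRS = {"href", "src", "action", "formaction"}  # assumed set of URL-bearing attributes
JS_STRING = re.compile(r"""(["'])(.*?)\1""", re.S)   # quoted literals in inline scripts

def internal_scheme(value):
    """Return the internal scheme a URL-like string starts with, else None."""
    # URL parsers ignore tabs/newlines and surrounding whitespace; schemes are case-insensitive.
    cleaned = re.sub(r"[\t\r\n]", "", value).strip().lower()
    return next((s for s in INTERNAL_SCHEMES if cleaned.startswith(s)), None)

class SchemeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []        # (location, scheme, has_hash_fragment)
        self._in_script = False

    def _check(self, where, value):
        scheme = internal_scheme(value)
        if scheme:
            self.findings.append((where, scheme, "#" in value))

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        for name, value in attrs:
            if value and name in URL_ATTRS:
                self._check(f"<{tag} {name}>", value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:       # inspect string literals inside inline scripts
            for _, literal in JS_STRING.findall(data):
                self._check("script string", literal)

def scan(html):
    """Return every reference to an internal scheme found in the page source."""
    finder = SchemeFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; package name and paths are placeholders.
SAMPLE = """<html><body>
<a href="https://example.com/help">help</a>
<a href=" ms-appx-web://placeholder-package/placeholder.htm#constructed-text">x</a>
<script>
  var target = 'MS-APPX://placeholder-package/placeholder.htm';
  var ok = "https://example.com/#section";
</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```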
