It’s become a depressingly predictable feature of modern Internet browsing: You’re clicking on a Google link to a well-known site – and suddenly a message pops up, warning that your computer might be at risk and to call a number for “technical support.”
Regular ITBusiness.ca readers, of course, aren’t about to call one of those numbers, but Argentinian researcher Manuel Caballero has discovered how the legitimate Microsoft SmartScreen warning page displayed by Microsoft Edge, the Windows 10 browser, could be made to deliver such a message simply by crafting the right URL.
Here’s the default screen, triggered by accessing Microsoft Corp.’s own malware test page:
However, as Caballero noted, the URL at the top obviously doesn’t match the content being displayed, which led him to dig for – and, after some trial and error, discover – the actual URL for the warning page:
ms-appx-web://microsoft.microsoftedge/assets/errorpages/BlockSite.htm
As Caballero acknowledges, typing that URL directly into the address bar will simply call up your default search engine. But getting around that involves only rudimentary coding, and reading Caballero’s sample changes, it’s easy to imagine how programmers could fool Edge into displaying a block warning for a legitimate website.
Step one: replace the period in “.htm” with its hexadecimal ASCII code, 2E, written in URL percent-encoding:
BlockSite%2Ehtm
Using the encoded character instead of the literal period lets a programmer append whatever fragment (the text after a “#”) they want to the original link, including a URL – something as innocuous as Facebook, for example:
window.open("ms-appx-web://microsoft.microsoftedge/assets/errorpages/BlockSite%2ehtm"+
"#http://www.facebook.com");
“So we can now open a very ugly webpage with a spoofed URL,” Caballero writes. “But BlockSite.htm is getting a couple of arguments (BlockedDomain and Host) from the location.search. Let’s use them!”
Which brings us to step two: in the code below, Caballero sets “BlockedDomain” to “www.facebook.com” and “Host” to “Technical Support Really Super Legit CALL NOW” followed by “800-111-2222”:
window.open("ms-appx-web://microsoft.microsoftedge/assets/errorpages/BlockSite%2ehtm?"+
"BlockedDomain=facebook.com&Host=Technical Support Really Super Legit CALL NOW\:"+
"800-111-2222#http://www.facebook.com");
“As a bonus, when we place a telephone-like number, a link is automatically created so the user can call us with a single click,” Caballero notes. “Very convenient for these scammers.”
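The two steps above amount to one recognisable pattern: Edge’s internal error page reached through the ms-appx-web scheme, with the “.” in the file name percent-encoded to slip past the address-bar check, plus a query string and fragment that supply the fake content and the spoofed address. The detector below is an added example (not Caballero’s code, and not anything Microsoft ships) that normalises the percent-encoding before comparing the path, so “%2E” and “%2e” no longer hide the page, and then pulls out the spoofed address, the BlockedDomain and Host values, and any phone-like number. The sample URLs are reconstructed from the two window.open snippets quoted above, together with two constructed benign controls.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Internal Edge error page named in the article. Reaching it with a query
# string or a fragment is the signature of the spoofing trick.
EDGE_HOST = "microsoft.microsoftedge"
EDGE_BLOCKSITE_PATH = "/assets/errorpages/blocksite.htm"

# North-American style numbers such as 800-111-2222 (constructed pattern).
PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")

# Constructed sample: the two URLs from the article's snippets plus two
# benign controls (an ordinary website and the bare internal page).
SAMPLE_URLS = [
    "ms-appx-web://microsoft.microsoftedge/assets/errorpages/BlockSite%2ehtm"
    "#http://www.facebook.com",
    "ms-appx-web://microsoft.microsoftedge/assets/errorpages/BlockSite%2ehtm?"
    "BlockedDomain=facebook.com&Host=Technical Support Really Super Legit CALL NOW:"
    "800-111-2222#http://www.facebook.com",
    "https://www.facebook.com/",
    "ms-appx-web://microsoft.microsoftedge/assets/errorpages/BlockSite.htm",
]


def analyze_url(url):
    """Return None for an ordinary URL, or a dict describing a spoofed
    SmartScreen block page built on the BlockSite.htm trick."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ms-appx-web":
        return None
    # Decode percent-encoding first so BlockSite%2Ehtm, BlockSite%2ehtm and
    # BlockSite.htm all compare equal: the encoding is the evasion step.
    path = unquote(parts.path).lower()
    if parts.netloc.lower() != EDGE_HOST or path != EDGE_BLOCKSITE_PATH:
        return None
    if not parts.query and not parts.fragment:
        return None  # plain internal navigation, nothing spoofed
    params = parse_qs(parts.query)
    host_text = params.get("Host", [""])[0]
    return {
        "spoofed_address_bar": parts.fragment,
        "blocked_domain": params.get("BlockedDomain", [""])[0],
        "host_text": host_text,
        "phone_numbers": PHONE_RE.findall(host_text),
    }


def scan(urls):
    """Run analyze_url over a batch and keep only the positive findings,
    each paired with the URL that produced it."""
    return [(u, r) for u in urls if (r := analyze_url(u)) is not None]


if __name__ == "__main__":
    for url, finding in scan(SAMPLE_URLS):
        print("SPOOFED BLOCK PAGE:", url)
        for key, value in finding.items():
            print(f"  {key}: {value}")
```

The check deliberately keys on the decoded path and the presence of a query or fragment rather than on the exact phone number or wording, since those are the parts a scammer changes from campaign to campaign; a proxy or endpoint script filter can apply the same function to any ms-appx-web URL it sees in page scripts.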
Over at Internet security firm Bitdefender’s news site, Hot for Security, contributor Graham Cluley connects the dots for readers, showing which parts of Caballero’s code would be displayed, and where.
“If a scammer was to exploit this bug they would be able to display native, legitimate-looking warning messages that would be more likely to trick unsuspecting computer users into believing their computer was at risk and making poor decisions,” Cluley writes.
See the results for yourself:
When contacted about the vulnerability, a Microsoft spokesperson told ITBusiness.ca in an email that “Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible.”
“Our standard policy is to provide solutions via our current Update Tuesday schedule,” the spokesperson wrote.
Though Bitdefender’s Cluley thinks it likely that Microsoft will fix this vulnerability in the future, it remains a potent illustration of the lengths technical support scammers will go to when attempting to fool unsuspecting users. And while you might be too savvy to fall for their tricks, he notes, that doesn’t mean your friends, family, and colleagues are.