Microsoft Edge's malware alerts can be faked, researcher says

Fiddle with a URL and you can pop up and tell users to do anything


Technical support scammers have new bait with the discovery that Microsoft's Edge browser can be abused to display native and legitimate-looking warning messages.

The flaws exist in Microsoft's Edge protocols ms-appx: and ms-appx-web:, which the browser uses to present warning messages when phishing or malware delivery sites are located.

When Edge detects suspected malicious sites, it colours them red with a feature called "SmartScreen."

Buenos Aires security tester Manuel Caballero says scammers can create warnings that replace the SmartScreen text and phone numbers, indicating that a nominated site, which is also displayed in the address bar, is infected.

"When we place a telephone-like number a link is automatically created so the user can call us with a single click - very convenient for these scammers," Caballero says.

By altering URL characters and appending a hash and a URL of a legitimate-looking site, a technical support scam page can be forged that is much more convincing than the deluge of fake Android and blue screen of death pages common to torrent sites.

window.open(
  "ms-appx-web://microsoft.microsoftedge/assets/errorpages/BlockSite%2ehtm?" +
  "BlockedDomain=facebook.com&Host=Technical Support Really Super Legit CALL NOW\:" +
  "800-111-2222#http://www.facebook.com"
);

Caballero found some of the Edge assets could be loaded directly through the address bar, albeit with errors, such as ms-appx-web://microsoft.microsoftedge/assets/errorpages/PhishSiteEdge.htm, while others would fail and perform a Bing search on the URL instead.

The Edge proof-of-concept.

Those errors could be avoided by changing a single character in the URL, and the displayed address could be changed to a legitimate site by appending a hash. ®
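
A defensive check for the URL shape described above, as an added example that is not from Caballero's write-up or from Microsoft. It inspects an already-resolved URL string (for instance from proxy or browser telemetry); the function names, finding labels and the phone-number pattern are assumptions made for illustration.

```javascript
// Added example: flags resolved URLs that match the spoofing pattern in the article.
// Percent-encoded letters, digits, "-", ".", "_" or "~" never need encoding, so
// finding one in a path (such as "%2e" for ".") suggests a character was altered.
const ENCODED_UNRESERVED =
  /%(?:2[DE]|3[0-9]|4[1-9A-F]|5[0-9A]|5F|6[1-9A-F]|7[0-9A]|7E)/i;
// Assumed heuristic for "telephone-like" text: a run of at least 8 digits/separators.
const PHONE_LIKE = /\+?\d[\d\s().-]{6,}\d/;

function inspectEdgeAssetUrl(raw) {
  const m = /^(ms-appx(?:-web)?):\/\/([^\/?#]*)([^?#]*)(?:\?([^#]*))?(?:#(.*))?$/i
    .exec(String(raw).trim());
  if (!m) return null; // not one of the two schemes named in the article
  const [, scheme, host, path, query = "", fragment = ""] = m;
  const findings = [];
  if (/\/errorpages\//i.test(path)) findings.push("error-page-asset");
  if (ENCODED_UNRESERVED.test(path)) findings.push("encoded-unreserved-char-in-path");
  // Any parameter whose decoded value carries a phone-like string is reported by name.
  for (const [name, value] of new URLSearchParams(query)) {
    if (PHONE_LIKE.test(value)) findings.push(`phone-number-in-parameter:${name}`);
  }
  // A hash holding a full URL is what makes the address bar show a trusted site.
  if (/^https?:\/\//i.test(fragment)) findings.push("url-in-fragment");
  return { scheme: scheme.toLowerCase(), host, path, findings };
}

// An error-page asset plus at least one other signal is treated as a likely spoof.
function looksLikeSpoofedWarning(raw) {
  const r = inspectEdgeAssetUrl(raw);
  return r !== null && r.findings.includes("error-page-asset") && r.findings.length > 1;
}

// Sample inputs: the two URLs quoted in the article plus one constructed benign URL.
const SAMPLES = [
  "ms-appx-web://microsoft.microsoftedge/assets/errorpages/BlockSite%2ehtm?" +
    "BlockedDomain=facebook.com&Host=Technical Support Really Super Legit CALL NOW:" +
    "800-111-2222#http://www.facebook.com",
  "ms-appx-web://microsoft.microsoftedge/assets/errorpages/PhishSiteEdge.htm",
  "https://example.com/help?phone=800-111-2222", // constructed, ordinary web URL
];

for (const url of SAMPLES) {
  const r = inspectEdgeAssetUrl(url);
  console.log(looksLikeSpoofedWarning(url) ? "ALERT" : "ok", r ? r.findings : "(other scheme)");
}
```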


Biting the hand that feeds IT © 1998–2020