At first it appears that the user was redirected to a Microsoft support web page, but upon exiting full-screen mode, it becomes clear the user never left the scam site. Image courtesy of Microsoft.

A new tech support scam website leverages deceptive visual elements to trick victims into thinking they have been redirected to a legitimate Microsoft support website, even though they actually never left the scam page.

The website, to which targets are redirected via malvertising, uses a script from the Techbrolo malware family to pull off the scam, according to a Microsoft Malware Protection Center blog post. Once the page loads, victims receive both an audio alert and a pop-up message that says their computer has been locked due to a virus infection, with a fraudulent technical support number they can call for help.

Clicking "OK" on the message opens what appears to be a second pop-up, as if the user is stuck in a never-ending dialogue loop (a common tech support scam tactic), but in this case the unwanted dialogue box is actually just a web element built into the page. Clicking "OK" on this element places users in full-screen mode and introduces yet another web element, designed to look like users have been redirected to the Chrome browser's version of the Microsoft support page. But it is actually still the scam site, despite what appears to be an address bar that reads "support.microsoft.com/ru-ru/en".

Indeed, exiting full-screen mode reveals the real address bar, which contains a malicious URL. "As this newly discovered support scam website shows, scammers are always on the lookout for opportunities to improve their tools," the Microsoft blog post reads. "They can get really creative, motivated by the possibility of avoiding security solutions and ultimately increasing the chances of you falling for their trap."