Cyble-Windows-Defender-Scam

Massive Tech Support Scam Exposed

Fake Windows Defender Alerts weaponized to target users

A tech support scam is an extensive fraud where the scammer offers a support service for any legitimate entity and lures the victim into contacting the scammer via a fake support helpline number. After contacting the helpline, the scammer gains access to the victim’s machine and can perform activities such as fraudulent transactions, stealing sensitive data, etc.

Recently, Cyble Research & Intelligence Labs (CRIL) identified a new ongoing tech support scam where the Threat Actor has developed various phishing websites that pretend to be Microsoft support sites that show a fake Windows defender alert.

We have observed over 50 phishing sites related to this scam since September 2022, and the related IP 68.178.145[.]199 is located in India. In the past, a study related to the scam found that 85% of IPs involved in tech support scams were located in India.

We believe the user may have received this phishing URL via email or SMS, similar to other tech support scams. When users visit this phishing site hxxp://7878winsupportonline[.]xyz, it opens various popups warning them that their computer has been locked and alerts users by playing an audio “important security message” until the user closes the fake website.

After opening the phishing site, it displays the “Quick Scan” pop-up and a fake scan stating that it has detected threats on the victim’s machine, as shown in the image below

Figure 1 – Fake quick scan popup

The phishing site also shows the fake Threat Scan result with the detection name, type of malware, object type, and location. The TA shows these fake results to victims to make them believe their machine has been compromised by multiple threats.

Figure 2 – Threat Scan result on phishing site

Further, the phishing site displays a pop-up window that states that the victim’s computer has been blocked due to illegal activity. Additionally, the site notifies victims that their computers have been infected with the Trojan spyware and sensitive data such as email credentials, banking passwords, Facebook login, pictures & documents have been compromised.

Figure 3 – Displaying fake alert window

To unlock the device and prevent identity theft, the phishing site advise the user to call a support technician and shows a “Windows Defender Security Center” pop-up that contains a support contact number, as shown below.

Figure 4 – Phishing site displaying the support contact number

Additionally, CRIL observed the tech support scam targeting iPhone devices as well. The phishing site hxxp://0044winsupportonline[.]xyz pretends to be an official Apple support website and shows the message that the device has been locked due to illegal activity. To unlock the device, the victim needs to contact the customer support number mentioned on the phishing site.

Figure 5 – Phishing site pretending to be an official Apple support website

After contacting the scammers, they gain access to the victim’s system using any third-party remote desktop application. They can then perform several activities, including performing fraudulent transactions and installing other malware such as RATs, stealers, or other unwanted programs that can steal sensitive data from the victim’s machine.

 Conclusion

Scammers are constantly developing new strategies and different campaigns to target potential victims. Our research indicates that scammers involved in tech support scams leverage the legitimacy of reputable firms such as Microsoft to lure their victims into calling what they believe is a customer support helpline. The scammers can then further steal sensitive data from the victim’s machine.

Typically, Windows Defender will only alert users via the installed Windows Defender application and not via a web browser.

Cyble Research & Intelligence Labs constantly monitors active phishing campaigns and keeps our readers updated with our latest findings about phishing and other types of data-stealing attacks.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. 
  • Regularly monitor your financial transactions, and if you notice any suspicious activity, contact your bank immediately. 
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile. 
  • Refrain from opening untrusted links and email attachments without verifying their authenticity. 

Indicators Of Compromise (IOCs)

IndicatorsIndicator TypeDescription
hxxp://0088winsupportonline[.]xyz/URLPhishing site
hxxp://0077winsupportonline[.]xyz/URLPhishing site
hxxp://0066winsupportonline[.]xyz/URLPhishing site
hxxp://0022winsupportonline[.]xyz/URLPhishing site
hxxps://4545winsupportonlinehelp[.]xyz/URLPhishing site
hxxp://0044winsupportonline[.]xyz/URLPhishing site
hxxp://7878winsupportonline[.]xyz/URLPhishing site
hxxp://8080winsupportonlinee[.]xyz/URLPhishing site
hxxp://7373winsupportonline[.]xyz/URLPhishing site
hxxp://3333winsupoortonlineget3333[.]xyzURLPhishing site
hxxp://7272winsupportonline[.]xyz/URLPhishing site
hxxps://7676winsupportonline[.]xyz/URLPhishing site
hxxp://7070winsupportonline[.]xyz/URLPhishing site
hxxp://7676winsupportonline[.]xyz/URLPhishing site
hxxps://7474winsupportonline[.]xyz/URLPhishing site
hxxps://6161winsupportonline[.]xyz/URLPhishing site
hxxp://6363winsupportonline[.]xyz/URLPhishing site
hxxp://6161winsupportonline[.]xyz/URLPhishing site
hxxp://7575winsupportonline[.]xyzURLPhishing site
hxxp://7474winsupportonline[.]xyzURLPhishing site
hxxps://5959winsupportonline[.]xyz/URLPhishing site
hxxp://6464winsupportonline[.]xyzURLPhishing site
hxxp://5555winsuppottonline[.]xyz/URLPhishing site
hxxp://5656winsuppottonline[.]xyz/URLPhishing site
hxxp://3434winsupoortonlineget3434[.]xyzURLPhishing site
hxxp://6262winsupportonline[.]xyz/URLPhishing site
hxxp://5151winsupportonlineget[.]xyz/URLPhishing site
hxxp://5353winsupportonlineget[.]xyz/URLPhishing site
hxxp://5858winsupportonline[.]xyz/URLPhishing site
hxxp://5050winsupportoninehelp[.]xyz/URLPhishing site
hxxp://5454winsuppottonline[.]xyz/URLPhishing site
hxxp://4949winsupportoninehelp[.]xyz/URLPhishing site
hxxp://5252winsupportonlineget[.]xyz/URLPhishing site
hxxp://4848winsupportonlineherk[.]xyzURLPhishing site
hxxp://4444winsupportonlinehelp[.]xyzURLPhishing site
hxxp://4646winsupportonlinehelp[.]xyz/URLPhishing site
hxxp://4747winsupportonlineherk[.]xyzURLPhishing site
hxxp://4242iossupportonlineios4242[.]xyzURLPhishing site
hxxp://4343iossupportonlineios4343[.]xyzURLPhishing site
hxxp://4040iossupportonlineios4040[.]xyz/URLPhishing site
hxxps://3030winsupportonline3030[.]xyz/URLPhishing site
hxxp://2929ioshelponlineios2929[.]xyz/URLPhishing site
hxxp://3232winsupportolnlineghets3232[.]xyzURLPhishing site
hxxp://3131winsupportolnlineghets3131[.]xyzURLPhishing site
hxxp://2727iossupportonlingegetios2727[.]xyzURLPhishing site
hxxp://2424ioshelponlinehekowios2424[.]xyzURLPhishing site
hxxp://9winsuuportoiblineghswin9[.]xyzURLPhishing site
hxxp://10winsuuportoiblineghswin10[.]xyzURLPhishing site
hxxp://9winsuuportoiblineghswin9[.]xyz/URLPhishing site
hxxp://8winsupportinonwgrtw8[.]xyz/URLPhishing site
hxxp://2ioshelotheisbsheibsios2[.]xyzURLPhishing site
hxxp://3iosheloproducttuoebsusios3[.]xyz/URLPhishing site
68.178.145[.]199URLIP address

 

Scroll to Top