Scammer’s dream: researcher finds vulnerabilities in Microsoft Edge browser

Online security and software’s resistance to hacking has always been one of the main priorities to the software’s developers. The need of sophisticated protection has increased drastically as the programming practices have become available to anyone, including the evil-minded parties as well. Today, the hackers may target practically anything — from the home appliances connected to the web via IoT,^[1] smart cars to large companies and their computer networks. Nevertheless, the primary focus of various scammers and online criminals are, of course, our personal computers. It is no secret that the biggest flow of such attacks reaches Windows operating systems.^[2] Being completely aware of this situation, Microsoft programming team has already issued a number of major updates for the Windows operating system and even released a new browser, promising the users the most reliable and secure service to this day. Unfortunately, a recent discovery made by an Argentinian security researcher Manuel Caballero has exposed a major flaw^[3] in the Microsoft Edge browser which may potentially be used to utilize some unlawful activities.

Dubbed by the researcher as a “scammer’s dream,” this Microsoft Edge bug is mainly related to the shortcomings of the SmartScreen functionality. Essentially, SmartScreen^[4] is an anti-phishing and anti-malware filter that, apart from Edge, is also built into the Internet Explorer and Outlook.com. This filter embedded in Windows versions 8 and 10 serves the purpose of protecting the user against drive-by downloads and other potentially dangerous content that might be promoted on the blacklisted websites. The automatic URL filtering allows the SmartScreen to block potentially dangerous sites and send the user back to the trusted domains safely. Nevertheless, Caballero has spotted that the text shown in these SmartScreen warning screens is modifiable. This means that if this functionality gets in the hands of some fraudulent third-parties, it may be altered to serve malicious purposes, for instance, to get users involved in Tech Support Scams. It turns out that such alterations are quite simple since the original warning messages are stored in the browser’s installation folder and can be modified there. So, instead of receiving the regular “This website has been reported as unsafe” message, you may suddenly start seeing alerts like “Your computer may be at risk” or “For emergency tech support call immediately^[5], accompanied by suspicious phone numbers. More importantly, using another vulnerability in the Edge code the scammers may also change the browser’s URL (also known as “URL spoofing”), making these errors seem as if they are occurring on completely legitimate websites, such as Facebook, Youtube or Google. Social engineering tricks and threats of private data leakage or destruction used in these bogus warnings only push the unsuspecting victims to give in to this trickery.

Caballero claims to have addressed Microsoft with this issue a couple of times, but the company still hasn’t patched the bug or issued any official statement informing the users about the potential danger. We can only hope that this issue will be fixed in the near future. In the meantime, stay vigilant, learn to recognize Tech Support Scams and avoid them.