Fake warning asking users to call a tech support number

UPDATE [May 10, 2017]: Microsoft patched the issue, again, in the May 2017 Patch Tuesday, but Caballero found another way to bypass the patch, hours later.

UPDATE [March 21, 2017]: Microsoft patched the issue discovered by Caballero in this month's (March 2017) Patch Tuesday. Nonetheless, the researcher says the patch is incomplete, and the issue is still exploitable. Original article below.

Manuel Caballero, the Web security expert behind the Broken Browser blog, has discovered that Microsoft Edge, the default web browser included with Windows 10, is affected by a vulnerability that allows a third-party to show fake warning messages for any online domain, such as Google, Facebook, or the other reputable brands.

Furthermore, crooks can also show custom text with these fake warnings, encouraging the victim to call tech support numbers where call center operators could trick them into paying unnecessary fees.

Caballero has even put together a demo page where anyone can generate their own fake warning message by entering the domain of their choice and the custom "tech support warning."

Bug found in Edge's SmartScreen security feature

According to Caballero, who described the vulnerability's technical ins and outs on his blog, this bug only affects Edge users.

The abused feature is SmartScreen, which ironically is one of Edge's most potent security features.

Microsoft says that SmartScreen can pick-up drive-by downloads and phishing URLs and show a warning inside the browser window, just like Google's Safe Browsing service.

In Edge, these "warning messages" are stored as assets inside the browser's installation folder.

Scammers can also spoof the browser's address bar

Caballero not only discovered a way to pull these assets and customize the domain and text that appears inside the warnings, but he also found a way to spoof the URL shown in the browser's address bar, so users think they're on the real domain.

This kind of bug is very valuable for tech support scammers, who can hide their malicious campaigns right behind an authentic URL.

This bug is currently unpatched. Caballero says that he reported several bugs to Microsoft in the past, but because the company has ignored some of his submissions, he did not report this one.

"I don't care what they say anymore," Caballero said on Twitter. "I post publicly so people can judge better."