Of late there has been a spate of complaints from users reporting that they are being shown a Windows support notification asking them to call a toll-free number to address malicious Spyware/Riskware detected on their computer.
THIS IS A FAKE MICROSOFT WINDOWS SUPPORT SCAM. DO NOT CALL.
To date we know of a couple of ways you could be infected.
1. Google Search
Apparently, scammers have managed to get through the various levels of Google Ad vetting and have gotten Google Search to display their malicious ad. Scammers are targeting high-volume sites such as Amazon. When you click on the ad for Amazon, they redirect you to the website that displays this scam.
Typically, this ad does not infect your computer. However, we cannot say that it will not in the future.
What should you do if you get infected via Google Search?
- Leave that specific browser window alone. It is best not to click on any browser window at all. Most importantly, do not attempt to close the affected browser window or click any button within that window.
- Close as many applications as you can without touching the affected browser window.
- If you can, shut down the computer from the Start button. If Windows prompts you that some application is preventing a shutdown, elect to Force Shutdown. If you cannot shut down gracefully, just crash the computer by powering it down.
- When you turn the computer on again, check the browser again. Do not search for Amazon in Google and then click on it. Type amazon.com in the URL bar.
To the best of our knowledge, it should not appear again. If it does come up again, shut down your computer and inform Service.
In the future:
When you search for something in Google and both paid (identified by ad) and unpaid indexed results exist, elect to click on the unpaid indexed result.
2. Infected website
In this scenario, you browse to an infected website. The website first displays a page informing you that your computer is infected with the “Zeus Virus” and then redirects you to the fake Microsoft Support site. It additionally makes registry hacks to spoof a genuine secure Microsoft URL; even the SSL lock symbol is displayed. See the image below, in which the secure site indicators are identified.
- It is not yet clear if the user clicked on something for the registry changes to take place.
- To date we do not have any reports of additional malicious software such as ransomware being installed.
What should you do if you get infected via an infected website?
- Power down your computer forcefully by pressing the power button till it shuts down. You will lose all unsaved work and your computer may become inoperable. Since it is unclear whether user interaction is required to download the registry hack, and we do not know whether anything more malicious is piggybacked onto the download, we believe this is the safest method.
- Restart the computer. The computer may warn you that the previous shutdown was unexpected and provide you with multiple boot options. Select Boot normally.
- Do not open any other applications. Just browse the internet to sites you normally go to, as well as some other sites such as Google News.
- If the infection remains, shut down the computer and inform Service.