A recent Windows Security blog post from Microsoft revealed a new trick in a common form of internet scam: Fake tech support sites will now automatically launch a device’s phone dialer with a prompt to contact their “support team.”

Tech support scam websites, as Microsoft said in the post, used to rely on a loop of popups and browser lockups to fool users into thinking something was wrong. Most browsers now have the ability to prevent sites from creating more dialog windows, effectively stopping those kinds of attacks, so scammers have been forced to adapt.

This newly discovered scam has the potential to be devastating, especially as more people take to the internet to shop for the holidays. A single wrong click could have you paying for an expensive international call, or worse–it could have you falling for a scam that drains your bank account.

A simple script

Microsoft’s security team dissected the code used to cause the dialer popup, and it found a very simple piece of Javascript that doesn’t even contain the phone number–that’s specified by the scam site’s URL.

The simple, swappable nature of the script used to set up this new form of tech support scam points to it being a template. That means more and more sites using similar techniques are likely out there, or will be as the code continues to be sold on the black market.

SEE: Infographic: How to identify and avoid phishing attacks (TechRepublic)

Microsoft Security says it isn’t seeing a large number of these scams in the wild, which to it means the scam is new.

Tech support today, retail tomorrow?

Tricking computer users into calling tech support lines can be successful, but there are far more insidious uses for a scam template like this, especially near the holidays.

Phishing websites are nothing new, but if the average cybercriminal could convince you to call their “customer support” line while masquerading as the helpdesk for a legitimate retail website they could get you to fork over more than just your username and password.

Because this scam is so simple–copy the code, put a custom phone number into the URL, wait for victims to call–it could be repurposed for almost any kind of scam. It may have been tech support so far, but this is just one more reason to beware of legitimate-looking websites.

SEE: The Four Volume Cyber Security Bundle (TechRepublic Academy)

Microsoft’s biggest takeaway for users is that legitimate error messages don’t contain phone numbers, nor do legitimate support websites use frightening-looking messages to prompt users to call.

Want to be sure you don’t fall prey to a support line scam? Don’t click the number provided, and instead manually search for a support line from the company requesting your call, like Microsoft or Apple, so you can be sure you’re calling the real one.

The top three takeaways for TechRepublic readers:

  1. Microsoft has discovered a new form of tech support scam websites: They can now automatically open a dialer window with their phone number pre-populated.
  2. The code used to create this new form of support scam appears to be from a template, meaning it’s likely for sale somewhere on the black market. Watch out for the scam to spread, possibly from tech support to other industries like retail.
  3. Legitimate error messages don’t contain phone numbers. Never click on a dialer popup that you didn’t open yourself by tapping or clicking on a phone number.

Also see: