Physical Address
Lesya Kurbasa 7B
03194 Kyiv, Kyivska obl, Ukraine
Security researchers have identified a widespread tech support scam targeting Windows users through fake Microsoft Defender alerts displaying “Error: Ox800VDS” messages. This social engineering scheme attempts to trick victims into calling fraudulent support numbers, potentially leading to financial losses, data theft, and malware infections. Our analysis reveals how this increasingly common scam operates and what steps users can take to protect themselves.
Attribute | Details |
---|---|
Threat Type | Technical support scam, phishing, social engineering |
Affected Platforms | Windows operating systems, primarily targeting Edge and Chrome browsers |
Distribution Method | Malicious websites, compromised websites, deceptive advertisements |
Impersonated Service | Microsoft Windows Defender, Microsoft Support |
Data at Risk | Microsoft credentials, banking information, remote access to device |
Fake Support Numbers | +1-855-904-3444, +1-855-200-1145, +1-866-808-0768, and others |
Threat Level | High |
IoC Type | Value | Notes |
---|---|---|
Phone Numbers | +1-855-904-3444, +1-855-200-1145, +1-866-808-0768 | Primary contact numbers displayed in scam popups |
Domain Pattern | *-microsoft-support.*, *-windows-security.*, *-defender-alert.* | Common patterns in fraudulent domains |
URL Pattern | /security/defender/alert/ox800vds/, /windows/error/0x800vds/ | Common URL paths in attack websites |
JavaScript Indicators | window.addEventListener("beforeunload", preventClose); disableBackButton(); | Scripts used to prevent browser navigation away from scam page |
Remote Access Tools | AnyDesk, TeamViewer, UltraViewer | Legitimate tools abused by scammers for remote access |
Error Code | Ox800VDS | Distinctive fake error code not used by Microsoft |
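The domain and URL-path patterns in the table can be checked against proxy or DNS logs. The following is an added example, not code from the original analysis; the sample URLs are constructed and the function names (`matchIocs`, `scan`) are hypothetical.

```javascript
// Added example: match URLs against the domain and path IoCs listed in the table.
const DOMAIN_GLOBS = ["*-microsoft-support.*", "*-windows-security.*", "*-defender-alert.*"];
const PATH_IOCS = ["/security/defender/alert/ox800vds/", "/windows/error/0x800vds/"];

// Convert a hostname glob to an anchored, case-insensitive regex ("*" = one or more chars).
function globToRegex(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".+");
  return new RegExp("^" + escaped + "$", "i");
}
const DOMAIN_RULES = DOMAIN_GLOBS.map((glob) => ({ glob, re: globToRegex(glob) }));

// Percent-decode a path without throwing on malformed escapes.
function safeDecode(path) {
  try { return decodeURIComponent(path); } catch { return path; }
}

// Return the IoCs a URL matches; an unparseable URL yields parsed: false and no hits.
function matchIocs(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return { url: rawUrl, parsed: false, hits: [] }; }
  const hits = [];
  for (const { glob, re } of DOMAIN_RULES) {
    if (re.test(url.hostname)) hits.push("domain:" + glob);
  }
  // Normalise case and trailing slash so "/0x800VDS" and "/0x800vds/index.html" both match.
  const path = safeDecode(url.pathname).toLowerCase().replace(/\/+$/, "") + "/";
  for (const ioc of PATH_IOCS) {
    if (path.includes(ioc)) hits.push("path:" + ioc);
  }
  return { url: rawUrl, parsed: true, hits };
}

// Constructed sample URLs (reserved .example/.test names), as if pulled from a proxy log.
const SAMPLE_URLS = [
  "https://pc-windows-security.example/windows/error/0x800VDS",
  "https://cdn.shop.test/security/defender/alert/ox800vds/index.html",
  "https://support.microsoft.com/windows/error/",
  "https://help-microsoft-support.example/",
  "not a url",
];

// Keep only the entries that matched at least one IoC.
function scan(urls) {
  return urls.map(matchIocs).filter((r) => r.hits.length > 0);
}

for (const r of scan(SAMPLE_URLS)) console.log(r.url, "->", r.hits.join(", "));
```

The two path IoCs differ in their first character (letter "O" versus digit "0"), so both are kept as separate entries rather than collapsed into one.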
This sophisticated tech support scam mimics Windows OS graphics and the Microsoft Defender interface to create a convincing illusion of a legitimate security alert. The attack progresses through several distinct stages:
Attack Stage | Description | Technical Details |
---|---|---|
1. Initial Access | Users encounter the scam when visiting compromised websites, clicking malicious advertisements, or being redirected through a chain of suspicious sites | Often uses iframe injection in legitimate but compromised sites, or malvertising campaigns |
2. Fake Scanning Animation | The scam page displays a convincing replication of the Microsoft Defender interface, complete with a fake scanning animation | Uses CSS animations and JavaScript setTimeout() to simulate scanning process |
3. Error Alert Display | Multiple pop-up windows appear with alarming messages, the primary one showing “Error: Ox800VDS” and claims about infected files | Uses window.alert() and custom modal dialogs with setTimeout() for sequencing |
4. System Lock Claim | A prominent pop-up states that the operating system has been locked due to “unusual activity” | Often implements browser fullscreen API requests and navigation interference |
5. Credential Harvesting | Users are urged to sign in with Microsoft credentials to “verify identity” and “unlock system” | Implements fake login forms with data exfiltration via XMLHttpRequest or fetch API |
6. Browser Manipulation | JavaScript techniques prevent users from closing the browser normally, creating a sense of panic | Uses onbeforeunload event handlers, history.pushState() for back button disabling |
7. Phone Call Pressure | Throughout these alerts, fake Microsoft support phone numbers are displayed with urgent instructions | Often displays countdown timers to create urgency using setInterval() |
Source: Analysis of “Error: Ox800VDS” tech support scam methodology, May 2025
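The techniques in the stage table are individually common on benign pages, so detection works better on their combination. The following added example (not part of the original analysis) scores page source for those traits; the rule weights, the threshold, and both sample pages are constructed assumptions.

```javascript
// Added example: static triage of page source for the traits in the attack-stage table.
// Weights and threshold are illustrative assumptions, not values from the article.
const PAGE_RULES = [
  { id: "fake-error-code", weight: 5, re: /\b[O0]x800VDS\b/i },
  { id: "beforeunload-handler", weight: 2, re: /onbeforeunload|addEventListener\(\s*["']beforeunload["']/i },
  { id: "fullscreen-request", weight: 2, re: /\.(?:webkit|moz|ms)?requestFullscreen\s*\(/i },
  { id: "toll-free-number", weight: 2, re: /\+?1[-. ]?\(?8(?:00|33|44|55|66|77|88)\)?[-. ]?\d{3}[-. ]?\d{4}/ },
  { id: "history-pushstate", weight: 1, re: /history\.pushState\s*\(/ },
  { id: "countdown-timer", weight: 1, re: /setInterval\s*\(/ },
  { id: "modal-alert", weight: 1, re: /\balert\s*\(/ },
  { id: "password-field", weight: 1, re: /<input[^>]+type\s*=\s*["']?password/i },
];
const THRESHOLD = 5;

// Score a page: sum the weights of every rule whose pattern appears in the source.
function triagePage(source) {
  const hits = PAGE_RULES.filter((rule) => rule.re.test(source));
  const score = hits.reduce((sum, rule) => sum + rule.weight, 0);
  const verdict = score >= THRESHOLD ? "suspicious" : "no-flag";
  return { score, hits: hits.map((rule) => rule.id), verdict };
}

// Constructed sample combining the traits described in the table (555 number is fictional).
const SAMPLE_SCAM = `
<h1>Error: Ox800VDS</h1><p>Call support: +1-855-555-0100</p>
<input type="password" name="pw">
<script>
window.addEventListener("beforeunload", preventClose);
history.pushState(null, "", location.href);
document.documentElement.requestFullscreen();
setInterval(tick, 1000);
</script>`;

// Constructed benign login page: shares some APIs but stays under the threshold.
const SAMPLE_BENIGN = `
<form action="/login"><input type="password" name="pw"></form>
<script>history.pushState({}, "", "/home"); setInterval(poll, 5000);</script>`;

for (const [name, src] of [["scam", SAMPLE_SCAM], ["benign", SAMPLE_BENIGN]]) {
  const r = triagePage(src);
  console.log(name, r.verdict, r.score, r.hits.join(","));
}
```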
When victims call the phone numbers displayed in the “Error: Ox800VDS” scam, they are connected with fraudulent “technicians” who deploy several deceptive tactics:
Many victims report that after paying once, they are often targeted repeatedly with additional “issues” requiring further payments.
Risk Type | Details | Severity |
---|---|---|
Financial Loss | Victims typically pay between $200-$600 for nonexistent problems, often multiple times through recurring scams | High |
Identity Theft | Personal information and login credentials captured during the scam can be used for identity fraud or sold on dark web marketplaces | High |
Account Compromise | Microsoft account credentials can be used to access email, OneDrive, purchase history, payment methods, and other sensitive information | High |
Device Infection | While connected via remote access, scammers often install persistent backdoors, keyloggers, or other malware for continued access | Medium |
Data Loss | Some victims report scammers threatening to delete files if payments aren’t made, or accidentally damaging systems during remote access | Medium |
Secondary Scams | Initial victims are frequently added to “sucker lists” and targeted for additional scams | Medium |
Fake Support Numbers | Status | First Reported |
---|---|---|
+1-855-904-3444 | Reported as Fraudulent | February 2025 |
+1-855-200-1145 | Reported as Fraudulent | February 2025 |
+1-866-808-0768 | Reported as Fraudulent | March 2025 |
+1-844-200-3515 | Reported as Fraudulent | March 2025 |
+1-833-590-8176 | Reported as Fraudulent | March 2025 |
+1-866-797-9553 | Reported as Fraudulent | April 2025 |
+1-866-790-8595 | Reported as Fraudulent | April 2025 |
+1-855-399-1058 | Reported as Fraudulent | April 2025 |
+1-866-993-8594 | Reported as Fraudulent | April 2025 |
+1-888-842-0786 | Reported as Fraudulent | May 2025 |
Note that new numbers are constantly being created as older ones get reported and shut down. Any phone number presented in an error message should be treated with extreme caution.
Method | Procedure | Difficulty |
---|---|---|
Task Manager | Press Ctrl+Alt+Delete or Ctrl+Shift+Esc to open Task Manager, select your browser in the Processes tab, and click “End task” | Easy |
Browser Session | When restarting your browser, decline to restore the previous browsing session to avoid reopening the scam page | Easy |
Keyboard Shortcuts | Try Alt+F4 to close the current window or press Esc repeatedly to dismiss dialog boxes | Easy |
Safe Mode | If the browser persistently reopens to the scam, restart your computer in Safe Mode to prevent automatic startup items | Medium |
Browser Cache | Clear your browser cache, cookies, and browsing history to remove any persistence mechanisms | Medium |
Action | Details | Priority |
---|---|---|
Disconnect from internet | Temporarily disconnect your device to prevent further remote access or data exfiltration | Immediate |
Remove Remote Access Software | Uninstall any remote access programs that were installed during the scam (TeamViewer, AnyDesk, UltraViewer, etc.) | Immediate |
Change Passwords | Immediately change passwords for any accounts you logged into while the scammer had access, especially your Microsoft account | Immediate |
Run Security Scan | Use reputable security software to scan your entire system for malware that may have been installed | High |
Contact Financial Institutions | If you made any payments, contact your bank, credit card company, or payment service to report the fraud and attempt to reverse charges | High |
Report Gift Card Scams | If you paid with gift cards, contact the gift card issuer immediately to report the fraud (though recovery is unlikely) | High |
Report to Authorities | File a report with the Federal Trade Commission (FTC) and the Internet Crime Complaint Center (IC3) | Medium |
Monitor for Identity Theft | Check your credit reports regularly and consider placing a credit freeze if you shared sensitive personal information | Medium |
Related Threat | Connection |
---|---|
FakeCaptcha URL Scam | Uses deceptive web interfaces to trick users into executing actions that benefit attackers |
Fake File Converter Malware | Exploits a common user need to deliver malware or fraudulent services |
Pornographic Virus Alert from Microsoft | Another common tech support scam that falsely claims system infection and requests phone calls |
Resource Type | Official Source | URL/Access Method |
---|---|---|
Microsoft Support Website | Microsoft’s official support portal for all products | https://support.microsoft.com |
Microsoft Community Forums | User and expert support community moderated by Microsoft | https://answers.microsoft.com |
Windows Security App | Built-in security center for Windows 10/11 | Access directly through your Windows installation to check for legitimate threats |
Get Help App | Native support application in Windows 10/11 | Available on Windows 10 and 11 systems to connect with official Microsoft support |
Remember that legitimate Microsoft support representatives will never cold-call you or prompt you to call them through browser pop-ups.
The “Error: Ox800VDS” tech support scam represents a sophisticated social engineering attack designed to exploit user trust in Microsoft branding and create panic through fake security alerts. By understanding how these scams operate and recognizing their warning signs, users can avoid falling victim to these deceptive tactics.
The most important defense against tech support scams is awareness. Remember that legitimate tech companies will never use browser pop-ups to warn about security issues or ask you to call a phone number to fix computer problems. If you encounter such messages, safely close your browser using Task Manager and report the scam to appropriate authorities.
As these scams continue to evolve, we’ll update our analysis and recommendations to help users stay protected against these increasingly convincing deceptions.