Scammers Impersonating Windows Defender to Push Malicious Windows Apps | McAfee Blogs

Scammers Impersonating Windows Defender to Push Malicious Windows Apps | McAfee Blogs

Summary points:

Scammers are increasingly using Windows Push Notifications to impersonate legitimate alerts
Recent campaigns pose as a Windows Defender Update
Victims end up allowing the installation of a malicious Windows Application that targets user and system information

Browser push notifications can highly resemble Windows system notifications.  As recently discussed, scammers are abusing push notifications to trick users into taking action.  This recent example demonstrates the social engineering tactics used to trick users into installing a fake Windows Defender update.  A toaster popup in the tray informs the user of a Windows Defender Update.

Clicking the message takes the user to a fake update website.

The site serves a signed ms-appinstaller (MSIX) package.  When downloaded and run, the user is prompted to install a supposed Defender Update from “Publisher: Microsoft”

After installation, the “Defender Update” App appears in the start menu like other Windows Apps.

The shortcut points to the installed malware: C:Program FilesWindowsApps245d1cf3-25fc-4ce1-9a58-7cd13f94923a_1.0.0.0_neutral__7afzw0tp1da5eloomEversible.exe, which is a data stealing trojan, targeting various applications and information:

System information (Process list, Drive details, Serial number, RAM, Graphics card details)
Application profile data (Chrome, Exodus wallet, Ethereum wallet, Opera, Telegram Desktop)
User data (Credit card, FileZilla)

Am I protected?

McAfee customers utilizing Real Protect Cloud were proactively protected from this threat due to machine learning.
McAfee customers utilizing web protection (including McAfee Web Advisor and McAfee Web Control) are protected from known malicious sites.
McAfee Global Threat Intelligence (GTI) provides protection at Very Low sensitivity

General safe ..

Support the originator by clicking the read the rest link below.