McAfee Fake Antivirus Phishing Campaign is Back!
Yesterday I received this email claiming that my McAfee antivirus subscription had expired and that my computer was already infected with 5 viruses (how do they know?). The content of the email is simple and to the point, and it is similar to something Xavier posted earlier this year [1].
The email sounds scary (infected with malware); however, a few clues, such as the email header, the fact that the sender is not McAfee, and whatever they are asking me to do, indicate that I'm the target of a phishing email and that they likely want money.
The body of the email claims I'm already compromised and that the way to resolve the issue is to first run an online scan against my host. I copied the hidden URL behind CONTINUE and used wget to get a copy of the site. These are the step-by-step results:
And it found 35 harmful viruses on my computer.
Last, the results of the scan and what malware was found on the PC. The initial email claimed the computer was infected with 5 viruses, then 35, and at last, after the final scan, there is only one.
What I found interesting is that it didn't matter how many times I ran the scan, it always returned the same results (both the live scan and the wget copy). VirusTotal shows very low detection, with 2 vendors identifying this as spam [2]. I got curious and looked up Tapsnake, and it turned out it "is a scareware scam involving coercion to buy protection from a non-existent computer virus that has been distributed in various ways." [3] In the end, I never got a copy of McAfee antivirus.
One last thing: I checked the domain's Whois information to see when this domain was registered or updated, as this can often offer clues about whether it is being used for malicious purposes. Interestingly enough, this domain was updated today. [4][5] Here is a summary of the current listing:
Domain Name: collectyoursordersnow.com
Registry Domain ID: 2699308613_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: https://www.namesilo.com/
Updated Date: 2022-11-19T07:00:00Z
Creation Date: 2022-05-26T07:00:00Z
Registrar Registration Expiration Date: 2023-05-26T07:00:00Z
Registrar: NameSilo, LLC
Indicators
https://tuk-vi.collectyoursordersnow[.]com/ga/click/2-76430879-6226-10575-20591-16810-fe164f969b-e290af9b7f
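As an added example (not the diary's own code, and not something the author ran), a small Python triage routine that applies the same two clues from the text: parse a WHOIS record like the one above, refang the defanged indicator, check that its host belongs to the WHOIS domain, and flag a domain that is young or was updated just before the email arrived. The sample record is constructed from the listing above; the thresholds (180 days, 7 days) and the 2022-11-19 "seen" date are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the same layout as the WHOIS summary in the diary.
WHOIS_SAMPLE = """\
Domain Name: collectyoursordersnow.com
Registrar: NameSilo, LLC
Updated Date: 2022-11-19T07:00:00Z
Creation Date: 2022-05-26T07:00:00Z
Registrar Registration Expiration Date: 2023-05-26T07:00:00Z
"""

# Defanged indicator from the diary; it is parsed here, never fetched.
INDICATOR = "https://tuk-vi.collectyoursordersnow[.]com/ga/click/2-76430879-6226-10575-20591-16810-fe164f969b-e290af9b7f"

def parse_whois(text):
    """Turn 'Key: value' WHOIS lines into a dict; the first occurrence of a key wins."""
    rec = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep and key.strip() and key.strip() not in rec:
            rec[key.strip()] = val.strip()
    return rec

def whois_date(value):
    """Timestamps in this WHOIS format are ISO-8601 with a trailing Z (UTC)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def refang_host(indicator):
    """Undo [.] / [:] / hxxp defanging and return the lowercase hostname of a URL."""
    url = indicator.replace("[.]", ".").replace("[:]", ":")
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0].lower()

def triage(rec, indicator, seen_on, young_days=180, fresh_update_days=7):
    """Apply the diary's clues: a young registration or a very recent update is suspicious.
    seen_on is the time the email was received, in the same ISO-8601 Z format."""
    seen = whois_date(seen_on)
    domain = rec["Domain Name"].lower()
    host = refang_host(indicator)
    age = (seen - whois_date(rec["Creation Date"])).days
    since_update = (seen - whois_date(rec["Updated Date"])).days
    return {
        "host": host,
        "host_matches_whois": host == domain or host.endswith("." + domain),
        "days_since_created": age,
        "days_since_updated": since_update,
        "suspicious": age <= young_days or since_update <= fresh_update_days,
    }

if __name__ == "__main__":
    # Assumption: the email was seen on 2022-11-19, the day the diary says the record was updated.
    print(triage(parse_whois(WHOIS_SAMPLE), INDICATOR, "2022-11-19T12:00:00Z"))
```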
[1] https://isc.sans.edu/diary/McAfee+Phishing+Campaign+with+a+Nice+Fake+Scan/28208
[2] https://www.virustotal.com/gui/url-analysis/u-d83f4cf7d6320d92e653e825e582cfbfc207949bada3e3913128eb6b56377ad3-1668896404
[3] https://en.wikipedia.org/wiki/Tapsnake
[4] https://whois.domaintools.com/collectyoursordersnow.com
[5] https://otx.alienvault.com/indicator/domain/collectyoursordersnow.com
-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu