New (to me, anyway) & "Real Looking" Windows Defender Scam Malware

britechguy
Received an email from a client a very short while ago with this screenshot, taken using her phone. Thank heaven she just stopped, dead, and did nothing other than take that photo and e-mail asking about it.

[attachment: 20220423_New_WinDefender_Scam.jpg]

One of the most authentic looking versions of this kind of scam I've yet to run across. I gave her the step-by-step instructions for restarting and kicking off an immediate offline scan with the real Windows Defender, which I have every reason to believe will detect and remove this. Also told her if it shows up again we need to use a different malware removal tool.
 
> which I have every reason to believe will detect and remove this. Also told her if it shows up again we need to use a different malware removal tool.

There is nothing to remove. It is malvertising. An ad on whatever site triggered this.
If the user was using uBlock Origin and Malwarebytes Browser Guard in the browser, this most likely would not have happened.
 
OK.

I typically install uBlock Origin on all browsers, so she may have gotten another one. This is a client for whom I had to do a nuke & pave some months back, so I was surprised to see this, as I don't tend to hand back a fresh machine that I've not already put "the usual shields" in place on.

Followed up with the client letting her know this. Also suggested that she might consider using Brave or Vivaldi in addition to adding uBlock Origin to any other browsers she might be using.

I've come to love both Brave and Vivaldi because they have, built-in, the functionality of uBlock Origin (or most of it, anyway) and tend to prevent this stuff with no action at all needed by the end user. I love uBlock Origin, though, and use it in Firefox, Edge, and Chrome.
 
> This is a client for whom I had to do a nuke & pave some months back, so I was surprised to see this, as I don't tend to hand back a fresh machine that I've not already put "the usual shields" in place on.

I see this when users create new browser profiles, reset to defaults in browsers or create new user accounts in Windows.
I also do not use the default lists in uBlock.
 
@Porthos

One of my favorite observations, and it applies to computer end users of virtually all stripes: Nothing can be made foolproof because fools are just too damned ingenious!
 
> Received an email from a client a very short while ago with this screenshot, taken using her phone. Thank heaven she just stopped, dead, and did nothing other than take that photo and e-mail asking about it.
>
> [attachment]
>
> One of the most authentic looking versions of this kind of scam I've yet to run across. I gave her the step-by-step instructions for restarting and kicking off an immediate offline scan with the real Windows Defender, which I have every reason to believe will detect and remove this. Also told her if it shows up again we need to use a different malware removal tool.

I've had several customers report almost the exact same thing. I think the number was an 855 number. From what I can tell it came from poisoned links on legit pages.
 
And for those who may not know of or have the default lists in use, here's a screenshot of those:

[attachment: 1650741955752.png, screenshot of the uBlock Origin default filter lists]

I don't believe I've ever customized these under Edge, and that's where the screenshot above comes from.
 
Yes, I had about six of these last week and advised clients to do the following at the time, before I could go over, make sure everything was fine and block future popups.

End your browser sequence
------------------------------
Press Ctrl+Alt+Delete in unison on the keyboard
Open Task Manager
END TASK your browser, i.e. Chrome etc.

Doing so gave me time to organise, and the client's system won't be compromised; or more so their bank accounts.
 
> I love uBlock Origin, though, and use it in...

....LibreWolf (the portable version, on my own PCs, both Linux and Windows) along with Decentraleyes, UnTrackMe, Emsisoft Browser Security, uBlock Origin, WebRTC Control, HTTPS Everywhere (with "Encrypt All Sites Eligible" on), and "Opt-Out" for Google Analytics.
I used to use Stop Autoplay Next for Youtube. But now that I use FreeTube, (portable version) it's already built in.

I stopped using Opera (after about 20 years as my browser of choice) because of recent security concerns.
Opera allowed using host files which I thought was a great idea.

I try to refrain from using any ad blocking on client machines because they really don't understand.
I get too many calls about "cant see this or that" and trying to educate them is a nightmare mostly.
 
> I try to refrain from using any ad blocking on client machines because they really don't understand.
> I get too many calls about "cant see this or that" and trying to educate them is a nightmare mostly.

With some clients, I tell them that security focused browsers will, occasionally "behave badly" and block you from specific sites. I then tell them to use Microsoft Edge (or some other browser I have intentionally left "unguarded") on those rare occasions where this proves necessary.

Others, who I fear will just start using the unguarded browser because of the rare odd annoyance get told nothing. I virtually never hear from them, either. And I definitely don't hear from them about stuff just like what caused me to start this topic. I'm actually kinda proud that I have not seen something like this (malvertising) in so long, on any of my own machines nor those of the vast majority of my clients, that I didn't recognize exactly what it was. The goal is to keep this s*it from ever appearing in the first place since, if there is any reacting in response to it other than calling me, all is already lost.
 
When I put Malwarebytes Premium on customer machines I've been leaving out the browser guard to avoid the support calls re some sites not playing ball. Would these scam sites still be stopped? Would be nice to have a sample URL so I could do some testing.
 
> Would these scam sites still be stopped?

With Malwarebytes Premium alone, probably not. That is why Browser Guard is pushed so hard by MB as part of total protection.
The issue is the ads. No ads, no malvertising.

> Would be nice to have a sample URL

Those scam pages do not live long in most cases.

> I've been leaving out the browser guard to avoid the support calls re some sites not playing

I have had no issues with my own browsing and just a couple of clients say they could not access a legit site.
 
I have a policy in place for all my MSP clients for Edge and Chrome: uBlock Origin and Emsisoft Browser Security. Works perfectly for crap like this.
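For anyone who wants to do the same thing without a full MSP/GPO stack, here is an added example (mine, not the poster's, and not from the thread) that pushes uBlock Origin into Chrome and Edge with the browsers' own ExtensionInstallForcelist machine policy. It assumes you run it elevated on the client machine, and that the two store IDs below are the public uBlock Origin listings (Chrome Web Store and Edge Add-ons). Emsisoft Browser Security is deliberately left out because I am not certain of its store IDs; add a third entry once you have copied the ID off the store page.

```powershell
# Added example: force-install uBlock Origin in Chrome and Edge via machine policy.
# Run from an elevated PowerShell prompt. Assumed store IDs (uBlock Origin):
#   Chrome Web Store : cjpalhdlnbpafiamejdnhcphjbkeiagm
#   Edge Add-ons     : odfafepnkmbhccpbejgmiehpchacaeak
# Each list entry is "<extension id>;<update url>" stored as a REG_SZ value named 1, 2, 3 ...

$policies = @{
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'   = 'cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx'
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'  = 'odfafepnkmbhccpbejgmiehpchacaeak;https://edge.microsoft.com/extensionwebstorebase/v1/crx'
}

foreach ($key in $policies.Keys) {
    $entry = $policies[$key]
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Only the numeric value names belong to the list; ignore PS* metadata properties.
    $numbered = (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' }

    if ($numbered | Where-Object { $_.Value -eq $entry }) {
        Write-Host "Already present under $key"
        continue
    }

    # Next free index: highest existing number + 1 (Maximum is $null on an empty list, so this yields 1).
    $next = (($numbered | ForEach-Object { [int]$_.Name }) | Measure-Object -Maximum).Maximum + 1
    New-ItemProperty -Path $key -Name $next -Value $entry -PropertyType String -Force | Out-Null
    Write-Host "Added entry $next under $key"
}

# Show what the browsers will pick up on next launch (also visible at chrome://policy and edge://policy).
foreach ($key in $policies.Keys) { Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS* }
```

Because the extension arrives through a force-list, the user cannot remove or disable it from the extensions page, which is the point for the "I'll just turn it off" clients discussed above; it also means any site breakage lands on you, not them. Two checks before rolling it out: confirm the IDs against the store listing rather than trusting a copy-paste, and, since uBlock Origin is a Manifest V2 extension, check the current Chrome policy documentation for whether a Manifest V2 availability policy is still needed on the Chrome build you deploy to.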
 