McAfee Fake Antivirus Phishing Campaign is Back!

Published: 2022-11-19
Last Updated: 2022-11-20 00:02:43 UTC
by Guy Bruneau (Version: 1)
1 comment(s)

Yesterday I received an email claiming that my McAfee antivirus subscription had expired and that my computer was already infected with 5 viruses (how do they know?). The overall content of this email is simple and to the point, and it is similar to something Xavier posted earlier this year [1].


 

The email sounds scary (infected with malware). However, a few clues, the email header, the fact that the sender is not McAfee, and what they are asking me to do, indicate I'm the target of a phishing email and that they likely want money.



The body of the email claims I'm already compromised and that the way to resolve the issue is to first run an online scan against my host. I copied the hidden URL behind the CONTINUE button and used wget to get a copy of the site. These are the step-by-step results:

 

 

And it found 35 harmful viruses on my computer.


 

Last, the results of the scan and the malware supposedly found on the PC. The initial email claimed the computer was infected with 5 viruses, the scan page then claimed 35, and after the final scan there is only one.

 

 

What I found interesting is that it didn't matter how many times I ran the scan, it always returned the same results (both the live scan and the wget copy), a strong hint that no scan takes place at all and the "findings" are baked into the page. VirusTotal shows very low detection, with 2 vendors identifying this as spam [2]. I got curious and looked up Tapsnake, and it turns out it "is a scareware scam involving coercion to buy protection from a non-existent computer virus that has been distributed in various ways." [3] In the end, I never got a copy of McAfee antivirus.

 

One last thing: I checked the domain's Whois information to see when it was registered or last updated, which can often offer clues about whether it is being used for malicious purposes. Interestingly, this domain was updated today. [4][5] Here is a summary of the current listing:

 

Domain Name: collectyoursordersnow.com
Registry Domain ID: 2699308613_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: https://www.namesilo.com/
Updated Date: 2022-11-19T07:00:00Z
Creation Date: 2022-05-26T07:00:00Z
Registrar Registration Expiration Date: 2023-05-26T07:00:00Z
Registrar: NameSilo, LLC
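The two dates worth pulling out of that listing are the creation date (how old the domain is) and the updated date (how recently someone touched the record). As an added example, not part of the diary, the script below parses the listing quoted above and computes both relative to the day the check was made. The thresholds (younger than a year, changed within the last week) are this example's own rules of thumb; the diary does not state any.

```python
from datetime import date, datetime, timezone

# The WHOIS summary quoted in the diary.  The two thresholds below are
# assumptions made for this example, not something the diary states.
WHOIS_TEXT = """\
Domain Name: collectyoursordersnow.com
Registry Domain ID: 2699308613_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: https://www.namesilo.com/
Updated Date: 2022-11-19T07:00:00Z
Creation Date: 2022-05-26T07:00:00Z
Registrar Registration Expiration Date: 2023-05-26T07:00:00Z
Registrar: NameSilo, LLC
"""

YOUNG_DOMAIN_DAYS = 365   # assumption: anything under a year old gets a second look
RECENT_UPDATE_DAYS = 7    # assumption: a record changed this week is a fresh setup


def parse_whois(text):
    """Turn 'Key: value' WHOIS lines into a dict (first occurrence of a key wins)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() not in fields:
            fields[key.strip()] = value.strip()
    return fields


def whois_date(value):
    """Parse the Zulu timestamps registrars return (2022-05-26T07:00:00Z) into a date."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).date()


def domain_age_report(text, seen_on):
    """Age and last-change recency of the domain as of seen_on (an ISO date string)."""
    seen = date.fromisoformat(seen_on)
    f = parse_whois(text)
    created = whois_date(f["Creation Date"])
    updated = whois_date(f["Updated Date"])
    expires = whois_date(f["Registrar Registration Expiration Date"])
    age_days = (seen - created).days
    since_update = (seen - updated).days
    reasons = []
    if age_days < YOUNG_DOMAIN_DAYS:
        reasons.append(f"domain is only {age_days} days old")
    if since_update <= RECENT_UPDATE_DAYS:
        reasons.append(f"record changed {since_update} days ago")
    return {
        "domain": f["Domain Name"],
        "registrar": f["Registrar"],
        "age_days": age_days,
        "days_since_update": since_update,
        "days_to_expiry": (expires - seen).days,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # 2022-11-19 is the date of this diary, i.e. the day the lookup was done.
    report = domain_age_report(WHOIS_TEXT, "2022-11-19")
    for key, value in report.items():
        print(f"{key:18}: {value}")
```

Against the listing above this reports a domain 177 days old whose record was changed 0 days ago, so both rules fire. Neither is proof on its own (legitimate domains are new and get renewed too), but a freshly modified, months-old domain behind a "your antivirus expired" link is exactly the pattern that makes a second look worthwhile.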


Indicators

https://tuk-vi.collectyoursordersnow[.]com/ga/click/2-76430879-6226-10575-20591-16810-fe164f969b-e290af9b7f


[1] https://isc.sans.edu/diary/McAfee+Phishing+Campaign+with+a+Nice+Fake+Scan/28208
[2] https://www.virustotal.com/gui/url-analysis/u-d83f4cf7d6320d92e653e825e582cfbfc207949bada3e3913128eb6b56377ad3-1668896404
[3] https://en.wikipedia.org/wiki/Tapsnake
[4] https://whois.domaintools.com/collectyoursordersnow.com
[5] https://otx.alienvault.com/indicator/domain/collectyoursordersnow.com

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
