
Fake Anti-Virus Pages Used in Phishing Attack


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

A new type of phishing attack deception technique has been observed where malicious actors style webpages to present themselves as an anti-virus company.

Threat details

Copying legitimate websites gives users confidence in the webpage, increasing the chances of extorting credentials from the user. Once a user’s credentials are stolen, it is then possible that an attacker could use this information to conduct subsequent social engineering attacks, such as emailing the user, purporting to be from the anti-virus company, and responding to the queries the user has left. This help can establish a sense of trust between the user and what they think is a representative of a legitimate anti-virus company. Once a sense of trust has been established, the threat actor is almost certain to ask the user to provide their password. This opens up the possibility of a password reuse attack, of the account being sold on dark or deep web forums, or of the user’s anti-virus software being configured to facilitate further attacks.

While a unique aspect of this type of phishing is the apparent legitimacy of the site, one warning sign can be the absence of a security certificate.

The fake pages identified (listed below) do not have certificates and should raise concern if you are being prompted to enter credentials.
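
The warning sign described above (a page that prompts for credentials but has no certificate) can be checked automatically, for example over pages fetched by a web proxy or mail gateway. The following is an added example, not part of the original alert; the function name, the sample hosts under example.test and the sample HTML are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collects form actions and notes whether the page has a password input."""

    def __init__(self):
        super().__init__()
        self.actions = []
        self.has_password = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names arrive lowercased; values may be None
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True


def credential_prompt_findings(page_url, html):
    """Return reasons why a page that asks for a password lacks TLS protection."""
    scanner = _FormScanner()
    scanner.feed(html)
    if not scanner.has_password:
        return []  # no credential prompt, nothing to flag
    findings = []
    if urlsplit(page_url).scheme.lower() != "https":
        findings.append("password field served without a certificate (not HTTPS)")
    for action in scanner.actions:
        target = urljoin(page_url, action)  # resolve relative form actions
        if urlsplit(target).scheme.lower() != "https":
            findings.append("form submits to non-HTTPS target: " + target)
    return findings


# Constructed sample pages (hypothetical hosts, not taken from the alert)
SAMPLES = {
    "http://av-support.example.test/login": '<form action="/auth"><input type="password" name="p"></form>',
    "https://portal.example.test/login": '<form action="http://collect.example.test/in"><input type="PASSWORD"></form>',
    "https://portal.example.test/ok": '<form action="/auth"><input type="password"></form>',
    "http://news.example.test/": '<form action="/search"><input type="text" name="q"></form>',
}

if __name__ == "__main__":
    for url, body in SAMPLES.items():
        print(url, credential_prompt_findings(url, body) or "no finding")
```

An empty result only means this one sign is absent: a page served with a valid certificate can still be a phishing page.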


Remediation steps

  • Employee cyber security training should include certificate warnings and the risks of phishing emails.
  • A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
  • All operating systems, antivirus and other security products are kept up to date.
  • All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
  • Strong password policies are in place and password reuse is discouraged.

Last edited: 17 February 2020 11:30 am