Tech Support scam Archives – Gridinsoft Blog

Ads(exe).finacetrack(2).dll Virus Explained
https://gridinsoft.com/blogs/ads-exe-finacetrack2-dll/
Tue, 10 Sep 2024 10:16:01 +0000

Ads(exe).finacetrack(2).dll is a detection name that you can see on websites pretending to be malware infection alerts from Microsoft. Such pages appear all of a sudden, blocking user inputs and displaying a scary message, duplicated with a robotic voice message in the background. The site eventually asks the user to call a “tech support” to solve the alleged malware problem.

Such sites are a part of a huge network of “fake tech support” web pages. They pretend to be official Microsoft sites, notifying people about “severe malware infections” present in the system. In fact, all that is happening is one big fiction. In this article, I explain how these sites operate, why they open in your browser, and how to stop that for good.

What is Ads(exe).finacetrack(2).dll?

Ads(exe).finacetrack(2).dll is a detection name for an alleged malicious program running in the system. It appears on a fake Microsoft website, or at least on one that its authors tried to make look like a Microsoft site. On the top layer, there is a banner that says the system is blocked for security reasons. That same banner also contains the phone number of a “tech support” line that the user should call to fix the issue.

Typical appearance of the Ads(exe).finacetrack(2).dll scam page

The website itself is designed in a rather specific way. Once the user who gets to this site clicks on any of its elements, it will scale to full screen, and start playing a scary voice message:

Voice message transcription:
Important security message.
Your computer has been locked up. Your IP address was used without your knowledge or consent to visit websites that contain identity theft virus.
To unlock the computer, please call support immediately.
Please do not attempt to shut down or restart your computer. Doing that may lead to data loss and identity theft. The computer lock is aimed to stop illegal activity. Please call our support immediately.

Following that switch, any of the keyboard combinations stop working (yes, even Alt+F4 and Ctrl+Alt+Del). The reason for this is the internal mechanisms of the site that intercept these combos before the system can handle them. As a result, the user feels trapped inside, with no way out other than following the guidance from the banner.

Still, there is a simple trick to get out of such a scam site. If you press the Esc button several times, your browser will show a pop-up saying to hold down Esc to exit full-screen mode. That is different from a single press of the button, and is probably yet another trick from the website. And that is it – hold it down, and then just close the window with the malicious website as you usually do.

How does this scam work?

Fake tech support scams, including Ads(exe).finacetrack(2).dll, operate in several steps. They need to get the user to a scam page, make them follow the instructions, and force them to allow the “support” to do their “job”. The latter typically results in the installation of unwanted programs, often so-called scareware. Let’s go through each of these steps.

Beginning

Initially, scammers need to make the user open the scam website. As these pages typically sit on some obscure URL, hoping for organic traffic is not an option. What they do instead is buy redirect link placement on shady websites whose content, in turn, attracts a lot of users. Sites with pirated films, dodgy online dating services, resources that offer cheats for popular games or shady hacking activities – such places never disdain an illegal source of profit. Any click on any content on these sites may redirect the user to a tech support scam page. Other scams appear on such sites as well, so it is a bad idea to keep using them.

Not sure whether you can trust a website? Consider scanning it with our free online URL scanning service! In less than a minute, it will give you the clear insight whether the site is trustworthy.

Culmination

After the user gets to the website, the inner mechanisms of the Ads(exe).finacetrack(2).dll site lock them on the page. Blocking any visible way out makes it particularly difficult for the user to avoid panicking, especially for someone with fewer computer skills. As a result, the only option that appears viable is to call the “support” at the specified number.

The Finale

In the final stage, on the call with the fake tech support manager, the victim gets instructions to install a remote access tool, usually TeamViewer. After that, the fraudster on the phone instructs the victim to give them access to the system. Upon taking control of the victim’s machine, the scammer typically downloads a bunch of unwanted applications. Fake browser security apps, questionable antivirus software no one has ever heard of, driver updating utilities – plenty of them.

Such applications will further spam the user, reminding them about the “dangerous viruses” and asking them to buy a license. Sure enough, this is nowhere near as dangerous as malware, but it is still quite annoying and can easily lead to money loss. Also, since such apps are not tested properly, some of their actions can make the system malfunction.

How to Avoid the Ads(exe).finacetrack(2).dll scam?

As such scams typically propagate through sites with shady content – pirated movies and programs, dating or adult websites – the best way to prevent fake support scams from appearing is to avoid such sites in the future. Overall, their content is illegal and unhealthy; they typically have massive amounts of ads that can expose the visitor to even more dangers. If you are not sure whether the site is safe to use, check it with our free online URL scanner service.

Another part of the advice is to have a clear understanding of how Windows operates in general. Microsoft never blocks someone’s system, and never displays any notifications in the browser. Even if there is malware running in the computer, you will only get a message from Microsoft Defender, and that is it. Any attempt to look like a genuine Microsoft website, especially with such an obscure URL, is a giant red flag.

Finally, I will advise you to run a proper anti-malware application, like GridinSoft Anti-Malware. It will reliably protect you against malicious programs, and will also block any malicious sites, thanks to its Online Protection feature.

Virus Alert (05261) Scam
https://gridinsoft.com/blogs/virus-alert-05261-scam/
Fri, 23 Aug 2024 17:32:14 +0000

“Virus Alert (05261)” is a scam pop-up message you can see on a website that looks like a Microsoft page, but with a strange URL. It tries to convince people that their system is in trouble. As proof, it shows a banner about outdated apps, incorrect privacy settings, and more critical problems. The banner eventually demands calling a helpline, which turns out to be a contact for fake tech support.

Fake Microsoft support is a rather popular fraudulent scheme, where victims are lured into a phone call with a scammer by means of social engineering. A successful attack results in compromised user privacy and the installation of unwanted apps or even malware. In this post, I will explain how to avoid such sites in the future. Also, you will see all the social engineering tricks that the fraudsters use to force the user into this trap.

Virus Alert (05261)

Virus Alert (05261) is the title of a banner you can encounter on a scam website. The site tries to copy the appearance of a genuine Microsoft Office 365 page, but also adds several banners on top of the background. This banner says your system is “locked due to unusual activity. Error Ox800xdfy”. Below, there is a pitiful infographic showing critical troubles like “browser cookies”, “slow startup apps” and “registry entries”. Lower down, under “Fix issues”, there is a phone number that the user should allegedly call to solve the issue.

Virus alert (05261) scam page example

As is typical for such scam websites, it plays a scary sound alert and switches to full-screen mode after a click on the website. It does not matter where exactly the click happens – the website will intercept it either way and go full screen. The latter may happen randomly, and in full screen, everything starts to look like the system is really locked. This is, in fact, the starting point of the scam.

The key goal of the Virus Alert (05261) scam site is to make the user call the helpline number listed at the bottom of both banners. This number leads to the fake Microsoft tech support – a part of a rather popular scam network that attacked users from Europe and both Americas. Even though the FBI once disrupted a large part of that network, it keeps rolling at the same scale.

“Virus Alert (05261)” Overview

Website: Firewall-alert-windows-hlslj.ondigitalocean.app (scan report)
Threat type: Fake Tech Support Scam
Source: Redirect from a shady page, adware activity, pop-up notifications spam
Risk: Installation of unwanted applications, personal information exposure

The content in “Virus Alert (05261)” scam pop-up:

Virus Alert (05261) !!
Microsoft Windows locked due to unusual activity. Error: 0x800xdfy
Security
Networks are safe
Virus free
14 outdated apps
Privacy
19 privacy settings to fix
434 browser cookies
Performance
10.4 GB to free up
21 slow startup apps
377 registry entries
Fix Issues Show details

Your system has been reported to be infected with Trojan-type spyware.
For assistance, contact Microsoft Support
+1-844-216-9800 (Helpline)

Fake Microsoft Tech Support Scam Risks

Upon calling the said number, the user will face a pseudo-support manager who will continue convincing the user that their PC is full of problems. Bugs, outdated software, lack of free space, or malware – they can choose almost any pressure point. While on the line, the user gets instructions to download TeamViewer, UltraViewer, or another remote connection tool, and grant the scammers access to the device. After that, they are free to do anything with the device: access sensitive data, download or upload files, and even read messages.

But what that connection is actually used for is the installation of unwanted applications, presented as “professional PC help”. The latter is of a specific kind: usually, they offer “system cleaners”, “PC speed-up utilities” or things like that. Either way, this software will once again show you a myriad of problems, only to ask you to pay for solving them. As you may have guessed, all the troubles are one big mystification.

Social Engineering Tricks and Mistakes of “Virus Alert (05261)” Scam

Now, let’s talk about the methods that con actors use to make the scam work. The main thing that allows all this to happen is users’ low awareness of malware, PC issues, and how Microsoft handles them. The tech giant from Redmond physically cannot reach out to every single user who has a problem. For malware-related issues, they have Microsoft Defender – an antivirus that is built into every Windows installation. However, privacy issues, outdated apps, and performance issues are not in their scope. Therefore, the existence of such websites is a scam alert by itself.

The banner on the top layer of the page contains a bunch of technical terms that have little to no relation to each other. It talks about the system being locked, creating fear, and shows error codes and “scan results”, making the page look like some genuine Microsoft alert.

The aforementioned full-screen mode and a scary beeper sound add even more intimidation to the page. One careless click on the page – and the victim feels trapped inside. Combine it with a sound alert repeating lines about the PC being locked and all the data being in danger – and you get the textbook definition of fear mongering. That adds yet another layer of fear, making the user even more malleable for further demands.

So, in summary, the things that scams ride on are fear of technology, fear of being hacked, and a low level of PC knowledge. One can’t help but notice the skillful application of social engineering – the fraudsters really put effort into it. It’s a good thing they’ve decided to put almost no effort into the rest of the elements of the scam.

Mistakes and More Nonsense

Even having just a tiny bit of computer skills and knowledge puts the majority of contents of the scam website in question. First is the error code displayed on top of the “main” banner – Ox800xdfy. Aside from the fact that this code does not exist – why would the unusual activity ever lead to an error code? And why does it start with “O”, the letter, instead of 0 (zero)?

The deeper a tech-savvy person gets into the site, the more questions will surface. It lists outdated apps as a problem – fair enough, but how could the website know the apps are out of date? Why won’t Microsoft just show a notification in the Settings app? The same goes for the privacy settings to fix. And those were the only things that somewhat correspond to the “virus alert” title.

Other points of the banner mention “browser cookies”, “space to free up”, “slow startup apps” and “registry entries”. These, in turn, are not even remotely close to the claimed virus problems or unusual activity. For any tech-savvy person, each of these claims is just ridiculous, and they look like a set of randomly picked names of system elements. Once again, the fraudsters did not put a lot of effort into creating a trustworthy look for the scam page, sticking to buzzwords instead.
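The traits described in this article (forced full screen and key interception, an alarm sound, a helpline number, a vendor "locked" claim and a malformed error code) can be checked mechanically in saved page source. The following is an added example, not code from the original article or from Gridinsoft; the indicator names, weights, threshold and both sample pages are constructed for illustration.

```javascript
// Heuristic triage of saved page source for fake "system locked" support pages.
// Indicator ids, weights and the threshold are assumptions made for this example.

// Assumption: genuine Windows codes use the 32-bit form "0x" + eight hex digits.
function isPlausibleErrorCode(code) {
  return /^0x[0-9a-f]{8}$/i.test(code);
}

// Collect anything presented as an error code, e.g. "Error: 0x800xdfy".
function extractErrorCodes(text) {
  const codes = [];
  const re = /\berror\b[:\s#]*([0O]x[0-9a-z]+)/gi;
  let m;
  while ((m = re.exec(text)) !== null) codes.push(m[1]);
  return codes;
}

const INDICATORS = [
  // Page asks the browser for full screen (the "locked" look).
  { id: 'fullscreen-request', weight: 2,
    test: (s) => /requestfullscreen\s*\(/i.test(s) },
  // Key handlers that cancel default actions, or use of the Keyboard Lock API.
  { id: 'key-interception', weight: 2,
    test: (s) => /navigator\.keyboard\.lock\s*\(/.test(s) ||
      (/addEventListener\(\s*['"]key(down|up|press)['"]|\bonkey(down|up|press)\s*=/i.test(s) &&
        /preventDefault\s*\(/.test(s)) },
  // Alarm sound or synthetic voice started by the page.
  { id: 'alarm-audio', weight: 1,
    test: (s) => /<audio\b[^>]*\b(autoplay|loop)\b/i.test(s) ||
      /new\s+Audio\s*\(|speechSynthesis\.speak\s*\(/.test(s) },
  // North American toll-free number printed on the page.
  { id: 'toll-free-number', weight: 1,
    test: (s) => /(?:\+?1[-.\s]?)?\(?8(?:00|33|44|55|66|77|88)\)?[-.\s]\d{3}[-.\s]\d{4}\b/.test(s) },
  // Vendor name and a "locked/blocked/infected" claim in the same sentence.
  { id: 'vendor-lock-claim', weight: 2,
    test: (s) => /\b(microsoft|windows)\b[^.<]{0,80}\b(locked|blocked|infected)\b/i.test(s) },
  // An "error code" that cannot be a real 32-bit hex value.
  { id: 'malformed-error-code', weight: 2,
    test: (s) => extractErrorCodes(s).some((c) => !isPlausibleErrorCode(c)) },
];

// Score a page; a single indicator is never enough to reach the threshold.
function triagePage(source, threshold = 6) {
  const hits = INDICATORS.filter((i) => i.test(source));
  const score = hits.reduce((sum, i) => sum + i.weight, 0);
  return {
    score,
    hits: hits.map((i) => i.id),
    verdict: score >= threshold ? 'likely-support-scam' : 'inconclusive',
  };
}

// Constructed sample: banner text quoted from the article, markup and script invented.
const SCAM_SAMPLE = `
<title>Virus Alert (05261) !!</title>
<div class="banner">Microsoft Windows locked due to unusual activity. Error: 0x800xdfy</div>
<p>For assistance, contact Microsoft Support +1-844-216-9800 (Helpline)</p>
<audio src="alert.mp3" autoplay loop></audio>
<script>
  document.addEventListener('click', () => document.documentElement.requestFullscreen());
  document.addEventListener('keydown', (e) => e.preventDefault());
</script>`;

// Constructed benign sample: a video page with a full-screen button and a phone number.
const BENIGN_SAMPLE = `
<video id="player" src="talk.mp4" controls></video>
<button onclick="player.requestFullscreen()">Full screen</button>
<p>Questions about your order? Call 1-800-555-0100.</p>`;

console.log(triagePage(SCAM_SAMPLE));
console.log(triagePage(BENIGN_SAMPLE));
```

The benign page shares two traits with the scam page and still stays below the threshold, which is why the indicators are scored together rather than matched one at a time.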

Where did it appear from?

There are several ways for the Virus Alert (05261) scam to appear in the browser. All of them, however, hint at the unwanted activity that is happening in the system.

The first and most widespread one is redirection from a dodgy website. Pages with pirated games, programs or movies often have redirect links injected into buttons on the website. Typically, site masters choose popular ones, like “download” or “play”. The scam page will open should the user click on the link (which they definitely will).

Another reason is pop-up ads from a different scam site. There is a whole category of browser infections that feed on the push notification functionality of modern browsers. It is not hard for the user to get into one, and after that, they start receiving dozens of pop-up notifications. Clicking on one typically throws the person to a scam page, with the subject of this article being among them.

The third, but still highly likely, cause is malware activity. Akin to the push ads that I’ve just described, adware and browser hijackers can open random websites in the browser. As a result, the user gets exposed to a whole bunch of different scam pages. This is actually more dangerous than the other situations, as the actual malware may collect a lot of user information.

How to protect against online scams?

Despite how different they are, it is rather easy to secure yourself against the majority of online scams. One key rule is staying critical about what you see. If a page is too good to be true (awards from Google for being a billionth user) or is telling nonsense (like Virus Alert (05261)), it should not be taken at face value. Never call the number such websites say to call and never share your personal information with them – that will be enough to minimize the potential damage.

Aside from your own attention, reliable anti-malware software will come in handy. GridinSoft Anti-Malware comes with a network protection system that will intercept and block the malicious website before it can do any harm. And it is effective against regular malware, too, so your device will have excellent protection from all malware injection vectors.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Phantom Hacker Scams On The Rise, Target Elderly
https://gridinsoft.com/blogs/phantom-hacker-scams-target-elderly/
Fri, 08 Mar 2024 17:38:51 +0000

Phantom hacker scams are a specific type of fraud that aims at convincing the victim to transfer funds because of a non-existent hacker threat. Over the last few months, such scams started targeting senior citizens, which can lead to significant financial losses. Let’s have a look at how this works, and how to avoid being scammed.

The Phantom Hacker Scams

The FBI has warned the public about a recent increase in phantom hacker scams nationwide. This fraudulent activity mainly targets senior citizens and is an evolved version of tech support fraud. As of August 2023, losses from such scams had increased by 40% compared to the same period in 2022. In specific numbers, during the first half of 2023, nearly 19,000 individuals reported falling victim to tech support scams, resulting in over $542 million in losses.

According to the statistics, scammers often target older adults. Around 66% of total financial losses are suffered by victims over 60. Seniors usually have much more savings than younger age groups, making them more attractive targets for criminals. Additionally, older adults are more mindful of potential life-saving risks, making them vulnerable to calculated scams.

How Do These Scams Work?

The scam process is divided into three stages, each aiming to increase the victim’s level of trust. The perpetrators behind phantom hacker scams employ social engineering to deceive their victims.

Algorithm of actions of scammers

1. Initial Contact. Fraudsters pose as computer technicians from well-known companies. They convince victims that their computers have serious issues, particularly malware, and that their financial accounts are also at risk due to foreign hackers.

2. Follow-Up. Accomplices then impersonate officials from financial institutions or even the U.S. government. They persuade victims to transfer their money from supposedly vulnerable accounts to new “safe” accounts, all under the guise of government protection of their assets.

3. The Deception. Obviously, there was never any foreign hacker. Instead of safe accounts, the scammers now fully control the victims’ money. The funds vanish together with the “technicians” and “govt agents”, leaving victims devastated.

Safety Recommendations

To summarize, it is worth remembering the rules of telephone communication again. Here is a list of “Don’ts” that you should follow to minimize the risk of financial loss:

  • Don’t Trust Unsolicited Calls. Be cautious when receiving an unexpected call claiming to be from tech support or a financial institution. Scammers often impersonate legitimate organizations to gain your trust. To protect yourself, please end the call without providing any personal details. Additionally, consider setting up a blocker for such calls.
  • Don’t Share Personal Information. Never share sensitive information when you receive a phone call unless you initiate the call. Sensitive information includes your credit card information, bank account number, social security number, or passwords. Before sharing any sensitive information, verify the identity of the person independently.
  • Don’t Rush Decisions. Scammers often use urgency to pressure victims into making hasty decisions, resulting in funds being transferred without understanding the situation. Take your time. Ask questions, seek advice from trusted sources, and don’t let anyone rush you into making financial commitments.
  • Don’t Transfer Funds. Proceed cautiously if someone asks you to transfer money based on an unsolicited request. Contact your financial institution directly using official contact information to confirm the transaction.
  • Instruct Your Elderly About the Threats. Aside from showing more trust towards strangers, older generations often struggle to find security news in time. Consider explaining the dangers and the ways to understand they’re talking to a fraudulent person.

What is Microsoft Security Warning Scam?
https://gridinsoft.com/blogs/microsoft-security-warning-scam/
Wed, 08 Nov 2023 22:51:47 +0000

Fraudsters massively employ Microsoft Azure hosting to launch Microsoft Security scam pages. They range from a scary warning that blocks your browser window to phishing pages indistinguishable from the real ones. Let’s see the most typical types of these scams and their features.

What is Windows Defender Security Warning?

Fake Windows Defender Security Warning (Microsoft Security Warning) is a malicious attempt to deceive users into believing their system is compromised or at risk. In reality, these warnings are part of a scam. Cybercriminals create deceptive pop-up notifications or messages that mimic the appearance and language of genuine Windows Defender alerts. These counterfeit warnings often use scare tactics.

The classic example of the Microsoft Security Warning scam

Usually, such sites claim the presence of malware, viruses, or security breaches on the user’s system. They aim to trick users into taking immediate, unwarranted actions. These can include clicking on malicious links, downloading fraudulent software, or providing sensitive information like login credentials or credit card details.

What makes these fake warnings even more convincing is the abuse of Microsoft Azure services. In short, Microsoft Azure is a reputable cloud computing platform that provides tools and services for legitimate purposes, including hosting websites and applications. However, cybercriminals exploit Azure’s flexibility to host their malicious landing pages and phishing sites, thereby lending an air of legitimacy to their schemes.

By leveraging Azure, scammers can secure SSL certificates and create deceptive subdomains, making their fake security warnings appear more convincing. They use Azure to build seemingly genuine login forms and landing pages, often targeting users with Microsoft, Office 365, Outlook, or OneDrive accounts.

How Does This Scam Work?

There are two most common scenarios for this kind of scam, and we’re going to look at them now.

Fake Login Page

In the first common scenario, attackers launch spam email campaigns that appear to originate from a reputable organization. For example, these scammers do their best to trap victims by mimicking the official login pages for Microsoft, Office 365, Outlook, and OneDrive. More often than not, these pages are indistinguishable from the real thing. For example, they may have a Microsoft logo, the correct color schemes, and even a nearly identical URL. Many users may genuinely believe they are on a legitimate Microsoft page.

Fake login page

To make their attacks even more convincing, attackers use Transport Layer Security (TLS) certificates. These certificates encrypt data between a user and a website and often serve as an indicator of trust. In this case, the certificates issued by Microsoft Azure TLS Issuing CA 05 for the *.1.azurestaticapps.net domain make the fake pages indistinguishable from the real ones. Attackers go even further and tailor their phishing pages to target users of other platforms such as Rackspace, AOL, Yahoo, and other email services. In this case, the spoofing is particularly well camouflaged thanks to legitimate Microsoft security certificates.

When users are trying to determine if a phishing attack is targeting them, they are usually advised to carefully check the URL in the browser bar when prompted to enter credentials. However, in the case of phishing campaigns abusing Azure Static Web Apps, this advice is meaningless, as the azurestaticapps.net subdomain and the presence of a valid TLS security certificate will fool many users.
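A URL check regains its value when it asks who controls the hostname instead of whether the name and certificate look Microsoft-related. The following is an added example, not code from the original article or from Microsoft; the suffix list beyond azurestaticapps.net and ondigitalocean.app, the allow-list of sign-in hosts, and all sample links except the hostname quoted elsewhere on this page are assumptions.

```javascript
// Decide who controls a sign-in page from its hostname alone.
// A valid TLS certificate is deliberately not an input: as the article notes,
// the platform's certificate for *.1.azurestaticapps.net also covers tenant pages.

// Shared-hosting suffixes where each subdomain belongs to an arbitrary tenant.
// The first two are named on this page; the rest are assumptions added here.
const TENANT_SUFFIXES = [
  'azurestaticapps.net', 'ondigitalocean.app',
  'azurewebsites.net', 'web.core.windows.net', 'github.io',
];

// Assumed allow-list of sign-in hosts per brand; maintain it from the
// vendor's own documentation rather than from this example.
const OFFICIAL_LOGIN_HOSTS = {
  microsoft: ['login.microsoftonline.com', 'login.live.com'],
};

function classifyLoginHost(rawUrl, brand) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return { verdict: 'invalid-url' };
  }
  // URL() lowercases the hostname; strip a trailing root dot if present.
  const host = url.hostname.replace(/\.$/, '');
  const official = OFFICIAL_LOGIN_HOSTS[brand] || [];
  if (url.protocol === 'https:' && official.includes(host)) {
    return { host, verdict: 'official' };
  }
  const suffix = TENANT_SUFFIXES.find((s) => host.endsWith('.' + s));
  if (suffix) {
    // Everything left of the suffix is chosen by whoever rented the slot.
    const tenant = host.slice(0, -(suffix.length + 1));
    return { host, verdict: 'tenant-controlled', suffix, tenant };
  }
  if (host.includes(brand)) {
    // Brand name appears in a host that is not on the allow-list.
    return { host, verdict: 'brand-lookalike' };
  }
  return { host, verdict: 'unverified' };
}

// Return every link that must not receive credentials for the given brand.
function rejectForCredentials(urls, brand) {
  return urls
    .map((u) => ({ url: u, ...classifyLoginHost(u, brand) }))
    .filter((r) => r.verdict !== 'official');
}

// Constructed sample links (only the second hostname appears on this page).
const SAMPLE_LINKS = [
  'https://login.microsoftonline.com/common/oauth2/authorize',
  'https://Firewall-alert-windows-hlslj.ondigitalocean.app/',
  'https://example-tenant-0a1b2c.1.azurestaticapps.net/login',
  'https://login.microsoftonline.com.account-check.example/',
  'http://login.live.com/',
];

console.log(rejectForCredentials(SAMPLE_LINKS, 'microsoft'));
```

Only the first sample link is accepted; the plain-HTTP link to an allow-listed host is rejected as well, because the allow-list match requires HTTPS.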

Tech Support Scam

The fake Microsoft technical support scam involves a scheme in which attackers impersonate Microsoft representatives or certified technicians. Usually, this scheme starts with a phishing site that contains a fake Microsoft Security Warning. This leads to the victim calling the scammers, hoping to get help solving the “problem”. They may use a variety of techniques to gain the attention and trust of potential victims. Sometimes, however, scammers call random users, claim that the user’s computer has serious problems, viruses, or security breaches, and offer to help resolve them.

To “help” users, scammers may ask permission to control the computer remotely. If the user agrees, attackers gain full access to the system and can install malware or steal personal data. In addition, scammers often ask the user to provide personal information such as credit card numbers, passwords, addresses, and other sensitive information.

How To Avoid These Scams?

To avoid falling victim to phishing scams like the ones abusing Azure Static Web Apps, it’s essential to follow these practices for online security and remain vigilant. Here are some steps you can take to protect yourself:

  • Check URLs before entering data. You should check the URL in the address bar when you’re asked to enter your account credentials on a login page. Look for any unusual subdomains or misspellings that could indicate a phishing site. Ensure that the domain is the official one for the service you’re using.
  • Be careful with suspicious emails. Please don’t click on links or download attachments from unsolicited or unexpected emails. Always verify the legitimacy of an email, even if it appears to come from a trusted source.
  • Verify the Source. When you receive an email requesting sensitive information or actions, contact the supposed sender directly through official channels to verify the request’s authenticity.
  • Use a Password Manager. With one, you can create strong, unique passwords for your online accounts. This prevents a single compromised password from affecting multiple accounts.
  • Enable Two-Factor Authentication. Whenever possible, enable 2FA for your online accounts. This adds another layer of security and requires a second form of verification, such as a temporary code sent to your phone.
  • Educate Yourself. It is crucial to keep yourself updated on the latest phishing techniques and common scam tactics to stay informed and protected. Be vigilant and cautious while browsing the internet or dealing with suspicious emails or messages. The more you know, the better you can protect yourself.
  • Use Security Software. We recommend installing reputable anti-malware solutions on your devices. It can help detect and block malicious websites and emails.
  • Keep Software Updated. Keep your operating system, web browsers, and security software up-to-date. This ensures that any known vulnerabilities are fixed.

By following these precautions and maintaining a healthy level of skepticism, you can significantly reduce the risk of falling victim to phishing scams. Cybercriminals continuously adapt their tactics, so staying vigilant is essential to your online security.

Fake Amazon and Microsoft Tech Support call centers busted
https://gridinsoft.com/blogs/fake-amazon-microsoft-tech-support-busted/
Tue, 24 Oct 2023 18:22:22 +0000

Amazon and Microsoft are partnering with CBI to crack down on multiple tech support call centers scams across India. These call centers target customers of Amazon and Microsoft, two of the largest companies in the tech industry, and have defrauded more than 2,000 Amazon and Microsoft customers, mainly in the US.

Fake Amazon and Microsoft call centers busted

Indian authorities, in collaboration with Amazon and Microsoft, conducted Operation Chakra-II to crack down on 76 illegal call centers across at least 11 states in India. These call centers posed as tech support for Amazon and Microsoft customers and defrauded over 2,000 individuals. This marks the first time two major companies have collaborated to combat online and tech support fraud. The Central Bureau of Investigation of India (CBI) led the Chakra-II operation.

CBI’s post on the start of the Chakra-II operation
“The joint referral enabled the exchange of actionable intelligence and insights with CBI and other international law enforcement agencies to help them take action at scale. We firmly believe that partnerships like these are not only necessary but pivotal in creating a safer online ecosystem and in extending our protective reach to a larger number of individuals.” - Microsoft

On the other hand, Amazon said this:

“Together, the companies are setting a precedent for the power of industry collaboration and the collective impact it can have in holding bad actors accountable. Amazon will remain vigilant and persistent in our efforts to stay one step ahead of fraudsters, but we cannot win this fight alone. We encourage others in the industry to join us as a united front against criminal activity.” - Amazon

Country-level scam

Almost every user has probably seen the “Hello Your Computer Has Virus” meme or jokes about Indian men calling people and introducing themselves as Microsoft tech support. India has indeed become fertile ground for a thriving network of scammers, and the Indian tech support scam can be considered a worthy competitor to the Nigerian Prince scam. Scammers primarily run these illegal operations from call centers masquerading as legitimate businesses.

That same meme

According to the FBI, victims of tech support call center fraud lost more than $1 billion in the US last year, with scammers mainly targeting older people. Nearly half of the victims were over 60, and they accounted for 69%, or more than $724 million, of the losses. Many of these scams target customers of Amazon and Microsoft, two of the largest companies in the tech industry. Unsurprisingly, these companies have banded together for the first time to fight against these scams.

How did this scam work?

The Central Bureau of Investigation (CBI) recently revealed that fraudsters have been pretending to be Amazon and Microsoft customer service agents. They have been contacting victims through online pop-up messages that appear to be real security alerts from these companies. The pop-up message claims that the user’s computer is experiencing technical issues and provides a toll-free number to contact customer support. However, the phone number actually belongs to the fraudsters’ electronic call centers. By the way, we have an article dedicated to breaking down this scam scheme.

Once the victim calls, the scammers use some trickery to gain remote access to the victim’s computer and show them fake problems. They then charge the victim hundreds of dollars for fake solutions that were not needed in the first place. This fraudulent activity has allegedly been going on for the past five years. The fraudsters use various international payment gateways and channels to move the illegally obtained funds.

CBI exposes fake call centers

As part of five separate cases, a nationwide crackdown was conducted in Delhi, Punjab, Haryana, Himachal Pradesh, Uttar Pradesh, Madhya Pradesh, Karnataka, Kerala, Tamil Nadu, and West Bengal, which resulted in the confiscation of 32 mobile phones, 48 laptops/hard disks, 33 SIM cards, and pen drives. The operation also seized numerous bank accounts alongside 15 email accounts that were associated with the scammer network.

While the CBI did not disclose the number of arrests made during the operation, it was revealed that the illegal call centers had targeted more than 2,000 Amazon and Microsoft customers. The victims primarily reside in the US, Australia, Canada, Germany, Spain, and the UK. Amazon also confirmed that it had removed over 20,000 phishing websites and 10,000 phone numbers from impersonation schemes in 2022. The company reported hundreds of attackers worldwide to authorities.

Is it the end of Amazon/Microsoft Tech Support scams?

Not really. Frauds like that are exceptionally profitable, so there will always be a temptation to restart them. Sure, the current con actors are detained, but nature abhors a vacuum. Where one group of crooks is no more, another will pop up rather quickly.

Still, the myth of impunity these guys were relying on is now busted. Further scams will be more concealed, more distributed, and/or reliant on less traceable technologies. Will they be more effective with all these upgrades? This is what we are about to discover.
