Malicious push notifications: Is that a real or fake Windows Defender update?
You’re on PC, and suddenly a pop-up ad appears in the system tray informing you of a Windows Defender Update. Be careful — it might be push notification malware meant to trick you into installing malicious Windows apps.
According to McAfee, threat actors are increasingly abusing push notifications to impersonate legitimate Windows alerts. Clicking on the alert redirects users to a fake Windows update website telling them their antivirus subscription has expired and that McAfee has detected various threats on their system. This message deceives the user into downloading the fake update, which can harvest system and user information.
Two year's worth of NIST-aligned training
Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.
Fake Windows Defender update: Why it’s easy to fall for
McAfee researchers stated that browser push notifications could closely resemble Windows system updates. Attackers are hacking into pop-up notifications and planting fake ones that disguise themselves by leveraging the McAfee logo and name. The pop-ups are purported to inform users about Windows Defender Update and take them to a fake website.
The fake website then presents a “signed MSIX (ms-appinstaller)” package. Downloading and running this file brings up a prompt asking for the installation of a Defender Update from a supposed “Publisher: Microsoft.” Once done, the malicious Defender Update app appears in the start menu alongside other Windows applications.
Rather than redirecting to a legitimate update, the Defender Update shortcut tricks the user into unintentionally downloading a data-stealing trojan capable of targeting various types of information and apps.
With this social engineering tactic, “remove ads” and other notification buttons redirect the user to the publisher’s selected destination instead of anything that would let you disable the pop-up. Also, most destination web pages themselves encourage users to allow more alerts. If done, this could result in a scenario where users are flooded with tons of messages frequently, making it difficult to distinguish legitimate messages from fake ones.
But what’s more concerning is that users ignore any security warnings or pop-ups if they consider a file legitimate. They can spend time monitoring the victim’s organization for the information or deploy ransomware. In some cases, they will even disable their antivirus to facilitate its installation. Once that’s done, scammers and criminals have access to do as they please.
Defender update malware’s capabilities
The fake Defender update can steal varying types of system information. This can include serial numbers, process lists, RAM, graphics card and drive details. The malware can also access application profile data from Ethereum wallets, Exodus wallets, Chrome, Telegram and Opera Desktops. User data such as credit cards are also at risk.
While hackers continue to send out emails for phishing campaigns, they’re increasingly exploring other attack vectors like Windows Push Notifications in a bid to avoid detection and install malware on the user’s computer. Such attacks rely on the user’s complacency and trust to work. And by replicating the exact fonts, style, and logos used by legitimate system pop-up notifications, they’re able to trick unsuspecting users into ignoring system warnings for something that seems familiar.
How to protect yourself from malicious push notifications
McAfee researchers gave safety tips to protect against the push notification hack. They also stated that people using Real Protect Cloud from McAfee were safe from this threat courtesy of machine learning. They recommend utilizing McAfee Web Control and McAfee Web Advisor, both of which protect from known malicious websites.
Researchers also urge companies to educate personnel to carefully evaluate prompts and only give authorization on trusted web pages. Plus, for Windows Updates, employees should conduct a manual check by entering in a web address themselves or through the start menu instead of clicking any URL they receive. And because Windows-related prompts can be quite convincing, it’s better to disable them and check for updates yourself.
Here’s how to disable notifications in web browsers:
Safari:
Click Safari at the top left corner of the screen and choose Preferences.
Go to the Websites section, then click the Notifications option on the left pane.
Look for suspicious URLs and select the Deny option for each you want to block
Chrome:
- Click the three dots (Menu button) at the top right corner of the screen.
- Choose Settings, then scroll to the bottom and select Advanced.
- Now go to the Privacy and Security section and click Content settings > Notifications.
- Click the three dots at the right of each suspicious link and select Block or Remove. (Choosing Remove may lead the site asking you to enable prompts again.)
Firefox:
- Click the three bars (Menu button) at the top right corner of the screen.
- Choose Options and click the Privacy & Security option in the left-hand toolbar.
- Go to the Permissions section and click Settings next to Notifications.
- In the window that opens, locate all suspicious links and choose Block from the drop-down menu.
Internet Explorer:
- Open the IE browser and click the Gear button at the top right corner of the screen.
- Select Internet options. Next, choose the Privacy tab and click Settings in the Pop-up Blocker section.
- Choose the suspicious links and remove them one by one by clicking the Remove option.
See Infosec IQ in action
Dealing with pop-up scams
The fake Windows Defender update is just one case of pop-up spam. With hackers leveraging new attack vectors to gain access to people’s computers, we expect more legitimate push notifications to be abused in the foreseeable future. The good news is you can implement the strategies we’ve listed in this post to protect your system and data from data-stealing malware.
Sources
- How to Stop the Popups, McAfee Labs
- Scareware - Don't Be Scared Right into a Scam, What Is My IP Address
In this Series
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
- Top 5 ways ransomware is delivered and deployed
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness