Malicious push notifications: Is that a real or fake Windows Defender update?
You’re on your PC and suddenly a pop-up appears in the system tray announcing a Windows Defender update. Be careful: it might be push notification malware meant to trick you into installing a malicious Windows app.
According to McAfee, threat actors are increasingly abusing push notifications to impersonate legitimate Windows alerts. Clicking on the alert redirects users to a fake Windows update website telling them their antivirus subscription has expired and that McAfee has detected various threats on their system. This message deceives the user into downloading the fake update, which can harvest system and user information.
Fake Windows Defender update: Why it’s easy to fall for
McAfee researchers stated that browser push notifications can closely resemble Windows system updates. Attackers abuse these notifications to plant fake alerts that disguise themselves with the McAfee logo and name. The pop-ups claim to announce a Windows Defender Update and take users to a fake website.
The fake website then presents a “signed MSIX (ms-appinstaller)” package. Downloading and running this file brings up a prompt asking to install a Defender Update from a supposed “Publisher: Microsoft.” Once installed, the malicious Defender Update app appears in the Start menu alongside other Windows applications.
Rather than redirecting to a legitimate update, the Defender Update shortcut tricks the user into unintentionally downloading a data-stealing trojan capable of targeting various types of information and apps.
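The install path described above leaves an auditable trace: a sideloaded package whose display name or publisher text claims to be Microsoft or Defender, but whose verified signing certificate is not Microsoft’s. The PowerShell below is an added example, not code from McAfee or the original article; the keyword list and output fields are my own choices.

```powershell
# Added example: audit installed AppX/MSIX packages for ones that claim a trusted
# name in their display properties but whose signing certificate is not Microsoft's.
# Run from an elevated PowerShell session so -AllUsers can enumerate every profile.
function Find-SuspiciousSideloadedPackages {
    [CmdletBinding()]
    param(
        # Keywords are an assumption for this example; tune them to your environment.
        [string[]]$Keywords = @('Defender', 'Microsoft', 'McAfee', 'Update')
    )
    $pattern = ($Keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'

    Get-AppxPackage -AllUsers | Where-Object {
        # Store- and System-signed packages are the expected ones; Developer, Enterprise
        # and None mean the package was sideloaded (the ms-appinstaller route used here).
        $_.SignatureKind -notin @('Store', 'System')
    } | ForEach-Object {
        $pkg = $_
        # PublisherDisplayName is free text chosen by whoever built the package;
        # Publisher is the certificate subject Windows actually verified at install time.
        $displayName = $pkg.Name
        $displayPublisher = ''
        try {
            $manifest = Get-AppxPackageManifest -Package $pkg.PackageFullName
            $displayName = [string]$manifest.Package.Properties.DisplayName
            $displayPublisher = [string]$manifest.Package.Properties.PublisherDisplayName
        } catch { }

        $claimsTrustedName = ($displayName -match $pattern) -or ($displayPublisher -match $pattern)
        $signedByMicrosoft = $pkg.Publisher -like 'CN=Microsoft Corporation, O=Microsoft Corporation,*'

        if ($claimsTrustedName -and -not $signedByMicrosoft) {
            [pscustomobject]@{
                PackageFullName  = $pkg.PackageFullName
                DisplayName      = $displayName
                DisplayPublisher = $displayPublisher
                CertSubject      = $pkg.Publisher
                SignatureKind    = $pkg.SignatureKind
                InstallLocation  = $pkg.InstallLocation
            }
        }
    }
}

Find-SuspiciousSideloadedPackages | Format-Table -AutoSize
```

Any row returned deserves a look at its InstallLocation and the certificate chain behind CertSubject; legitimate third-party MSIX apps will also show up, so treat the list as a triage queue rather than a verdict.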
With this social engineering tactic, the “remove ads” and other buttons on the notification send the user to a destination chosen by the publisher rather than anywhere that would let you disable the pop-up. Most of those destination pages in turn encourage users to allow even more alerts. If they do, users can end up flooded with frequent messages, making it hard to tell legitimate notifications from fake ones.
More concerning still, users tend to ignore security warnings or pop-ups once they consider a file legitimate. In some cases, they will even disable their antivirus to let the installation go ahead. Once that’s done, the scammers and criminals can do as they please: they may spend time monitoring the victim’s organization for information or deploy ransomware.
Defender update malware’s capabilities
The fake Defender update can steal varying types of system information, including serial numbers, process lists, and RAM, graphics card and drive details. The malware can also access application profile data from Ethereum wallets, Exodus wallets, Chrome, Telegram and Opera desktop browsers. User data such as credit card details is also at risk.
While hackers continue to send out emails for phishing campaigns, they’re increasingly exploring other attack vectors like Windows Push Notifications in a bid to avoid detection and install malware on the user’s computer. Such attacks rely on the user’s complacency and trust to work. And by replicating the exact fonts, style, and logos used by legitimate system pop-up notifications, they’re able to trick unsuspecting users into ignoring system warnings for something that seems familiar.
How to protect yourself from malicious push notifications
McAfee researchers gave safety tips to protect against the push notification hack. They also stated that people using Real Protect Cloud from McAfee were safe from this threat courtesy of machine learning. They recommend utilizing McAfee Web Control and McAfee Web Advisor, both of which protect from known malicious websites.
Researchers also urge companies to educate personnel to carefully evaluate prompts and only grant authorization on trusted web pages. For Windows updates, employees should check manually by entering a web address themselves or going through the Start menu instead of clicking any URL they receive. And because Windows-related prompts can be quite convincing, it’s better to disable them and check for updates yourself.
Here’s how to disable notifications in web browsers:
Safari:
- Click Safari at the top left corner of the screen and choose Preferences.
- Go to the Websites section, then click the Notifications option on the left pane.
- Look for suspicious URLs and select the Deny option for each you want to block.
Chrome:
- Click the three dots (Menu button) at the top right corner of the screen.
- Choose Settings, then scroll to the bottom and select Advanced.
- Now go to the Privacy and Security section and click Content settings > Notifications.
- Click the three dots at the right of each suspicious link and select Block or Remove. (Choosing Remove may lead to the site asking you to enable prompts again.)
Firefox:
- Click the three bars (Menu button) at the top right corner of the screen.
- Choose Options and click the Privacy & Security option in the left-hand toolbar.
- Go to the Permissions section and click Settings next to Notifications.
- In the window that opens, locate all suspicious links and choose Block from the drop-down menu.
Internet Explorer:
- Open the IE browser and click the Gear button at the top right corner of the screen.
- Select Internet options. Next, choose the Privacy tab and click Settings in the Pop-up Blocker section.
- Choose the suspicious links and remove them one by one by clicking the Remove option.
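For a managed fleet, the per-browser clicks above can be enforced centrally instead. The PowerShell below is an added example, not from the article or from McAfee; it writes the documented Chrome, Edge and Firefox policy registry values that block new notification permission requests, and the sample allow-list URL is a constructed placeholder for your own internal sites.

```powershell
# Added example: enforce "block web notifications" through browser policy registry keys
# under HKLM\SOFTWARE\Policies, so the setting applies to all users and is locked in the UI.
# Run elevated. Each browser reads the policies on its next start.
function Set-BrowserNotificationBlock {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Optional URL patterns that may still show notifications (e.g. an internal helpdesk).
        # The default is empty; the caller below passes a constructed sample value.
        [string[]]$AllowedUrls = @()
    )

    # Chromium policy: DefaultNotificationsSetting 1 = allow, 2 = block, 3 = ask (default)
    $chromiumRoots = @(
        'HKLM:\SOFTWARE\Policies\Google\Chrome',
        'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    )
    foreach ($root in $chromiumRoots) {
        if ($PSCmdlet.ShouldProcess($root, 'Set DefaultNotificationsSetting=2')) {
            New-Item -Path $root -Force | Out-Null
            Set-ItemProperty -Path $root -Name 'DefaultNotificationsSetting' -Value 2 -Type DWord
            # NotificationsAllowedForUrls is a list policy: numbered string values under a subkey
            $allowKey = Join-Path $root 'NotificationsAllowedForUrls'
            if (Test-Path $allowKey) { Remove-Item -Path $allowKey -Recurse -Force }
            if ($AllowedUrls.Count -gt 0) {
                New-Item -Path $allowKey -Force | Out-Null
                for ($i = 0; $i -lt $AllowedUrls.Count; $i++) {
                    Set-ItemProperty -Path $allowKey -Name "$($i + 1)" -Value $AllowedUrls[$i] -Type String
                }
            }
        }
    }

    # Firefox policy: Permissions\Notifications\BlockNewRequests = 1 stops new prompts;
    # the Allow subkey holds numbered origins that remain permitted.
    $ffKey = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Permissions\Notifications'
    if ($PSCmdlet.ShouldProcess($ffKey, 'Set BlockNewRequests=1')) {
        New-Item -Path $ffKey -Force | Out-Null
        Set-ItemProperty -Path $ffKey -Name 'BlockNewRequests' -Value 1 -Type DWord
        $ffAllow = Join-Path $ffKey 'Allow'
        if (Test-Path $ffAllow) { Remove-Item -Path $ffAllow -Recurse -Force }
        if ($AllowedUrls.Count -gt 0) {
            New-Item -Path $ffAllow -Force | Out-Null
            for ($i = 0; $i -lt $AllowedUrls.Count; $i++) {
                Set-ItemProperty -Path $ffAllow -Name "$($i + 1)" -Value $AllowedUrls[$i] -Type String
            }
        }
    }
}

# Preview the registry changes with -WhatIf first; drop it to apply them.
Set-BrowserNotificationBlock -AllowedUrls @('https://helpdesk.example.internal') -WhatIf
```

Existing per-site grants already stored in user profiles are not removed by these policies; the block applies to new prompts, so pair it with the manual clean-up steps above for machines that were already exposed.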
Dealing with pop-up scams
The fake Windows Defender update is just one case of pop-up spam. With hackers leveraging new attack vectors to gain access to people’s computers, we expect more legitimate push notifications to be abused in the foreseeable future. The good news is you can implement the strategies we’ve listed in this post to protect your system and data from data-stealing malware.
Sources
- How to Stop the Popups, McAfee Labs
- Scareware - Don't Be Scared Right into a Scam, What Is My IP Address