
Windows Push Notifications Used for Fraud

McAfee: Attackers Install Malicious Apps to Harvest Data
Fake update notifications download malware. (Source: McAfee)

Scammers are increasingly using Windows Push Notifications to impersonate legitimate alerts as a first step toward installing malicious Windows applications to harvest user and system information, according to a global report by McAfee.


"Browser push notifications can highly resemble Windows system notifications," the report states. "Scammers are abusing push notifications to trick users into taking action."

In the report, researchers describe the social engineering tactics used to trick victims into installing a fake Windows Defender update.

Rather than sending out emails for a phishing campaign, attackers abuse pop-up notifications, using a fake one that disguises itself with the McAfee name and logo to inform the victim about what is purported to be a Windows Defender update. Clicking on the message leads to various fake websites informing the victim that their McAfee antivirus subscription has expired and that McAfee has detected threats on their system. Or the message provides what purports to be a direct link to purchase a McAfee subscription, according to the report.

In this scam, Remove Ads and similar notification buttons "typically lead to the publisher’s chosen destination rather than anything that would help the user in disabling the popups. Also note that many of the destination sites themselves prompt the user to allow more notifications. This can have a cascading effect where the user is soon flooded with many messages on a regular basis," Craig Schmugar, senior principal engineer at McAfee, wrote in a blog post.

The installed malware is capable of stealing system information. This can include process lists, drive details, serial numbers, and RAM and graphics card details. It can also access application profile data, such as that of Chrome, Exodus wallets, Ethereum wallets, Opera and Telegram Desktop, and user data, such as credit cards.

"While email phishing remains the most favored attack vector by criminals, they are increasingly branching out to other avenues, such as social media, through apps and now Windows Push Notifications, all in the hope that users will click and install malware," says Javvad Malik, security awareness advocate at KnowBe4.

Far-Reaching Implications

"The implications of this are far-reaching," Malik says of the attack technique leveraging Windows Push Notifications. "If users believe a file is legitimate, they will often ignore any security warnings or popups. In some cases, they will even disable security software to facilitate the download. Once that is done, the criminals and scammers have access to do whatever they want - whether that be to deploy ransomware or spend time moving within the victim's organization for other objectives."

"A fake website serves a signed ms-appinstaller (MSIX) package. When the file is downloaded and run, the user is prompted to install a supposed Defender Update from 'Publisher: Microsoft.' After installation, the 'Defender Update' application appears in the start menu like other Windows Apps," the researchers note.

Instead of going to a real update, clicking on the shortcut for the “Defender Update” application tricks the victim into inadvertently downloading a data-stealing Trojan, which can target various applications and information.
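The "Publisher: Microsoft" shown in the App Installer prompt comes from the package manifest's free-text PublisherDisplayName, whereas the Publisher attribute on the Identity element has to match the subject of the signing certificate. The script below is an added example, not code from the McAfee report: it parses a constructed AppxManifest.xml modelled on the scam and flags a package that claims to be Microsoft or Defender while its signing identity is not a trusted publisher. The trusted-publisher string and the sample certificate subject are assumptions, not values taken from the report.

```python
import xml.etree.ElementTree as ET

# Default namespace used by MSIX/AppX manifests.
NS = {"m": "http://schemas.microsoft.com/appx/manifest/foundation/windows10"}

# Constructed sample manifest: the UI-facing PublisherDisplayName says
# "Microsoft", but the Identity Publisher (bound to the signing certificate)
# is an unrelated placeholder CN, not a real certificate subject.
SAMPLE_MANIFEST = """<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="DefenderUpdate" Version="1.0.0.0"
            Publisher="CN=EXAMPLE-UNRELATED-PUBLISHER" />
  <Properties>
    <DisplayName>Defender Update</DisplayName>
    <PublisherDisplayName>Microsoft</PublisherDisplayName>
  </Properties>
</Package>
"""

# Assumed certificate subject for Microsoft's own packages; verify this
# against a package you already trust before relying on it.
MICROSOFT_PUBLISHER = ("CN=Microsoft Corporation, O=Microsoft Corporation, "
                       "L=Redmond, S=Washington, C=US")

# Words in the displayed names that should only appear on trusted identities.
SENSITIVE_TERMS = ("microsoft", "defender", "windows update")


def check_manifest(manifest_xml, trusted_publishers):
    """Return a list of warnings about publisher spoofing in an AppX manifest."""
    root = ET.fromstring(manifest_xml)
    identity = root.find("m:Identity", NS)
    props = root.find("m:Properties", NS)
    publisher = identity.get("Publisher", "") if identity is not None else ""
    shown = props.findtext("m:PublisherDisplayName", "", NS) if props is not None else ""
    app_name = props.findtext("m:DisplayName", "", NS) if props is not None else ""

    warnings = []
    displayed = f"{shown} {app_name}".lower()
    claims_trusted_brand = any(term in displayed for term in SENSITIVE_TERMS)
    if claims_trusted_brand and publisher not in trusted_publishers:
        warnings.append(
            f"display names '{shown}' / '{app_name}' imply a trusted publisher, "
            f"but the signing identity is '{publisher}'")
    return warnings


if __name__ == "__main__":
    for w in check_manifest(SAMPLE_MANIFEST, {MICROSOFT_PUBLISHER}):
        print("WARNING:", w)
```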

Mitigating Risks

The researchers urge organizations to educate staff to carefully read authorization prompts and only click "allow" on trusted sites. They also recommend notification prompts be disabled.

"Scams can be quite convincing. It’s better to be quick to block something and slow to allow than the opposite. When in doubt, initiate the communication yourself," Schmugar notes.

He further recommends that, for Windows Updates, staff should perform a manual check for updates through the start menu or manually enter in a web address rather than clicking any link they receive.


About the Author

Prajeet Nair


Principal Correspondent

Nair is principal correspondent for Information Security Media Group's global news desk. He has previously worked at TechCircle, IDG, Times Group and other publications where he reported on developments in enterprise technology, digital transformation and other issues.



