Full Report
Community Feature - @SteveD3

There has been a noticeable uptick in the number of Fake Anti-Virus (Fake AV) phishing pages in Q1 2022. During his normal daily phishing scans, in the first quarter of this year alone, Steve has collected more than 50 samples targeting users on Windows and Apple devices. As Q2 moves forward, that number has nearly doubled.

https://steved3.io/data/Fake-Anti-Virus-Phishing/2022/03/07/

Steve's post includes a number of IOCs and a running list of domains that are being leveraged in these campaigns. While active security industry pros can easily spot and avoid these scams, the issue is worth using in awareness campaigns and spreading to those outside of security circles.

Curated Intel Community Features are sourced using our Member Content channel on Discord. If you have recently produced a noteworthy piece of writing, a project, a podcast, an infographic or other CTI content, let us know!
Analysis Summary
# Incident Report: Spike in Fake AV Phishing Campaigns (Q1 2022)
## Executive Summary
During Q1 2022, threat intelligence monitoring revealed a significant uptick in the deployment of Fake Anti-Virus (Fake AV) phishing campaigns targeting both Windows and Apple users. While security professionals can typically identify these scams, the high volume of samples collected, with the count nearly doubling into Q2, highlights a persistent risk to the general user base. The response therefore centres on raising security awareness of these social engineering attempts.
## Incident Details
- Discovery Date: Ongoing throughout Q1 2022 (Report published April 6, 2022)
- Incident Date: Q1 2022
- Affected Organization: Undisclosed (General User Base)
- Sector: N/A (Affects general consumers across sectors)
- Geography: Not specified, presumed global based on detection methodology.
## Timeline of Events
### Initial Access
- Date/Time: Q1 2022 (Ongoing activity)
- Vector: Phishing/Social Engineering via Fake AV alerts.
- Details: Attackers deployed numerous Fake AV phishing pages designed to trick users into believing their systems (Windows and Apple devices) are infected.
### Lateral Movement
- Not applicable. This attack type focuses on immediate user interaction (a click or input) rather than traditional network lateral movement.
### Data Exfiltration/Impact
- The primary impact is potential financial extortion (if users pay for fake remediation) or malware installation resulting from user interaction with the deceptive pages. Specific data exfiltration volume is unknown as this is a widespread threat trend report.
### Detection & Response
- Detection: Continuous, daily phishing scans conducted by security researcher SteveD3 detected over 50 unique samples in Q1 2022.
- Response Actions: The findings were compiled and shared publicly to prompt security awareness campaigns.
## Attack Methodology
- Initial Access: **Phishing/Social Engineering.** Use of highly deceptive Fake AV web pages.
- Persistence: Not applicable (campaign-based, relying on user action).
- Privilege Escalation: Not applicable (relies on user falling for the scam).
- Defense Evasion: Unknown, but likely relies on high social engineering effectiveness to bypass user caution.
- Credential Access: Potential, if users enter login details on subsequent malicious pages, though the main goal is likely direct payment or malware installation.
- Discovery: N/A (No mention of attacker reconnaissance).
- Lateral Movement: N/A.
- Collection: N/A (Focus is on prompt interaction).
- Exfiltration: Not the primary observable tactic; the immediate goal is user interaction/payment.
- Impact: End-user deception, potential financial loss, or secondary malware infection.
## Impact Assessment
- Financial: Potential direct financial loss for tricked end-users (payment for fake software).
- Data Breach: Potential exposure of credential or payment information if users input data on subsequent forms.
- Operational: Not reported as impacting organizations, but individual user devices may be compromised or disrupted.
- Reputational: Minimal direct reputational impact on an organization unless a specific entity was impersonated extensively.
## Indicators of Compromise
- **Network indicators:** A running list of domains leveraged in the campaigns was collected by the researcher. (Specific domains/IPs are withheld from this summary as they are actively used in ongoing campaigns.)
- **File indicators:** Not specified in the summary.
- **Behavioral indicators:** Displaying highly realistic, urgent "Anti-Virus Alert" messages to trick users into clicking.
## Response Actions
- Containment: Not applicable at an organizational level; containment relies on user blocking/reporting malicious domains.
- Eradication: Not applicable.
- Recovery: Not applicable.
## Lessons Learned
- The high volume of successful Fake AV phishing pages demonstrates the continued, high-yield efficacy of established social engineering tactics against the general public on both major operating systems (Windows/Apple).
- Tracking and sharing IOCs through community efforts is crucial for early warning.
## Recommendations
- Deploy immediate, targeted security awareness training focused specifically on recognizing Fake AV alerts and browser-based security warnings across the user base.
- Ensure endpoint security solutions are configured to block known malicious domains associated with this threat actor type, using threat intelligence feeds where possible.
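One way to operationalise a researcher's running list of Fake AV domains, as an added example that is not code from Curated Intel or from SteveD3's post: refang the defanged list, validate each entry, check proxy log hosts against it (including subdomains), and report hits. The IoC list and log lines are constructed placeholders, not indicators from the campaign.

```python
import re

# Constructed, defanged sample list in the style of a researcher's running list.
# These are placeholder names, NOT real indicators from the campaign.
SAMPLE_IOC_LIST = """
# Fake AV landing pages (constructed examples)
fakeav-alert-example[.]com
hxxps://security-scan-example[.]net/alert.html
win-defender-warning-example[.]org,
  apple-virus-notice-example[.]com   # trailing comment
not a domain
"""

# Constructed proxy log lines: <client_ip> <host> <path>
SAMPLE_PROXY_LOG = """
10.0.0.12 intranet.example /index.html
10.0.0.17 security-scan-example.net /alert.html
10.0.0.21 cdn.fakeav-alert-example.com /popup.js
10.0.0.30 notfakeav-alert-example.com /
"""

_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

def refang(token: str) -> str:
    """Undo common defanging ([.] and hxxp) and strip scheme, port and path."""
    t = token.strip().strip(",").lower().replace("[.]", ".").replace("(.)", ".")
    t = re.sub(r"^(?:hxxps?|https?)://", "", t)
    return t.split("/")[0].split(":")[0]

def parse_domains(text: str) -> set[str]:
    """Return the set of syntactically valid bare domains from a defanged list."""
    out = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and _DOMAIN_RE.match(refang(line)):
            out.add(refang(line))
    return out

def is_blocked(host: str, blocked: set[str]) -> bool:
    """Match a host against the list, including subdomains of listed domains."""
    parts = host.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in blocked for i in range(len(parts)))

def find_hits(log_text: str, blocked: set[str]) -> list[tuple[str, str]]:
    """Return (client_ip, host) for each proxy log line that hits the blocklist."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and is_blocked(fields[1], blocked):
            hits.append((fields[0], fields[1]))
    return hits
```

The subdomain match catches hosts like `cdn.<listed-domain>` while a lookalike such as `not<listed-domain>` is correctly left alone, so the same list can feed a DNS sinkhole or proxy block rule without over-blocking.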