Ways to Tell if a Website Is Fake

Unfortunately in today’s world, scammers are coming at us from all angles to trick us to get us to part with our hard-earned money. We all need to be vigilant in protecting ourselves online. If you aren’t paying attention, even if you know what to look for, they can get you. There are numerous ways to detect fake sites or emails, phishing, and other scams.

Before we delve into the signs of fake websites, we will first take a closer look at the common types of scam that use websites, what happens when you accidentally access a fake website, and what you can do in case you unknowingly purchased items from it.

What are fake or scam websites?

Fake or scam websites are fraudulent sites that look legitimate while secretly attempting to steal your personal information, money, or account access.

These deceptive platforms masquerade as trustworthy businesses or organizations, sending urgent messages such as popular shopping websites offering fantastic limited-time deals, banking websites requesting immediate account verification, government portals claiming you owe taxes or are eligible for refunds, and shipping companies asking for delivery fees.

The urgency aims to trick you into logging in and sharing sensitive details—credit card numbers, Social Security information, login credentials, and personal data. Once you submit your data, the scammers will steal your identity, drain your accounts, or sell your details to other criminals on the dark web.

These scam websites have become increasingly prevalent because they’re relatively inexpensive to create and can reach millions of potential victims quickly through email and text campaigns, social media ads, and search engine manipulation.

Cybersecurity researchers and consumer protection agencies discover these fraudulent sites through various methods, including monitoring suspicious domain registrations, analyzing reported phishing attempts, and tracking unusual web traffic patterns. According to the FBI’s Internet Crime Complaint Center, losses from cyber-enabled fraud amounted to $13.7 billion, with fake websites representing a significant portion of these losses.

Consequences of visiting a fake website

Visiting a fake website, accidentally or intentionally, can expose you to several serious security risks that can impact your digital life and financial well-being:

• Credential theft: Scammers can capture your login information through fake login pages that look identical to legitimate sites. Once they have your username and password, they can access your real accounts and steal personal information or money.
• Credit card fraud: When you enter your bank or credit card details on fraudulent shopping or fake service portals, scammers can use your payment information for unauthorized purchases or sell these to other criminals on the dark web.
• Malware infection: Malicious downloads, infected ads, or drive-by downloads may happen automatically when you visit certain fake sites. These, in turn, can steal personal files, monitor your activity, or give criminals remote access to your device.
• Identity theft: Fake sites can collect personal information like Social Security numbers, addresses, or birthdates through fraudulent forms or surveys.
• Account takeovers: Criminals can use stolen credentials to access your email, banking, or social media accounts, potentially locking you out and using your accounts for further scams.

Common types of scam websites

Scammers use different tricks to make fake websites look real, but most of them fall into familiar patterns. Knowing the main types of scam sites helps you recognize danger faster. This section lists the most common categories of scam websites, how they work, and the red flags that give them away before they can steal your information or money.

• Fake shopping stores: These fraudulent e-commerce sites steal your money and personal information without delivering products. They offer unrealistic discounts (70%+ off), have no customer service contact information, or accept payments only through wire transfers or gift cards. These sites often use stolen product images and fake customer reviews to appear legitimate.
• Phishing login pages: These sites mimic legitimate services such as banks, email providers, or social media platforms to harvest your credentials. Their URLs that don’t match the official domain, such as “bankofamerica-security.com” instead of “bankofamerica.com” Their urgent messages claim your account will be suspended unless you log in immediately.
• Tech support scam sites: These fake websites claim to detect computer problems and offer remote assistance for a fee. They begin with a pop-up ad with a loud alarm to warn you about viruses, provide you with phone numbers to call “immediately,” or request remote desktop access from unsolicited contacts.
• Investment and crypto sites: These sites guarantee incredible returns on cryptocurrency or investment opportunities, feature fake celebrity endorsements, or pressure you to invest quickly before a “limited-time opportunity” expires.
• Giveaway and lottery pages: You receive notifications with a link to a page that claims you’ve won prizes In contests you never entered, but require upfront fees or personal information to receive them. They will request bank account details to “process your winnings” or upfront processing fees.
• Shipping and parcel update portals: These usually come in the form of tracking pages that mimic delivery services such as USPS, UPS, or FedEx to steal personal information or payment details. The pages ask for immediate payment to release and deliver the packages, or for login credentials to accounts you don’t have with that carrier.
• Malware download pages: These ill-intentioned sites offer “free” but uncertified software, games, or media files that contain harmful code to infect your device once you click on the prominent “Download” button.
• Advance fee and loan scams: These sites guarantee approved loans or financial services regardless of your credit score. But first you will have to post an upfront payment or processing fees before any actual assistance is rendered.

Understanding these common scam types helps you recognize fake sites before they can steal your information or money. When in doubt, verify legitimacy by visiting official websites directly through bookmarks or search engines rather than clicking suspicious links.

For the latest warnings and protection guidance, check resources from the Federal Trade Commission and the FBI’s Internet Crime Complaint Center.

Recognize a fake site

You can protect yourself by learning to recognize the warning signs of fake sites. By understanding what these scams look like and how they operate, you’ll be better equipped to shop, bank, and browse online with confidence. Remember, legitimate companies will never pressure you to provide sensitive information through unsolicited emails or urgent pop-up messages.

1. Mismatched domain name and brand: The website URL doesn’t match the company name they claim to represent, like “amazoon-deals.com” instead of “amazon.com.” Scammers use similar-looking domains to trick you into thinking you’re on a legitimate site.
2. Spelling mistakes and poor grammar: Legitimate businesses invest in professionally created content to ensure clean and error-free writing or graphics. If you are on a site with multiple typos, awkward phrasing, or grammatical errors, these indicate that it was hastily created and not thoroughly reviewed like authentic websites.
3. Missing or invalid security certificate: The site lacks “https://” in the URL or shows security warnings in your browser. Without proper encryption, any information you enter can be intercepted by criminals.
4. Fantastic deals: Look out for prices that are dramatically low—like designer items at 90% off or electronics at impossibly low costs. Scammers use unrealistic bargains to lure victims into providing payment information.
5. High-pressure countdown timers: The site displays urgent messages such as “Only 2 left!” or countdown clocks with limited-time offers that reset when you refresh the page. These fake urgency tactics push you to make hasty decisions without proper research.
6. No physical address, contact information, legitimate business details: The site provides only an email address or contact form. In the same vein, any email address they provide may look strange like northbank@hotmail.com. Any legitimate business will not be using a public email account such as Hotmail, Gmail, or Yahoo.
7. Missing or vague return policy: Legitimate businesses want satisfied customers and provide clear policies for returns and exchanges. Scams, however, cannot provide clear refund policies, return instructions, or customer service information.
8. Stolen or low-quality images: Scammers often steal images from legitimate sites without permission, making their product photos look pixelated, watermarked, or inconsistent in style and quality.
9. Fake or generic reviews: Authentic reviews include specific details and a mix of ratings and comments. On fake websites, however, customer reviews are overly positive with generic language, posted on the same dates, or contain similar phrasing patterns.
10. Limited payment options: Legitimate businesses offer secure payment options with buyer protection. Fake websites, however, only accept wire transfers, cryptocurrency, gift cards, or other non-reversible or untraceable payment methods.
11. Recently registered domain: The website was created very recently—often just days or weeks ago, whereas established businesses typically have older, stable web presences.
12. Fake password: If you’re at a fake site and type in a phony password, the fake site is likely to accept it.

Recognize phishing, SMiShing, and other fake communications

Most scams usually start out from social engineering tactics such as phishing, smishing, and fake social media messages with suspicious links, before leading you to a fake website.

From these communications, the scammers impersonate legitimate organizations before finally executing their malevolent intentions. To avoid being tricked, it is essential to recognize the warning signs wherever you encounter them.

Email phishing red flags

Fake emails are among the most common phishing attempts you’ll encounter. If you see any of these signs in an unsolicited email, it is best not to engage:

• One way to recognize a phishing email is by its opening greeting. A legitimate email from your real bank or business will address you by name rather than a generic greeting like “Valued Customer” or something similar.
• In the main message, watch for urgent language like “Act now!” or “Your account will be suspended immediately.” Legitimate organizations rarely create artificial urgency around routine account matters. Also pay attention to the sender’s email address. Authentic companies use official domains, not generic email services like Gmail or Yahoo for business communications.
• Be suspicious of emails requesting your credentials, Social Security number, or other sensitive information. Banks and reputable companies will never ask for passwords or personal details via email.
• Look closely at logos and formatting. Spoofed emails often contain low-resolution images, spelling errors, or slightly altered company logos that don’t match the authentic versions.

SMS and text message scams

Smishing messages bear the same signs as phishing emails and have become increasingly sophisticated. These fake messages often appear to come from delivery services, banks, or government agencies. Common tactics include fake package delivery notifications, urgent banking alerts, or messages claiming you’ve won prizes or need to verify account information.

Legitimate organizations typically don’t include clickable links in unsolicited text messages, especially for account-related actions. When in doubt, don’t click the link—instead, open your banking app directly or visit the official website by typing the URL manually.

Social media phishing

Social media platforms give scammers new opportunities to create convincing fake profiles and pages. They might impersonate customer service accounts, create fake giveaways, or send direct messages requesting personal information. These fake sites often use profile pictures and branding that closely resemble legitimate companies.

Unusual sender behavior is another indicator of a scam across all platforms. This includes messages from contacts you haven’t heard from in years, communications from brands you don’t typically interact with, or requests that seem out of character for the supposed sender.

Examples of fake or scam websites

Scammers have become increasingly cunning in creating fake websites that closely mimic legitimate businesses and services. Here are some real-life examples of how cybercriminals use fake websites to victimize consumers:

USPS-themed scams and websites

Scammers exploit your trust in the United States Postal Service (USPS), designing sophisticated fake websites to steal your personal information, payment details, or money. They know you’re expecting a package or need to resolve a delivery issue, making you more likely to enter sensitive information without carefully verifying the site’s authenticity.

USPS-themed smishing attacks arrive as text messages stating your package is delayed, undeliverable, or requires immediate action. Common phrases include “Pay $1.99 to reschedule delivery” or “Your package is held – click here to release.”

Common URL tricks in USPS scams

Scammers use various URL manipulation techniques to make their fake sites appear official. Watch for these red flags:

• Misspelled domains: Sites like “uspps.com,” “uspo.com,” or “us-ps.com” instead of the official “usps.com”
• Extra characters: URLs containing hyphens, numbers, or additional words like “usps-tracking.com” or “usps2024.com”
• Different extensions: Domains ending in .net, .org, .info, or country codes instead of .com
• Subdomain tricks: URLs like “usps.fake-site.com” where “usps” appears as a subdomain rather than the main domain
• HTTPS absence: Legitimate USPS pages use secure HTTPS connections, while some fake sites may only use HTTP

Verify through official USPS channels

Always verify package information and delivery issues through official USPS channels before taking any action on suspicious websites or messages:

• Official USPS website: Report the incident directly to usps.com by typing the URL into your browser rather than clicking links from emails or texts. Use the tracking tool on the homepage to check your package status with the official tracking number.
• Official USPS mobile app: The USPS mobile app, available from official app stores, provides secure access to tracking, scheduling, and delivery management. Verify that you are downloading from USPS by checking the publisher name and official branding.
• USPS customer service: If you receive conflicting information or suspect a scam, call USPS customer service at 1-800-ASK-USPS (1-800-275-8777) to verify delivery issues or payment requests.
• Your local post office: When you need definitive verification, speak with postal workers at your local USPS location who can access your package information directly in their systems.

Where and how to report fake USPS websites

Reporting fake USPS websites helps protect others from falling victim to these scams and assists law enforcement in tracking down perpetrators.

• Report to USPS: Forward suspicious emails to the United States Postal Inspection Service and report fake websites through the USPS website’s fraud reporting section. The postal inspection service investigates mail fraud and online scams targeting postal customers.
• File with the Federal Trade Commission: Report the fraudulent website at ReportFraud.ftc.gov, providing details about the fake site’s URL, any money lost, and screenshots of the fraudulent pages.
• Contact the Federal Bureau of Investigation: Submit reports through the FBI’s Internet Crime Complaint Center, especially if you provided personal information or lost money to the scam.
• Alert your state attorney general: Many state attorneys general offices track consumer fraud and can investigate scams targeting residents in their jurisdiction.

Remember that legitimate USPS services are free for standard delivery confirmation and tracking. Any website demanding payment for basic package tracking or delivery should be treated as suspicious and verified through official USPS channels before providing any personal or financial information.

Tech support pop-up ads scams

According to the Federal Trade Commission, tech support scams cost Americans nearly $1.5 billion in 2024. These types of social engineering attacks are increasingly becoming sophisticated, making it more important than ever to verify security alerts through official channels.

Sadly, many scammers are misusing the McAfee name to create fake tech support pop-up scams and trick you into believing your computer is infected or your protection has expired and hoping you’ll act without thinking.

These pop-ups typically appear while you’re browsing and claim your computer is severely infected with viruses, malware, or other threats. They use official-looking McAfee logos, colors, and messaging to appear legitimate to get you to call a fake support number, download malicious software, or pay for unnecessary services.

Red flags of fake McAfee pop-up

Learning to detect fake sites and pop-ups protects you from scam. Be on the lookout for these warning signs:

• Offering phone numbers to call immediately: Legitimate McAfee software never displays pop-ups demanding you call a phone number right away for virus removal.
• Requests for remote access: Authentic McAfee alerts won’t ask you for permission to remotely control your computer to “fix” issues.
• Immediate payment demands: Real McAfee pop-ups don’t require instant payment to resolve security threats.
• Countdown timers: Fake alerts often include urgent timers claiming your computer will be “locked” or “damaged” if you don’t act immediately.
• Poor grammar and spelling: Many fraudulent pop-ups contain obvious spelling and grammatical errors.
• Browser-based alerts: Genuine McAfee software notifications appear from the actual installed program, not through your web browser.

Properly close a McAfee-themed pop-up ad

If you see a suspicious pop-up claiming to be from McAfee, here’s exactly what you should do:

1. Close the tab immediately: Don’t click anywhere on the pop-up, not even the “X” button, as this might trigger malware downloads.
2. Use keyboard shortcuts: Press Ctrl+Alt+Delete or Command+Option+Escape (Mac) to force-close your browser safely.
3. Don’t call any phone numbers: Never call support numbers displayed on the pop-ups, as these connect you directly to scammers.
4. Avoid downloading software: Don’t download any “cleaning” or “security” tools offered through pop-ups.
5. Clear your browser cache: After closing the pop-up, clear your browser’s cache and cookies to remove any tracking elements.

Verify your actual McAfee protection status

To check if your McAfee protection is genuinely active and up-to-date:

• Open your installed McAfee software directly: Click on the McAfee icon in your system tray or search for McAfee in your start menu.
• Visit the official McAfee website: Go directly to mcafee.com by typing it into your address bar.
• Log into your McAfee account: Check your subscription status through your official McAfee online account.
• Use the McAfee mobile app: Download the official McAfee Mobile Security app to monitor your protection remotely.

Remember, legitimate McAfee software updates and notifications come through the installed program itself, not through random browser pop-ups. Your actual McAfee protection works quietly in the background without bombarding you with alarming messages.

Crush fake tech support pop-ups

Stay protected by trusting your installed McAfee software and always verifying security alerts through official McAfee channels such as your installed McAfee dashboard or the official website.

1. Close your browser safely. If you see a fake McAfee pop-up claiming your computer is infected, don’t click anything on the pop-up. Instead, close your browser completely using Alt+F4 (Windows) or Command+Q (Mac). If the pop-up does not close, open Task Manager (Ctrl+Shift+Esc) and end the browser process. This prevents any malicious scripts from running and stops the scammers from accessing your system.
2. Clear browser permissions. Fake security pop-ups often trick you into allowing notifications that can bombard you with more scam alerts. Go to your browser settings and revoke notification permissions for suspicious sites. In Chrome, go to Settings > Privacy and Security > Site Settings > Notifications, then remove any unfamiliar or suspicious websites from the allowed list.
3. Remove suspicious browser extensions. Malicious extensions can generate fake McAfee alerts and redirect you to scam websites. Check your browser extensions by going to the extensions menu and removing any you don’t recognize or didn’t intentionally install.
4. Reset your browser settings. If fake pop-ups persist, reset your browser to its default settings to remove unwanted changes made by malicious websites or extensions, while preserving your bookmarks and saved passwords. In most browsers, you can find the reset option under Advanced Settings.
5. Run a complete security scan. Use your legitimate antivirus software to perform a full system scan. If you don’t have security software, download a reputable program from the official vendor’s website only, such as McAfee Total Protection, to detect and remove any malware that might be generating the fake pop-ups.
6. Update your operating system and browser. Ensure your device has the latest security and web browser updates installed, which often include patches for vulnerabilities that scammers exploit. Enable automatic updates to stay protected against future threats.
7. Review and adjust notification settings. Configure your browser to block pop-ups and block sites from sending you notifications. You could be tempted to allow some sites to send you alerts, but we suggest erring on the side of caution and just block all notifications.

Steps to take if you visited or purchased from a fake site

Be prepared and know how to respond quickly when something doesn’t feel right. If you suspect you’ve encountered a fake website, trust your instincts and take these protective steps immediately.

1. Disconnect immediately: Close your browser by using Alt+F4 (Windows), Ctrl + W (Chrome), or Command+Q (Mac) on your keyboard.
2. Run a comprehensive security scan: If you suspect a virus or malware, disconnect from the internet to prevent data transmission. Conduct a full scan using your antivirus software to detect and remove any potential threats that may have been downloaded.
3. Contact your credit card issuer: Call the number on the back of your card and report the fraudulent charges for which you can receive zero liability protection. Card companies allow up to 60 days for charge disputes under federal law and can refund payments made to the fake store. Consider requesting a temporary freeze on your account while the investigation proceeds.
4. Cancel your credit card: Request a replacement card with a new number to give you a fresh start. Your card issuer can expedite the request if needed, often within 24-48 hours.
5. Document everything thoroughly: Save all emails, receipts, order confirmations, and screenshots of the fake website before it potentially disappears. This documentation will be crucial for your chargeback and insurance claims, and any legal proceedings.
6. Update passwords on other accounts: Scammers often test stolen credentials across multiple platforms, so if you reused the same password on the fake site that you use elsewhere, change those passwords immediately. Enable two-factor authentication on important accounts like email, banking, and social media.
7. Stay alert for follow-up scams: Scammers may attempt to contact you via phone, email, or text claiming to “resolve” your situation through fake shipping notifications, additional payments to “release” your package, or “refunds” on your money in exchange for personal information.
8. Monitor your credit and financial accounts. Keep a close eye on your bank and credit card statements for several months and place a fraud alert on your credit reports through one of the three major credit bureaus—TransUnion, Equifax, and Experian. Consider a credit freeze for maximum protection.
9. Check for legitimate alternatives. If you were trying to purchase a specific product, research authorized retailers or the manufacturer’s official website. Verify business credentials, secure payment options, and return policies before making new purchases.

Report a scam website, email, or text message

• Federal Trade Commission: Report fraudulent websites to the FTC, which investigates consumer complaints and uses this data to identify patterns of fraud and take enforcement action against scammers.
• FBI’s Internet Crime Complaint Center: Submit detailed reports to the ICc3 for suspected internet crimes. IC3 serves as a central hub for reporting cybercrime and coordinates with law enforcement agencies nationwide.
• State Attorney General: If the fake store claimed to be located in your state, consider reporting to your state attorney general’s office, as these have dedicated fraud reporting systems and can take action against businesses operating within state boundaries. Find your state’s reporting portal through the National Association of Attorneys General website.
• Domain registrar, hosting provider, social media: Look up the website’s registration details using a WHOIS tool, then report abuse to both the domain registrar and web hosting company. Most providers have dedicated abuse reporting emails and will investigate violations of their terms of service. If the fake page is on social media, you can report it to the platform to protect other consumers.
• Search engines: Report fraudulent sites to Google through their spam report form and to Microsoft Bing via their webmaster tools to prevent the fake sites from appearing in search results.
• The impersonated brand: If scammers are impersonating a legitimate company, report directly to that company’s fraud department or customer service. Most brands have dedicated channels for reporting fake websites and will work to shut them down.
• Share your experience to protect others: Leave reviews on scam-reporting websites such as the Better Business Bureau’s Scam Tracker or post about your experience on social media to warn friends and family. Your experience can help others avoid the same trap and contribute to the broader fight against online fraud.
• Essential evidence to gather:

• • Full website URL and any redirected addresses
  • Screenshots of the fraudulent pages, including fake logos or branding
  • Transaction details, if you made a purchase (receipts, confirmation emails, payment information)
  • Email communications from the scammers
  • Date and time when you first encountered the site
  • Any personal information you may have provided

• Additional reporting resources: The CISA maintains an updated list of reporting resources while the Anti-Phishing Working Group investigates cases of the fake sites that appear to be collecting personal information fraudulently. For text message scams, forward the message to 7726 (SPAM).

Final thoughts

Recognizing fake sites and emails becomes easier with practice. The key is to trust your instincts—if something feels suspicious or too good to be true, take a moment to verify through official channels. With the simple verification techniques covered in this guide, you can confidently navigate the digital world and spot fake sites and emails before they cause harm.

Your best defense is to make these quick security checks a regular habit—verify URLs, look for secure connections, and trust your instincts when something feels off. Go directly to the source or bookmark your most-used services and always navigate to them. Enable two-factor authentication on important accounts, and remember that legitimate companies will never ask for sensitive information via email. Maintaining healthy skepticism about unsolicited communications will protect not only your personal information but also help create a safer online environment for everyone.

For the latest information on fake websites and scams and to report them, visit the Federal Trade Commission’s scam alerts or the FBI’s Internet Crime Complaint Center.

The post Ways to Tell if a Website Is Fake appeared first on McAfee Blog.

The holidays are the season of giving; unfortunately, it’s also the season when scammers try to cash in on the spirit of generosity

If you’re seeing a heartfelt charity ad on social media, a touching email, or a surprise text asking you to donate, it’s worth pausing for a moment. Is it genuine charity—or a scam built to tug at your heartstrings?

The good news: staying safe doesn’t mean stopping your generosity. With a few quick checks, you can give confidently and protect yourself.

What is charity fraud?

Charity fraud is when scammers pose as legitimate nonprofits—or misuse the name of a real charity—to trick people into donating money or giving away personal information.

In some cases, the organization is completely fake. In others, it’s a real charity that uses donations in misleading or unethical ways, passing very little money to the actual cause.

Type 1: Fully fake charities

The first type involves flat-out fraud, where the organization is a front for a scam, through and through. Any money you give goes straight into the scammer’s pocket. As does your personal and payment info, which can lead to further fraud.

Type 2: Low impact “charities”

These are real, registered charities. But They keep the majority of donations for overhead instead of helping the cause.

This second type often involves questionable practices by the organization. According to the Better Business Bureau, reputable organizations keep 35% or less of their funds for operations.

Meanwhile, some less-than-reputable organizations keep up to 95% of funds, leaving only 5% for advancing the cause they advocate. (For a closer look at some examples, the independent watchdog group Charity Watch published a blog highlighting some of the worst charities they audited in 2024.)

Common to both, they’ll indeed play on your emotions, and they’ll urge you to donate now. As it is with so many scams and shady deals on the internet, you’ll find a sense of urgency central to their message.

How to spot a charity scam

1. Look for a dot-org domain

For starters, reputable charities often have dot-org as their domain extension—versus dot-com or any one of the hundreds of permutations available today.

2. Research the organization

Charities leave a paper trail, one that can get audited. And fake ones won’t leave a trail at all. With a quick look at some reputable online resources, you can quickly find out if the charity you want to support is legit.

In the U.S., the Federal Trade Commission (FTC) has a site full of resources so that you can make your donation truly count. Resources like Charity Watch and Charity Navigator, along with the BBB’s Wise Giving Alliance can also help you identify the best charities. You can also look up a charity’s Form 990 tax return online.

3. Take your time

This goes hand-in-hand with the above. If you feel like you’re getting rushed to donate, it could be a sign of a scam. Step back and indeed do your research with a few clicks to the resources listed above.

4. Pay with a credit card

This protects you in two ways. If you fall victim to a scam, you can contest the charges with your credit card company. And if a scammer tries to use your card again for other purchases, you can contest those too. Also, in the U.S., credit cards offer you additional protection that debit cards don’t. That’s thanks to the Fair Credit Billing Act (FCBA). It limits your liability to $50 for fraudulent charges on a credit card if you report the loss to your issuer within 60 days.

5. Avoid sketchy payment methods

The following is a sure-fire red flag: requests for payment in cash, gift cards, cryptocurrency, or wire transfers. Don’t ever use these forms of payment for charities, let alone anything else online.

6. Donate directly

Better yet, donate directly. Rather than respond to calls, ads, emails or texts, donate on your terms. After you give your possible donation some time and thought, you can go directly to the website of a charitable organization that you’ve researched.

And here’s how McAfee can help you stay safer still.

Get a scam detector. You can combine your healthy skepticism and awareness with the right technology, like our Scam Detector and Web Protection.

Both will alert you if a link you received might take you to a sketchy site. It’ll also block those sites if you accidentally tap or click on a bad link.

Clean up your personal info online. Scams over email, phone, and text all require the same thing: your contact info.

In many cases, scammers get it from data broker sites. Data brokers buy, collect, and sell detailed personal info, which they compile from several public and private sources, such as local, state, and federal records, plus third parties like supermarket shopper’s cards and mobile apps that share and sell user data.

Moreover, they’ll sell it to anyone who pays for it, including people who’ll use that info for scams. You can help reduce those scam texts and calls by removing your info from those sites. Our Personal Data Cleanup scans some of the riskiest data broker sites and shows you which ones are selling your personal info.

Monitor your identity and credit. The problem with many scams is that you only find out about it once the damage is done, like when a scammer uses your phished card number to make additional purchases in your name.

Actively monitoring your identity and credit can spot a problem before it becomes an even bigger one. You can take care of both easily with our credit monitoring and identity monitoring.

Additionally, our identity theft coverage can help if the unexpected happens with up to $2 million in identity theft coverage and identity restoration support if determined you’re a victim of identity theft.​

You’ll find these protections, and plenty more, in McAfee+.

A safe way to support the fight against cybercrime

If you want to give back and help protect people from online fraud, McAfee has partnered with Fight Cyber Crime, a legitimate U.S. nonprofit dedicated to helping victims of online scams.

You might remember them from our Scam Stories partnership earlier this year, sharing real stories from real scam victims to raise awareness about threats facing us every day on and offline.

Why we recommend them

• They provide free support and recovery guidance to scam victims.
• They raise nationwide awareness about cybercrime.
• They’re a vetted, established organization doing real work in online safety.

How you can help

Visit their site to learn more or make a donation: https://fightcybercrime.org/about/donate/

Supporting validated charities like Fight Cyber Crime is one way to make a real impact this holiday season—without putting yourself at risk.

The post How to Spot Charity Scams and Donate Safely this Giving Season appeared first on McAfee Blog.

Many content creators highlight the differences between today’s most prominent generations: the Silent Generation, baby boomers, Generation X, millennials, and Generations Z and Alpha. No generation seems to have much in common with the others. In truth, there is something that people can agree on: identity and online privacy protection. Young or old, cybercriminals don’t discriminate against who they target. In fact, some generations are more prone to certain scams than others. Educating yourself and your family members on current cyberthreats is the first step to defending against them. In this guide, we’ll take a look at how to protect every age group from online threats.

Family protection matters

Your family faces an onslaught of online threats that didn’t exist just a decade ago, and growing. The FBI’s 2024 Internet Crime Report shows that Americans alone lost over $18 billion to cybercrime since 2020. That’s why protecting your family entails more than just antivirus software. Digital protection now encompasses safeguarding your household’s online privacy, monitoring for identity threats, and securing every family device that connects to the internet. This is how risks impact different family members differently:

• Your children and teens, 97% of whom own a smartphone, face vulnerabilities through social media platforms, gaming networks, and school devices. They’re naturally curious and trusting, making them prime targets for social engineering scams disguised as friend requests or free game downloads.
• Adults in your household juggle multiple online responsibilities—banking, shopping, work communications, and managing family accounts. The rush of daily life can make you more susceptible to phishing emails that look legitimate or malicious links embedded in seemingly innocent messages.
• Senior family members often become targets because they may be less familiar with evolving online scams. In 2024, the FTC received 147,127 complaints from adults aged 60 years and above, resulting in $4.8 billion in losses. But since many of these incidents go unreported, that figure may actually go as high as $61.5 billion.

Depending on the age group, criminals adapt their tactics based on who they’re targeting. With the right protection, you can expand your family’s digital life with confidence. When you have the right safeguards in place, your family can fully embrace the incredible opportunities that technology offers. Your kids can safely research school projects, your teens can connect with friends responsibly, and you can manage your household efficiently online. The most effective digital safety approach is to create a safety net with layered protection, one that works across all your devices and considers each family member’s technology usage—whether that’s helping your teenager safely explore career interests online, ensuring your online banking stays secure, or giving grandparents peace of mind when video chatting with distant relatives. This means combining real-time threat detection, safe browsing tools, identity monitoring, and secure connections through a virtual private network.

Distinct protections per age group

No two generations use technology the same way—and cybercriminals know it. Children, teens, adults, and seniors each face unique digital risks shaped by their habits, confidence levels, and online environments. That’s why effective cybersecurity isn’t one-size-fits-all. Tailoring protection to each age group ensures that everyone—from curious kids to tech-savvy adults—can navigate the digital world safely and confidently.

Safeguard childhood

Cybercriminals can buy Social Security Numbers (SSNs) of minors on the dark web or gather them through medical records or school system breaches. SSNs are valuable to a cybercriminal because the theft can go undetected for years since children aren’t yet opening credit cards or applying for mortgages. It’s never too early to start identity monitoring. For the same reason, you might consider putting a credit freeze on behalf of your child since they won’t be needing it for several years. A credit freeze makes your child’s credit inaccessible to everyone, including criminals, and won’t negatively affect their credit score.

Digital safety with tween and teen independence

Once your child becomes a teenager, they can be allowed to open their first email addresses and social media profiles independently. It’s an important life lesson in organization, responsibility, and digital literacy. However, these platforms could open them to risks such as cyberbullying, fake news, and social engineering. The best way to avoid being cyberbullied is through education. Ensure that your tweens and teens who spend unsupervised time on their devices know what to do if they encounter cyberbullying. The best course of action is to report the incident to an adult and, in the meantime, to suspend their accounts.

Prepare the seniors

Cybercriminals often seek out seniors as easy targets for online scams because they are typically less digitally savvy. They may not realize that some emails in their inbox could be sent by someone with bad intentions. What can start out as a friendly email pal can quickly spiral into divulging sensitive personal information or sending huge sums of money to a criminal. The best way to prepare the seniors in your life for online safety is to impart a few, easy-to-follow absolutes. Start with these three rules:

• Never tell anyone your password. Your bank, tax filing service, nor the IRS will ever need it.
• Never divulge your SSN over email.
• Never send money to a stranger, no matter how much their “sob story” tugs at your heartstrings.

Manage what’s right for your family online

Creating a safer digital environment for your children doesn’t require you to become a tech expert. With the right approach and tools, you can establish healthy digital boundaries that protect your children while allowing them to enjoy the benefits of our connected world.

Start with open conversation

Before implementing any technical measures, have honest discussions with your family about online safety to build trust and help you recognize each family member’s digital journey. Explain that protective measures will not restrict freedom, but reduce risks such as phishing attempts, malware infections, and exposure to inappropriate content.

Create a family technology agreement

A family tech agreement serves as your household’s digital constitution. Work together to establish rules about screen time, appropriate websites, social media use, and consequences for breaking agreements, including guidelines about sharing personal information, downloading apps, and what to do if they encounter something concerning online.

Enable parental controls

Most devices and platforms offer robust parental control features. iOS devices’ Screen Time and Android’s Family Link allow you to set app limits and content restrictions, while Windows and macOS can filter content and set time limits. The Federal Communications Commission recommends router-level filtering as the first line of defense because it automatically protects all devices connected to your network.

Set up app and content filters

Configure age-appropriate content filters on streaming services, gaming platforms, and app stores. Netflix, Disney+, and other services allow you to create child-friendly profiles with content restrictions, while gaming consoles like PlayStation, Xbox, and Nintendo Switch include comprehensive parental controls for game ratings, online interactions, and spending limits. For web browsing, enable SafeSearch on Google, Bing, and other search engines to create clarity and keep harmful content from appearing in search results.

Optimize privacy settings across platforms

Because social media platforms often favor data collection over privacy, it is critical that you adjust privacy settings on all social media accounts and apps your family uses. Turn off location sharing and disable targeted advertising when possible, and limit who can contact your children online. To reduce younger children’s exposure to social engineering attempts and inappropriate contact from strangers, make their profiles private by default and require approval for new followers or friend requests.

Deploy safe browsing tools

Your teen could be so focused on downloading a “free” TV or video game that they may not recognize the signs of malicious sites such as typos, blurry logos, or incredible offers. Trustworthy safe browsing extensions and software could protect your teen from these unsafe downloads, as well as from risky websites, hidden malware, phishing, and social media bots. Safe browsing extensions could teach your family members to develop better security instincts when they see warnings about suspicious URLs, poor website design, and too-fantastic offers.

Make protection age-appropriate

Tailor your approach to each family member’s age, digital maturity, and comfort level with technology. Younger children will need more restrictive settings and closer supervision, while teenagers are more open when they understand the reason behind the rules and can have some autonomy with clear consequences for misuse.

Regular check-ins and updates

As technology evolves, ongoing conversation about responsible usage will allow you to address new apps, games, or websites your family wants to explore. Set a monthly family meeting to discuss online experiences, review your technology agreement, and adjust settings as needed. When you implement these strategies consistently, your family will experience fewer security incidents, reduced exposure to inappropriate content, and better digital habits overall. These tools and strategies work best when combined with ongoing communication and a family culture that prioritizes both digital exploration and safety. In addition, children who grow up with these protections develop stronger security awareness and are less likely to fall victim to online scams as they become more independent digital users.

Mindfulness is safety

As an adult, you typically have better street smarts than teens. However, the daily rush of juggling work, social obligations, and running a household could leave you without much time to spare, even for romance. As a result, living life in the fast lane makes you more susceptible to scams, phishing, malware, and computer viruses. The best way to prevent falling for these digital threats is this: slow down! Take your time when you receive any message from someone you don’t know or have never met in person. If you feel even an iota of suspicion, don’t engage with the sender. Delete the message. If it’s important, the person or organization will follow up. To fully protect your connected devices and the personally identifiable information they store, consider investing in safe browsing, antivirus software, and identity monitoring and restoration services to catch any threats that may have passed under your watchful eye.

Modern antivirus for today’s cyberthreats

While you might think your devices are already secure, modern cyberthreats have evolved to become more virulent, far beyond what traditional built-in protections can handle. In response, antivirus solutions have transformed into intelligent security systems that provide comprehensive, real-time protection using behavioral analysis, machine learning, and cloud-based threat detection. These advanced technologies actively identify and block phishing attacks, malware, ransomware, and malicious websites that traditional security measures often miss. While operating systems such as Windows and macOS include basic security features, they’re designed as general safeguards rather than comprehensive family protection solutions. Built-in protections typically focus on known threats, but do not detect zero-day attacks, sophisticated phishing schemes, or emerging malware variants that cybercriminals specifically design to evade standard defenses. Consider these daily family scenarios where your teenager brings home their school laptop. It may have been exposed to threats through shared networks or downloads from classmates. That family tablet everyone uses for streaming and games becomes a potential entry point for malicious apps or compromised websites. When you connect to public Wi-Fi at the coffee shop, airport, or hotel during family travel, you’re exposing your devices to network-based attacks that built-in protections weren’t designed to handle. Your modern family needs a comprehensive antivirus solution that monitors all your family’s devices continuously, learns each member’s online behavior patterns, and adapts its protection accordingly. This means blocking that suspicious email before your spouse clicks on it, preventing your child from accidentally downloading malware disguised as a game, and ensuring your smart home devices remain secure. The best value comes from bundled services that address your family’s complete digital life. Identity monitoring services watch for signs that your family members’ personal information has been compromised in data breaches. A family VPN service encrypts your internet connection, protecting sensitive information when family members use public Wi-Fi networks for school projects, work calls, or entertainment. This integrated protection works seamlessly not just to protect individual devices, but to safeguard your entire family’s digital ecosystem. With cybercrime damages projected to continue growing significantly each year, investing in comprehensive family protection is one of the smartest decisions you can make for your household’s digital well-being.

The ultimate protection plan

Get the whole family committed to safer and more private online lives with the help of McAfee+ Ultimate Family Plan. This plan covers up to six individuals in your family with an entire suite of comprehensive privacy, identity, and device security features. The plan also includes preventive measures to fight online crime, such as safe browsing tools, an advanced firewall, unlimited VPN, and antivirus software for unlimited devices. Your family can also receive up to $2 million in identity theft recovery and $50,000 in ransomware coverage. With the McAfee+ Ultimate Family Plan, device security extends across unlimited computers, smartphones, and tablets, while its advanced antivirus software automatically updates to defend you against the latest threats. Safe browsing tools block malicious websites before they can cause harm, and the unlimited VPN encrypts internet connections on public networks, while the built-in firewall monitors incoming and outgoing traffic. All your family’s login credentials on all devices will be secure with password management, while secure cloud storage protects important documents and family photos. Real-time alerts notify you immediately when scams are detected or suspicious activity occurs.

Protection tailored for every family member

Every family member faces different online risks, shaped by their age, habits, and digital experience. Children need safeguards against identity theft and unsafe content, while teens require protection that balances independence with security. Adults juggle multiple connected accounts that demand advanced monitoring, and seniors benefit from simplified defenses against scams and fraud. A one-size-fits-all approach no longer works. The McAfee+ Ultimate Family Plan effectively adapts to each person’s unique digital life, ensuring that everyone stays safe, confident, and connected online:

• Your young children’s Social Security Numbers will be monitored for misuse, while your teens will be protected from risky downloads and phishing attempts and still maintain their online autonomy.
• The adults in your family will benefit from comprehensive identity theft protection that monitors credit reports, bank accounts, and personal information across the dark web. Meanwhile, your email and social media accounts will be continuously surveilled for unauthorized access.
• Seniors will receive simplified alerts and protection specifically designed for common online scams and be supported by top-notch identity restoration specialists to resolve any issues that arise.

Quick start checklist

Getting started with the McAfee+ Ultimate Family Plan takes only minutes. Simply follow this short list to start protecting your family’s digital life:

• Account creation: Create a master account at mcafee.com using the primary family email address. This account becomes your central dashboard for managing all family members’ protection.
• Add family profiles: Add family profiles by entering each member’s basic information. You can include up to six family members with personalized settings—spouses, children, and other household members. Each person receives their own unique protection settings based on their age and device usage patterns.
• Install on devices: Download the McAfee app on every family device—computers, phones, and tablets. The software automatically synchronizes with your primary family account and begins protecting all devices immediately. The installation process typically completes in under five minutes per device.
• Enable key protections: Once installation is done, you can start activating identity monitoring, VPN, and safe browsing for each member.
• Turn on alerts: You will also need to configure notification preferences for each device to activate alerts when security events and threats occur.
• Test your setup: To see if the installation works, run initial antivirus scans on all devices. You can also test the VPN to ensure that the connection works.

Essential tips to protect your family online

A comprehensive online security solution combined with best digital practices can go a long way in protecting your loved ones from identity theft, scams, and online risks. These essential tips will help you strengthen your family’s digital defenses, build safer online routines, and give everyone the confidence to explore the internet securely.

• Use unique passwords and multi-factor authentication: Doing this prevents hackers from accessing multiple accounts even if one password is compromised. Enable MFA on all critical accounts.
• Enable automatic updates on all devices: Configure automatic security updates to keep your family’s devices protected against the latest security threats without requiring constant manual action from you.
• Turn on safe browsing and firewall protection: Enabling safe browsing features blocks malicious websites and unauthorized network access before they can harm your family’s devices and data.
• Use a VPN on public Wi-Fi networks: A VPN protects your data on public networks by encrypting your family’s internet connection in hotel, coffee shop, or airport Wi-Fi to prevent data theft.
• Set device-level parental controls: Configure age-appropriate content filters to protect children from inappropriate content while teaching responsible digital habits.
• Consider freezing minors’ credit reports: Credit freezing will prevent identity thieves from opening fraudulent accounts in your children’s names, as they won’t need credit yet.
• Teach family members to recognize phishing red flags: Educating your family to identify common phishing tactics empowers them to spot red flags in suspicious emails, texts, and websites that try to steal personal information.
• Back up important family files regularly: Create a comprehensive backup strategy to ensure precious photos, documents, and memories are safe even if devices are lost, stolen, or infected with ransomware.
• Monitor identities for the whole family: Use family plans to catch suspicious activity early, allowing you to respond quickly if someone’s personal information is compromised.

Final thoughts

Protecting your family’s digital life doesn’t have to be overwhelming. With the right knowledge, best digital practices, and a comprehensive security solution like McAfee+ Ultimate Family Plan, you can safeguard everyone against today’s online threats. A comprehensive family plan will help you enable safe browsing tools, monitor your family members’ identities, educate each family member about their unique risks, and build a strong foundation of online security. Start implementing these protective measures today, and stay informed about emerging threats and security best practices to keep your loved ones safe in our connected world.

The post Protect the Whole Family with McAfee+ Ultimate Family Plan appeared first on McAfee Blog.

Leading off our news on scams this week, a heads-up for DoorDash users, merchants, and Dashers too. A data breach of an undisclosed size may have impacted you.

Per an email sent by the company to “affected DoorDash users where required,” a third party gained access to data that may have included a mix of the following:

• First and last name
• Physical address
• Phone number
• Email address

You might have got the email too. And even if you didn’t, anyone who’s used DoorDash should take note.

As to the potential scope of the breach, DoorDash made no comment in its email or a post on their help site. Of note, though, is that one of the help lines cited in their post mentions a French-language number—implying that the breach might affect Canadian users as well. Any reach beyond the U.S. and Canada remains unclear.

Per the company’s Q2 financial report this year, “hundreds of thousands of merchants, tens of millions of consumers, and millions of Dashers across over 30 countries every month.” Stats published elsewhere put the user base at more than 40 million people, which includes some 600,000 merchants.

The company underscored that no “sensitive” info like Social Security Numbers (and potentially Canadian Social Insurance Numbers) were involved in the breach. This marks the third notable breach by the well-known delivery service, with incidents in 2019 and 2022

What to do if you think you got caught up in the DoorDash breach

While the types of info involved here appear to be limited, any time there’s a breach, we suggest the following:

Protect your credit and identity. Checking your credit and getting identity theft protection can help keep you safer in the aftermath of a breach. Further, a security freeze can help prevent identity theft if you spot any unusual activity. You can get all three in place with our McAfee+ Advanced or Ultimate plans.

Keep an eye out for phishing attacks. With some personal info in hand, bad actors might seek out more. They might follow up a breach with rounds of phishing attacks that direct you to bogus sites designed to steal your personal info. As with any text or email you get from a company, make sure it’s legitimate before clicking or tapping on any links. Instead, go straight to the appropriate website or contact them by phone directly. Also, protections like our Scam Detector and Web Protection can alert you to scams and sketchy links before they take you somewhere you don’t want to go.

Update your passwords and use two-factor authentication. Changing your password is a strong preventive measure. Strong and unique passwords are best, which means never reusing your passwords across different sites and platforms. Using a password manager helps you stay on top of it all while also storing your passwords securely.

Attention travelers: Now boarding, a rise in flight cancellation scams

Even as the FAA lifted recent flight restrictions on Monday morning, scammers are still taking advantage of lingering uncertainty, and upcoming holiday travel, with a spate of flight cancellation scams.

How the scam works

Fake cancellation texts

The first comes via a text message saying that your flight has been cancelled and you must call or rebook quickly to avoid losing your seat—usually in 30 minutes. It’s a typical scammer trick, where they hook you with a combination of bad news and urgency. Of course, the phone number and the site don’t connect you with your airline. They connect you to a scammer, who walks away with your money and your card info to potentially rip you off again.

Fake airline sites in search results

The second uses paid search results. We’ve talked about this trick in our blogs before. Because paid search results appear ahead of organic results, scammers spin up bogus sites that mirror legitimate ones and promote them in paid search. In this way, they can look like a certain well-known airline and appear in search before the real airline’s listing. With that, people often mistakenly click the first link they see. From there, the scam plays out just as above as the scammer comes away with your money and card info.

How to avoid flight cancellation scams

Q: How can I confirm whether my flight is really canceled?
A: Check directly in your airline’s official app or website. Never click links in texts or emails.

Q: How can I spot a fake airline search result?
A: Look for “Ad”/“Sponsored,” confirm the URL, and check that the site uses HTTPS, not HTTP.

Q: Is there a tool that flags fake booking sites?
A: Scam-spotting tools like Scam Detector and Web Protection can identify sketchy links before you click.

In search, first isn’t always best.

Look closely to see if your top results are tagged with “Sponsored” or “Ad” in some way, realizing it might be in fine print. Further, look at the web address. Does it start with “https” (the “s” means secure), because many scam sites simply use an unsecured “http” site. Also, does the link look right? For example, if you’re searching for “Generic Airlines,” is the link the expected “genericairlines dot-com” or something else? Scammers often try to spoof it in some way by adding to the name or by creating a subdomain like this: “genericairlines.rebookyourflight dot-com.”

Get a scam detector to spot bogus links for you.

Even with these tips and tools, spotting bogus links with the naked eye can get tricky. Some look “close enough” to a legitimate link that you might overlook it. Yet a combination of features in our McAfee+ plans can help do that work for you.  Our Scam Detector helps you stay safer with advanced scam detection technology built to spot and stop scams across text messages, emails, and videos. Likewise, our Web Protection will alert you if a link might take you to a sketchy site. It’ll also block those sites if you accidentally tap or click on a bad link.

Scammers Hijack a Trusted Mass Texting Provider

You’ve probably seen plenty of messages sent by short code numbers. They’re the five- or six-digit codes used to send texts instead of by a phone number. For example, your cable company might use one to send a text for resetting a streaming password, the same goes for your pharmacy to let you know a prescription is ready or your state’s DoT to issue a winter travel alert, and so on.

According to NBC News, scammers sent hundreds of thousands of texts using codes used by the state of New York, a charity, and a political organizing group. The article also cites an email sent to messaging providers by the U.S. Short Code Registry, an industry nonprofit that maintains those codes in the U.S. In the email, the registry said attempted attacks on messaging providers are on the rise.

What this means for the rest of us is that just about any text from an unknown number, and now short codes, might contain malicious links and content. It’s one more reason to arm yourself with the one-two punch of our Scam Detector and Web Protection.

What are short codes?
Short codes are 5–6 digit numbers used by pharmacies, utilities, banks, and government agencies to send official alerts.

Why this attack is unusual
Scammers didn’t spoof short codes—they gained access to real ones used by:

• The State of New York
• A charity
• A political organizing group

Why this matters
Even texts from legitimate short-code numbers can no longer be trusted at face value.

What to do now

• Treat any unexpected text—even from a short code—as suspicious.
• Don’t tap links.
• Verify by going directly to the official website or app.

Quick Scam Roundup

Consumers warned over AI chatbots giving inaccurate financial advice 

• Our advice: Always verify recommendations with trusted financial sources

Why our own clicks are often cybercrime’s greatest allies

• Our advice: Many attacks rely on rushed or emotional decisions, slow down before clicking

TikTok malware scam uses fake software activation guides to steal data

• Our advice: Download software only from official sources

 

We’ll be back after the Thanksgiving weekend with more updates, scam news, and ways to stay cyber safe.

The post This Week in Scams: DoorDash Breach and Fake Flight Cancellation Texts appeared first on McAfee Blog.

Want McAfee’s latest scam alerts, cybersecurity tips, and safety updates to show up automatically in your Google News feed? You can follow McAfee directly on Google News with a single tap.

Google News now gives every official publisher a dedicated page — and McAfee has one. Once you follow us, our newest articles will appear in your Following tab and throughout your personalized news feed whenever they’re relevant to you.

Here’s how to do it in seconds.

Follow McAfee on Google News

Step 1: Go to our official Google News page

Tap or click this link:

McAfee Official Google News Source Page

This opens McAfee’s verified publisher page inside Google News.

Step 2: Tap the “Follow” button

You’ll see a star icon at the top of the page.

Tap Follow and you’re done.

That’s it — McAfee is now part of your personalized news feed.

What happens after you follow McAfee

When you tap the star:

• McAfee appears under Following → Sources in Google News
• Our stories show up more often when you search for cybersecurity topics
• You’ll see McAfee alerts, safety tips, and threat updates sooner
• Google prioritizes McAfee when we publish on topics you care about (AI scams, malware, identity theft, etc.)

No settings menus. No advanced search. Just one tap.

How to Unfollow or Manage Your Sources

If you ever want to update your feed:

1. Open Google News

2. Go to Following → Sources

3. Tap the star again to unfollow

4. Or rearrange which sources matter most to you

 

---

FAQs

Do I need the Google News app?

No. Following works in both browsers and the app.

Will this make McAfee show up first for every search?

Not automatically — but Google does prioritize publishers you follow when the content is relevant.

Can I follow McAfee on multiple devices?

Yes. It’s tied to your Google account, not your phone or laptop.

Is the follow button safe?

Absolutely. This is Google’s built-in publisher follow system.

Stay Updated, Stay Safer

Cyber threats move fast — following McAfee on Google News makes it easier to stay ahead of scams, breaches, and emerging AI risks.

The post How to Follow McAfee on Google News in One Simple Step appeared first on McAfee Blog.

Contactless payments make everyday purchases fast and easy. Yet with that convenience comes a risk: ghost tapping.

In crowded spaces or rushed moments, a scammer could trigger a small tap-to-pay charge or push through a higher amount without your clear consent. Understanding what ghost tapping is, how it happens, and what to do next helps you keep your money and identity secure.

What Is Ghost Tapping?

Ghost tapping is a form of contactless fraud where someone attempts to initiate a tap-to-pay transaction without your approval.

Tap-to-pay cards and mobile wallets on phones use a technology called “near-field communication,” or NFC. That lets them communicate with things like a point-of-sale device for payment at a very close range. It’s generally quite safe, particularly because of the “near” part. You have to get very close to make the connection.

Even so, proximity and distraction can be exploited. Attackers may try to skim limited details from RFID (Radio Frequency Identification technology) cards or NFC cards, or nudge you into approving a payment you didn’t intend. If you’ve ever wondered what ghost tapping is, think of it as an opportunistic, in-person scam that abuses the tap-to-pay moment rather than a remote hack.

How Ghost Tapping Happens

Most schemes rely on getting close and catching you off guard. A criminal might carry a portable reader, press into a pocket or bag, and attempt a low-value charge. Others set up tampered terminals, rushing you so you don’t check the amount.

Consider These Two Scenarios:

You’re at a busy farmer’s market. A scammer with a phone equipped with a point-of-sale app stumbles into you and gets close enough to your card to trigger a transaction. It’s almost like a modern-day pickpocket move, where the bump distracts the victim from the theft as it happens.

In another case, you might come across a phony vendor. Maybe someone’s selling cheap hats outside a football game or someone’s going around your neighborhood selling candy, supposedly to support a charity. In scenarios like these, you tap to pay with your phone just as you’d expect… but with one exception: the “vendor” jacks up the purchase price. They hurry you through the transaction, so quickly that you don’t review the screen before you confirm payment.

We’ve also seen reports of people getting Apple Pay scammed by impostor merchants who exploit quick taps and small screens. While mobile wallets add strong safeguards, poor visibility and social pressure can still lead to losses.

The Better Business Bureau on Ghost Tapping:

A report posted on the Scam Tracker at the Better Business Bureau (BBB) shows how the phony vendor version of this scam allegedly played out:

“An individual is going door to door in [location redacted] claiming to be selling chocolate on behalf of [redacted] to support special needs students. He says that he can only accept tap-to-pay to get people to pay with a card. He then charges large amounts to the card without the cardholder being able to see the amount. He got my mother for $537… Another victim for $1100… He changes neighborhoods frequently to avoid getting caught.”

Signs of Ghost Tapping and Common Myths

Early ghost detecting starts with vigilance. Watch for unfamiliar small charges, especially after crowded events, and alerts tied to contactless transactions. If you see odd activity tied to RFID cards or NFC cards, act quickly.

Common myths persist. Attackers can’t drain accounts from far away, clone full cards via a tap, or bypass wallet protections easily. Most successful cases hinge on proximity, distraction, and human error. Meanwhile, Apple Pay scam stories often involve rushed taps and unverified totals.

Effective ghost detecting focuses on timely alerts, careful review, and immediate response.

How to Protect Yourself from Ghost Tapping Scams

The BBB, which recently broke the story of these scams, offers several pieces of advice. We have some advice we can add as well.

From the BBB…

• Store your cards securely. An RFID-blocking wallet or sleeve can help stop wireless skimming.
• Always confirm payment details. Before tapping your card or phone, check the merchant’s name and amount on the terminal screen.
• Set up transaction alerts. Many banks allow real-time notifications for every charge.
• Keep an eye on your accounts. Daily checks help you spot fraud faster.
• Limit tap-to-pay use in high-risk areas. Consider swiping or inserting your card instead.

From us at McAfee…

Monitor your identity and your credit.

The problem with many card scams is that they can lead to further identity theft and fraud, which you only find out about once the damage is done. Actively monitoring your identity and credit goes beyond single transaction alerts from your bank and can spot an emerging problem before it becomes an even bigger one. You can take care of both easily with timely notifications from our credit monitoring and identity monitoring features, all as part of our McAfee+ plans.

When you’re out and about, consider what you’re carrying—and where you carry it.

The physical safety of your phone and cards counts as well. While ghost tapping scams are new, old-school physical pickpocketing attempts persist. When it comes to devices and things like debit cards, credit cards, and even cash, keep what you bring with you to the bare minimum when you go out. This can cut your losses if the unfortunate happens. If you have a credit card and ID holder attached to the back of your phone, you may want to remove your cards from it. That way, if your phone gets snatched, those important cards don’t get snatched as well.

When in doubt, shop with a credit card.

In the U.S., credit cards offer you additional protection that debit cards don’t. That’s thanks to the Fair Credit Billing Act (FCBA). It limits your liability to $50 for fraudulent charges on a credit card if you report the loss to your issuer within 60 days.

The post Ghost Tapping: What It Is, How It Works, and How to Stay Safe appeared first on McAfee Blog.

As the holiday season ramps up, so do group dinners, shared travel costs, gift exchanges, and all the little moments where someone says, “Just Venmo me.”

With more people sending and splitting money this time of year, scammers know it’s prime time to target payment apps. Here’s how to keep your Venmo transactions safe during one of the busiest — and riskiest — payment seasons.

What kind of scams are on Venmo?

Venmo scams come in all shapes, and many of them look like variations of email phishing and text scams. The scammers behind them will pose as Venmo customer service reps who ask for your login credentials. Other scammers offer bogus cash prizes and pyramid schemes that lure in victims with the promise of quick cash. Some scammers will use the app itself to impersonate friends and family to steal money.

Venmo has a dedicated web page on the topic of scams, and lists the following as the top Venmo scams out there:

·       Fake Prize or Cash Reward ·       Call from Venmo ·       Call from Tech Support ·       Fake Payment Confirmation ·       Pre-payment for Goods and Services

·       Stranger Posing as a Friend ·       Payments from Strangers ·       Offers to Make Money Fast ·       Paper Check Scam ·       Romance Scam

 

Venmo has thorough instructions to combat these scams and breaks them down in detail on its site. They also provide preventative tips and steps to take if you unfortunately fall victim to one of these scams. Broadly speaking, though, avoiding Venmo scams breaks down into a few straightforward steps.

How to avoid getting scammed on Venmo

1) Never share private details.

Scammers often pose as customer service reps to pump info out of their victims. They’ll ask for things like bank account info, debit card or credit card numbers, or even passwords and authentication codes sent to your phone. Never share this info. Legitimate reps from legitimate companies like Venmo won’t request it.

2) Know when Venmo might ask for your Social Security number.

In the U.S., Venmo is regulated by the Treasury Department. As such, Venmo might require your SSN in certain circumstances. Venmo details the cases where they might need your SSN for reporting, here on their website. Note that this is an exception to what we say about sharing SSNs and tax ID numbers. As a payment app, Venmo might have legitimate reasons to request it. However, don’t send this info by email or text (any email or text that asks you to do that is a scam). Instead, always use the mobile app by going to Settings  –> Identity Verification.

3) Keep an eye out for scam emails and texts.

Venmo always sends communications through its official “venmo.com” domain name. If you receive an email that claims to be from Venmo but that doesn’t use “venmo.com,” it’s a scam. Never click or tap on links in emails or texts supposedly sent by Venmo.

4) Be suspicious of the messages you get. Imposters are afoot.

Another broad category of scams includes people who aren’t who they say they are. In the case of Venmo, scammers will create imposter accounts that look like they might be a friend or family member but aren’t. If you receive an unexpected and likely urgent-sounding request for payment, contact that person outside the app. See if it’s really them.

5) When sending money, keep an eye open for alerts from the app.

Just recently, Venmo added a new feature, dynamic alerts, which helps protect people when sending money via the “Friends and Family” option. It pops up an alert if the app detects a potentially fraudulent transaction and includes info that describes the level of risk involved. In the cases of highly risky payments, Venmo might decline the transaction altogether. This adds another level of protection to Friends and Family payments, which are non-refundable in cases of fraud. Further, this underscores another important point about using Venmo: only pay people you absolutely know and trust.

More ways to stay safe on Venmo

Keep your transactions private. Venmo has a social component that can display a transaction between two people and allow others to comment on it. Payment amounts are always secret. Yet you have control over who sees what by adjusting your privacy settings:

• Public – Everyone on the internet can see and comment on the transaction.
• Friends – Only your Venmo friends and the other participant’s friends can see and comment on the transaction. (Note that the friends of the other participant might be strangers to you, so “friends and friends of friends” is more accurate here.)
• Private – Here, only the participants can view and comment on the transaction.

This brings up the question, what if the participants in the transaction have different privacy settings? Venmo uses the most restrictive one. So, if you’re paying someone who has their privacy set to “Public” and you have yours set to “Private,” the transaction will indeed be private.

We suggest going private with your account. The less financial information you share, the better. You can set your transactions to private by heading into the Settings of the Venmo app, tapping on Privacy, and then selecting Private.

In short, just because something is designed to be social doesn’t mean it should become a treasure trove of personal data about your spending habits.

Add extra layers of security. Take extra precautions that make it difficult for others to access your Venmo app.

• First off, lock your phone. Whether with a PIN or other form of protection, locking your phone prevents access to everything you keep on it, which is important in the case of loss or theft. Our own research found that only 58% of adults take the vital step of locking their phones. If you fall into the 42% of people who don’t, strongly consider changing that.
• Within the Venmo app, you can also enable Face ID and a PIN (on iOS) or a PIN and biometric unlock (Android). These add a further layer of security by asking for identification each time you open the app. That way, even if someone gets access to your phone, they’ll still have to leap through that security hurdle to access your Venmo app.
• Use a strong, unique password for your account. That’s a password with at least 13 characters using a mix of cases, numbers, and symbols that you don’t use anywhere else. You can also have a password manager do that work for you across all your accounts.

Keep your online finances even more secure with the right tools

Online protection software like ours offers several additional layers of security when it comes to your safety and finances online.

For starters, it includes Web Protection and Scam Detector that can block malicious and questionable links that might lead you down the road to malware or a phishing scam, such as a phony Venmo link designed to steal your login credentials. It also includes a password manager that creates and stores strong, unique passwords for each of your accounts.

Moreover, it further protects you by locking down your identity online. Transaction Monitoring and Credit Monitoring help you spot any questionable financial activity quickly. And if identity theft unfortunately happens to you, up to $2 million in ID theft coverage & restoration can help you recover quickly.

The post Venmo 101: Making Safer Payments with the App appeared first on McAfee Blog.

Welcome back to another This Week in Scams.

This week,  have attacks that take over Androids and iPhones, plus news that Google has gone on the offensive against phishing websites.

First up, a heads-up for iPhone owners.

The “We found your iPhone” scam

In the hands of a scammer, “Find My” can quickly turn into “Scam Me.”

Switzerland’s National Cyber Security Center (NCSC) shared word this week of a new scam that turns the otherwise helpful “Find My” iOS feature into an avenue of attack.

Now, the thought of losing your phone, along with all the important and precious things you have on it, is enough to give you goosebumps. Luckily, the “Find My” can help you track it down and even post a personalized message on the lock screen to help with its return. And that’s where the scam kicks in.

From the NCSC:

When a device is marked as lost, the owner can display a message on the lock screen containing contact details, such as a phone number or email address. This can be very helpful if the finder is honest – but in dishonest hands, the same information can be used to launch a targeted phishing attack.

With that, scammers send a targeted phishing text, as seen in the sample provided by the NCSC below …

What do the scammers want once you tap that link? They request your Apple ID and password, which effectively hands your phone over to them—along with everything on it and everything else that’s associated with your Apple ID.

It’s a scam you can easily avoid. So even if you’re still stuck with a lost phone that’s likely in the hands of a scammer the point of consolation is that, without your ID, the phone is useless to them.

Here’s what the NCSC suggests:

Ignore such messages. The most important rule is Apple will never contact you by text message or email to inform you that a lost device has been found.

Never click on links in unsolicited messages or enter your Apple ID credentials on a linked website.

If you lose your device, act immediately. Enable Lost Mode straight away via the Find My app on another device or at iCloud.com/find. This will lock the device.

Be careful about which contact details you show on your lost device’s lock screen. For example, use a dedicated email address created specifically for this purpose. Never remove the device from your Apple account, as this would disable the Activation Lock.

Make sure your SIM card is protected with a PIN. This simple yet effective measure prevents criminals from gaining access to your phone number.

Android phone takeover scam

Now, a different attack aimed at Android owners …

A story shared on Fox this week breaks down how a combination of paid search ads, remote access tools, and social engineering have led to hijacked Android phones.

It starts with a search, where an Android owner looks up a bank, a tech support company, or what have you. Instead of getting a legitimate result, they get a link to a bogus site via paid search results that appear above organic search results. The link, and the page it takes them to, look quite convincing, given the ease with which scammers can spin up ads and sites today. (More on that next.)

Once there, they call a support number and get connected to a phony agent. The agent convinces the victim to download an app that will help the “agent” solve their issue with their account or phone. In fact, the app is a remote access tool that gives control of the phone, and everything on it, to the scammer. That means they can steal passwords, send messages to friends, family, or anyone at all, and even go so far as to lock you out.

Basically, this scam hands over one of your most precious possessions to a scammer.

Here’s how you can avoid that:

Skip paid search results for extra security. That’s particularly true when contacting your bank or other companies you’re doing business with. Look for their official website in the organic search results below paid ads. Better yet, contact places like your bank or credit card company by calling the number on the back of your card.

Get a scam detector. A combination of our Scam Detector and Web Protection can call out sketchy links, like the bogus paid links here. They’ll even block malicious sites if you accidentally tap a bad link.

Never download apps from third-party sites outside of the Google Play Store. Google has checks in place to spot malicious apps in its store.

Lastly, never give anyone access to your phone. No bank rep needs it. So if someone on a call asks you to download an app like TeamViewer, AnyDesk, or AirDroid, it’s a scam. Hang up.

Beyond that, you can protect yourself further by installing an app like our McAfee Security: Antivirus VPN. You can pick it up in the Google Play store, which also includes our Scam Detector and Identity Monitoring. You can also get it as part of your McAfee+ protection.

Google takes aim at phishing scams with a lawsuit against an alleged criminal organization

Just Wednesday, Google took a first step toward making the internet safer from bogus sites, per a story filed by National Public Radio.

A lawsuit alleges that a China-based company called “Lighthouse” runs a “Phishing-as-a-Service” operation that outfits scammers with quick and easy tools and templates for creating convincing-looking websites. According to Google’s general counsel, these sites could “compromise between 12.7 and 115 million credit cards in the U.S. alone.”

The suit was filed in the U.S. District Court in the Southern District of New York, which, of course, has no jurisdiction over a China-based company. The aim, per Google’s counsel, is deterrence. From the article:

“It allows us a legal basis on which to go to other platforms and services and ask for their assistance in taking down different components of this particular illegal infrastructure,” she said, without naming which platforms or services Google might focus on. “Even if we can’t get to the individuals, the idea is to deter the overall infrastructure in some cases.”

We’ll keep an eye on this case as it progresses. And in the meantime, it’s a good reminder to get Scam Detector and Web Protection on all your devices so you don’t get hoodwinked by these increasingly convincing-looking scam sites.

Again, scammers can roll them out so quickly and easily today.

And now for a quick roundup …

Here’s a quick list of a few stories that caught our eye this week:

Alarmingly realistic deepfake threats now target banks in South Africa

Nearly 80% of parents fear their kids will fall for an AI scam, but they aren’t sure how to talk about it

Hyundai data breach exposes 2.7 million Social Security numbers

 

And that’s it for this week! We’ll see you next Friday with more updates, scam news, and ways you can stay safer out there.

The post This Week in Scams: New Alerts for iPhone and Android Users and a Major Google Crackdown appeared first on McAfee Blog.

Trojan horse malware was recently in the news after researchers discovered that an email contained an innocent-looking .pdf file attachment. CSO Online magazine reported that when the attachment was clicked, a permission request popped up and the email recipient clicked “allow,” initiating the document download and save, and executing the malware.

Trojans continue to be one of the most widespread cyberthreats globally, accounting for 58% of all malware as reported by Dataprot.net, as criminals adapt their methods to bypass advancing security measures. But all is not lost. In this guide, we will take a closer look at how you can detect Trojans on your computer, and share ways to detect and remove them.

What is a Trojan?

A Trojan, often called a Trojan horse, is a type of malicious software that disguises itself as a legitimate program to deceive you into installing it on your device. Its name is taken from the story of Odysseus who hid his Greek soldiers inside a wooden gift horse to infiltrate the city of Troy.

While the term “Trojan virus” is commonly used, a Trojan is not technically a virus. Both are types of malware, but they behave differently. A virus is a piece of code that attaches itself to other programs and, when run, replicates itself to spread to other files and systems. A Trojan, however, is a standalone program that cannot self-replicate. It relies entirely on tricking the user into downloading and executing it.

From their beginnings in the 1980s as simple social engineering tricks with limited technical sophistication, modern Trojans have dramatically transformed to become multi-stage campaigns that use legitimate-looking emails, fake software updates, and compromised websites to deliver malware that can remain undetected for months. Recently, Trojan attacks have exploited the supply chain to target software vendors directly, allowing criminals to distribute the malware through channels that consumers trust.

The dangers that Trojans bring

The dangers of a Trojan are extensive, ranging from direct financial loss to a complete invasion of your privacy. Once a Trojan enters your PC, cybercriminals can steal sensitive credentials for your banking and credit card accounts, leading directly to theft. They can also access and exfiltrate personal files, photos, and documents, creating a serious privacy exposure.

Beyond theft, an attacker can use this access to take complete control of your device. They might install other types of malware like ransomware or spyware, use your computer as part of a botnet to attack others, or simply monitor your every keystroke. This total loss of device control and privacy is one of the biggest dangers. However, these risks are manageable if caught early. This demonstrates the importance of layered protection with real-time monitoring and community intelligence. As cybercrime attack methods evolve, your security needs to adapt, too.

Methods of spreading Trojans

• Phishing emails: These legitimate-looking emails contain malicious attachments or links that, when opened, install the Trojan. To avoid getting infected, never open attachments from unsolicited sources.
• Cracked software: Websites offering free versions of paid software often bundle Trojans with the download. That “free” software could cost you everything. View such offers with a healthy dose of skepticism. Always use legitimate, official software.
• Fake updates: Pop-ups pretending to be legitimate updates for software like Adobe Flash Player can trick you. If you wish to update your software, it is best to go directly to the official website.
• Malvertising: Malicious ads on legitimate websites can redirect you to pages that automatically download malware. When these online ads pop-up, be cautious about clicking them.

The Trojan invasion process

A Trojan infection follows a stealthy, multi-stage process. The delivery stage begins with a lure, where social engineering tactics, such as a convincing email or a free software offer, trick you into downloading and opening a malicious file. In the execution stage, you run the seemingly harmless program and unknowingly trigger the Trojan’s installation. The malware then often embeds itself into your system’s startup processes to ensure it persistently runs every time you turn on your PC. From there, it connects to a remote command-and-control server operated by the attacker, awaiting instructions for its malicious actions, such as stealing your credentials or monitoring your activity.

Types of Trojan malware

Trojans come in different forms, each with their own process of attack. Here are some of them:

• Backdoor Trojans: These create a hidden backdoor, bypassing normal authentication measures. These backdoors often remain hidden for long periods, allowing attackers to steal files, or install additional malware without your knowledge.
• Keylogger Trojans: Once installed, these Trojans remotely control your PC persistently, recording your keyboard strokes to capture passwords, accessing your files, and taking screen captures.
• Banker Trojans: As the name suggests, these Trojans are designed to steal your login credentials for online banking, payment systems, and credit card accounts. They work by hijacking browser sessions, injecting fake login pages, or capturing keystrokes to steal your credentials and manipulate your transactions.
• Downloader Trojans: These Trojans act as delivery mechanisms for other malware. One type—downloaders—connect to remote servers to fetch additional malicious payloads after initial infection. Another type known as droppers carry other malware within their code and deploy it directly upon execution.
• DDoS Trojans: They turn infected computers into zombie-like “bots” that participate in Distributed Denial-of-Service attacks that overwhelm and crash websites, servers, and online services, causing outages or financial damage.
• Scareware or fake antivirus Trojans: This type of malware mimics legitimate security software, showing fake virus alerts to scare you into paying for a “premium” but useless version or further compromise the device.

Real-life Trojan attacks

• Banking credential theft: The Zeus Trojan family spread through fake banking emails with links to infected websites. Once installed, it secretly captured online banking passwords and credit card details as users typed them. This led to millions of dollars in stolen funds and compromised accounts worldwide, forcing banks to implement stronger authentication measures.
• Corporate data exfiltration: Emotet initially appeared as urgent invoice attachments and shipping notifications in business emails. After infection, it silently collected email contacts, login credentials, and sensitive documents from corporate networks. Companies faced significant data breaches, regulatory fines, and damaged customer trust as their confidential information was sold on criminal marketplaces.
• Botnet recruitment: The Mirai Trojan targeted smart home devices by exploiting default login credentials on routers and security cameras. Infected devices became part of massive botnets used to launch devastating attacks that temporarily shut down major websites and services, while users were oblivious that their gadgets were being used for cyberattacks.
• Multi-stage attacks: TrickBot masqueraded as software updates and legitimate business documents. Aside from stealing banking information, it installed ransomware that encrypted entire networks. Organizations faced operational shutdowns, hefty ransom demands, and costly recovery efforts that sometimes took months to complete.

By understanding the signs of a Trojan virus presence on your computer and using comprehensive security software, you dramatically reduce the danger and protect your digital life.

Signs of Trojan presence on your PC

A Trojan attack isn’t just a single event; it’s the entire process a cybercriminal uses to trick you into running malicious software. Recognizing the early warning signs is key. Here are some of the most common cues that can help you know if you have a Trojan virus attack in progress.

• Slower than usual computer performance: Trojans tend to install additional malware that consumes computer processing units and memory resources. This can significantly slow your computer down and cause your operating system to become unstable and sluggish.
• Unauthorized apps appear: A common symptom of Trojan infection is the sudden appearance of apps you don’t recall downloading or installing. If you notice an unfamiliar app from an unverified developer in your Windows Task Manager, there’s a good chance that it is malicious software installed by a Trojan.
• Operating system crashes and freezes: Trojans can overwhelm your system and cause recurring crashes and freezes. An example of this is the Blue Screen of Death, a Windows error screen that means the system can no longer operate due to hardware failure or the termination of an important process.
• Frequent browser redirects: A Trojan can manipulate your browser or modify domain name system settings to redirect the user to malicious websites. Frequent redirects are a red flag, so you should scan your computer the moment you notice an uptick in these redirect patterns.
• Aggressive popups: If you’re noticing more pop-up ads than usual, especially those claiming your web browser or a media player is out of date, there’s a strong possibility that a Trojan has installed a malicious adware program on your PC. These fake alerts trick you into installing the Trojan instead of a real update.
• Disabled security and other software. Trojans can interfere with applications and prevent them from running. A common mid-attack behavior is the Trojan deactivating your browser, apps such as word processing and spreadsheet software, or your antivirus or firewall, it’s a major red flag.
• Unexpected password requests: The Trojan may display a fake system prompt asking you to re-enter your computer password or credentials for an online account, which it then captures.
• Constant, unexplained network activity: Your computer’s internet connection may seem unusually busy even when you’re not using it. This could be the Trojan communicating with a remote server.

Recognizing these signs early allows you to act quickly. If something feels off, trusting your instinct and running a scan can help you find and contain a threat before it does significant harm.

4 best ways to check for a Trojan on your PC

If you’re noticing any of the symptoms above, it’s time to investigate further using automated tools and manual checks. A layered approach is the best way to find and confirm a Trojan infection. To get started, follow the steps below:

1. Scan your PC

The first step is to scan your PC using an antivirus software. Plenty of scan options are available on the market offering real-time protection from all types of malicious software threats, including viruses, rootkits, spyware, adware, ransomware, and Trojans. Some even feature on-demand and scheduled scanning of files and apps, advanced firewall for home network security, and compatibility with Windows, macOS, Android, and iOS devices.

2. Search for Trojans while in safe mode

The next step is to search for Trojans while your computer is in safe mode. In this phase, your device will run only the basic programs needed for Microsoft Windows operation, making it easy to spot any unfamiliar or suspicious programs. Here’s how to do it:

1. Type “MSCONFIG.” in the search bar from the Start menu.
2. Click on the “Boot” tab in the System Configuration box.
3. Tick “Safe Mode” and click “Apply,” then “OK.”
4. After the system restarts, re-open the configuration box.
5. Click on “Startup.”
6. Examine the list and see if there are any suspicious files.
7. Disable any you deem suspicious.

3. Check processes in Windows Task Manager

Another effective way to detect if Trojans are in your system is to check the processes running in Windows Task Manager. This will allow you to see if there are any unfamiliar and unauthorized malicious programs or suspicious activity.

To go to the Task manager, press Ctrl+Alt+Del and click on the “Processes” tab. Review the list of active applications and disable the apps without verified publishers or ones you don’t remember downloading and installing.

4. Scan with Windows security

You can also scan your PC using built-in Windows virus and threat protection tools. Microsoft Defender (called Windows Defender Security Center in older versions of Windows 10) can perform virus scans and detect various types of malware. These are the parts to note:

Windows’ built-in security, known as Microsoft Defender, is a capable tool that can detect and remove many common Trojans. For basic protection, it provides a solid first line of defense and is far better than having no security at all. It handles known threats well and is constantly updated by Microsoft.

However, a dedicated security suite offers more comprehensive, layered protection. This goes beyond simple malware removal to include advanced features like a robust firewall, real-time phishing protection that blocks malicious websites before they load, identity safeguards, and a VPN for secure browsing. These layers work together to stop threats *before* they can infect your PC, which is always better than removing them after the fact.

Think of it as the difference between a standard lock on your door and a full home security system. For everyday, low-risk browsing, the built-in tool may be enough. But for anyone who banks, shops, or shares personal information online, the added protection of a full security suite provides essential peace of mind against a wider range of threats.

Remember to check your network

Most Trojans communicate with a remote command-and-control server to receive instructions or send stolen data through your internet connection. By monitoring your network activity, you can spot these hidden connections early. Unusual outbound traffic, unfamiliar IP addresses, or constant background data transfers are all red flags that something malicious might be operating behind the scenes.

• Monitor active connections: Use the Resource Monitor tool in Windows (resmon.exe) to see which applications are using your network. Look for any unfamiliar processes making outbound connections.
• Verify DNS and proxy settings: In your Windows network settings, check that your DNS server and proxy settings haven’t been changed. Trojans often alter these to redirect your traffic through malicious servers.
• Firewall logs: Firewall logs can show repeated attempts by a specific program to connect to the internet, which is a strong indicator of a Trojan trying to communicate with its operator.

Choose the best Trojan scanner & removal tool

If you’re in the market for a tool that scans and removes Trojans, you have the option of free or premium tools. Whichever you choose, the key is to act quickly but carefully before the Trojan can cause any lasting damage.

Free tools are a great step

A free scan is the perfect first step to determine if you have a Trojan virus on your system. These no-cost tools provide an immediate way to detect potential threats and give you peace of mind about your PC’s security status.

Free Trojan scanners work by examining your system files, running processes, and common hiding spots where malware typically lurks. They check for known Trojan signatures, suspicious file behaviors, and registry modifications that indicate a possible infection. While they may not catch every advanced threat, they’re excellent for identifying common Trojans and giving you a clear starting point.

Simple steps to run your free scan

1. Choose your scanner: Download a reputable free scanning tool from a trusted security provider’s official website. Ensure your scanner has the latest threat definitions for maximum effectiveness.
2. Close other programs: Restart your PC in Safe Mode and close any unnecessary applications to improve scan performance and accuracy.
3. Run a full system scan: Make sure you select the free tool’s comprehensive scan option to check all files, not just a quick scan.
4. Review the results: Carefully examine any detected threats, noting their names and file locations. When threats are found, most free scanners will categorize them by risk level and provide recommended actions.
5. Take action on findings: Quarantine or delete identified threats as recommended by the scanner. High-risk items should be immediately quarantined or deleted, while suspicious files may need further analysis. Be careful as some legitimate files can occasionally trigger false positives.
6. Restart and rescan: Reboot your PC and run another scan to confirm that the Trojan or any threat was completely removed.

Free scanning tools give you valuable insight into your system’s health and serve as an excellent diagnostic tool to check Trojan presence. However, they typically offer detection and removal only, without the real-time protection needed to prevent future infections.

Comprehensive scanning with McAfee antivirus

For comprehensive security that stops threats before they can infect your system, consider upgrading to a complete security solution that provides continuous monitoring and advanced threat protection. Modern antivirus suites like McAfee Total Protection are expertly designed to detect and block Trojans. They use a layered security model that includes signature detection to identify known malware, behavioral analysis to spot suspicious activities characteristic of a Trojan, and artificial intelligence to protect against the very latest threats. Real-time protection actively scans files as you access them, while scheduled and manual scans allow you to thoroughly check your entire system for any hidden malware.

McAfee software is especially effective when it comes to scanning for Trojans and other types of malware and removing them before they can cause any damage to your computer system. With real-time, on-demand, and scheduled scanning of files and applications at your disposal, we’ll help you detect and eliminate any emerging threat in a timely manner.

Remove the Trojan from any platform

In any computer platform—Windows or macOS—the process of scanning and removing a Trojan with McAfee software is similar and absolutely achievable. These steps will help you regain control of your device:

1. Disconnect your PC: Unplug your ethernet cable or turn off Wi-Fi to stop the Trojan from communicating online.
2. Reboot in Safe Mode: Restart your computer in Safe Mode to prevent most malware from loading.
3. Run a full antivirus scan: Use a trusted tool like McAfee to run a complete scan and quarantine or delete any threats it finds.
4. For Mac: Run a full system scan with trusted security software designed for this device.
5. Reset your browsers: Return your web browsers to their default settings to remove any malicious or unfamiliar extensions or changes. Update macOS to the latest version to patch security vulnerabilities.
6. Reboot and rescan: Restart your PC normally and run another full scan to confirm the Trojan is completely gone.
7. Change all your passwords: Once your computer is clean, immediately change passwords for your email, banking, and other important accounts.

Once you’ve completed the removal process, strengthen your defenses by enabling automatic updates, using reputable security software, and being cautious about downloads and email attachments. Regular system scans and keeping your software current are your best protection against future infections. With these steps, you can confidently clean your devices and prevent repeat attacks.

Quick tips to prevent a Trojan virus invasion

• Keep software updated: Enable automatic updates for your operating system, web browser, and applications to patch security vulnerabilities.
• Scrutinize emails: Do not open attachments or click links from unknown or suspicious senders. Verify requests for information.
• Use strong, unique passwords: Employ a password manager to create and store complex passwords for each of your online accounts.
• Enable a firewall: Ensure your network firewall is active to monitor and control incoming and outgoing network traffic.
• Backup data regularly: Keep regular backups of your important files so you can restore them in case of a ransomware attack or data corruption.
• Avoid risky downloads: Only download applications from official websites and trusted app stores.
• Enable multi-factor authentication (MFA): Add this extra security layer to your important online accounts.
• Use real-time protection: Ensure a comprehensive security suite like McAfee is always running to detect threats instantly.

FAQs about Trojans

What is a Trojan horse?

A Trojan is malware that disguises itself as a legitimate file or program. Once you run it, it can perform malicious actions such as stealing data or giving an attacker remote control of your PC.

How does a Trojan spread?

Trojans don’t spread on their own. They rely on you to download and run them. This often happens through phishing emails with fake attachments, malicious ads, or downloads of cracked software.

Can Macs and phones get infected by Trojans?

Yes. While less common than on Windows PCs, Trojans exist for all major operating systems, including macOS, Android, and iOS. It’s crucial to only install apps from official app stores to stay safe.

What is the quickest way to check for a Trojan?

The fastest and most reliable method to check for a Trojan in your computer is to run a full system scan with a trusted antivirus program. This will check all files and running processes for known threats.

How long does it take to remove a Trojan?

Removal time can vary. A good antivirus scan might find and remove it in under an hour. However, some complex Trojans may require more steps, like booting into Safe Mode, which can take longer.

What should I do immediately after removing a Trojan?

Once your system is clean, the first thing you should do is change the passwords for all your important accounts, especially email, banking, and social media, as the Trojan may have stolen them.

Final thoughts

Wondering if your computer has been infected by a Trojan can be worrying, but it’s a manageable issue with the right approach. By understanding the signs of a Trojan virus and using the detection methods outlined, you can take back control of your device’s security. To prevent getting infected by a Trojan, proactive measures such as safe online habits and the layered defense of a trusted security suite like McAfee are your best defenses. Stay vigilant and keep your software updated, so you can confidently navigate the digital world.

The post Best Ways to Check for a Trojan on Your PC appeared first on McAfee Blog.

The holidays are supposed to be about joy and generosity — but this year, they’re also peak season for AI-powered scams. New research from McAfee, a global leader in online protection, shows how fraudsters are using artificial intelligence to create more convincing lures — from deepfake endorsements to cloned delivery messages — as Americans head online to shop.

US – Holiday Shopping 2025 Fact Sheet 

The post Holiday Shopping 2025: US Fact Sheet  appeared first on McAfee Blog.

We’re back with a new edition of “This Week in Scams,” a roundup of what’s current and trending in all things sketchy online.

This week, we have fake steaks, why you should shop online with a credit card, and a new and utterly brash form of debit card fraud.

Fake steaks from “0maha Steaks”

Yes, the letter “O” for Omaha in the subject line of this email scam is actually a zero. And that’s not the only thing that’s off with this email, it’s a total scam.

 

If you like your choice cuts, the name Omaha Steaks might be a familiar one. They’ve been around for almost 110 years, and since 1953 they’ve been in the mail order meat business. Today, they sell, well, just about anything you can picture in the butcher or seafood case. With that, the company enjoys a premium reputation, so it’s little surprise scammers have latched onto it and built a phishing attack around the brand—one they garnish with a nod to concerns over rising food prices.

A few things can quickly tip you off to this scam. For starters, the scammers oddly spell Omaha with a zero in the subject line, as mentioned. From there, the sender’s email address is a straight ref flag. In this case, it’s the curiously spelled “steaksamplnext” followed by a (redacted) domain name that isn’t the legitimate omahasteaks dot-com address. Also curious is the lack of an actual price for the bogus “Gourmet Box.” And lastly, you might think that a premium foods brand would showcase some pictures of their famous fare in the email. Not so here.

Rounding it out, you’ll see the classic scammer tactics of scarcity and urgency, which scammers hope will pressure people to act immediately. In this case, only 500 of these supposed boxes are available, and the offer “concludes tomorrow.”

How to avoid Omaha Steak scams and phishing scams like them

Even as this scam makes the rounds, it’s easy to spot if you give it a closer look and a little thought—giving it a sort of old-school feel to it. However, more and more of today’s phishing emails look increasingly legit, thanks to AI tools, which might get you to click.

As for phishing attacks like this in general, you can protect yourself by:

Always checking the email address of the sender. If it doesn’t match the proper address of the company or brand that’s supposedly sending the email, it’s a scam. In this case, from the people at Omaha Steaks themselves, “If it doesn’t show OmahaSteaks.com and @OmahaSteaks, it’s not us!”

Looking for addresses and links that look like they’ve been slightly altered so that they seem “close enough” to the real thing. In this case, the scammer didn’t even bother to try. However, you could expect an alteration like “omahasteakofferforyou.com” to try and look legit.

Getting a scam detector. Our Scam Detector, found in all core McAfee plans, helps you stay safer with advanced scam detection technology built to spot and stop scams across text messages, emails, and videos. It’ll also block those sites if you accidentally tap or click on a bad link.

One good reason for using your credit card when shopping online.

What’s the most common kind of fraud? If you said, “credit card,” you’ll find it number five on the list. The top form is debit cards, according to 2025 findings from the U.S. Federal Reserve.

As reported by financial institutions, the Fed found that attempts at debit card fraud rose to 73% with 52% of those attempts being successful.

The post This Week in Scams: Fake Steaks and Debit Card Porch Pirates appeared first on McAfee Blog.

Football season is in full swing — tailgates, rivalries, fantasy leagues, and Sunday afternoons glued to the screen. Alongside the highlights and heartbreaks, there’s another game playing out online: the rush to place bets.

Every break in the action brings another sportsbook promo — risk-free wagers, bonus bets, exclusive odds — flooding your feed and inbox. But what you don’t see between the ads and sponsorships is how much money is really in play, or how scammers have joined the lineup.

Last year, legally licensed online and retail sportsbooks took nearly $150 billion in bets, a 22.2% jump from 2023 according to the American Gaming Association. And with so much of that money flowing through apps and websites, scammers are finding creative new ways to cash in.

They’re setting up fake betting sites, phishing for logins, and spinning up unlicensed offshore platforms that operate without oversight. Even self-proclaimed “insider tipsters” are pitching guaranteed wins that never exist.

If sports betting is legal in your state and you’re planning to make some wagers this season, here’s how to keep your money — and your data — safe.

Is online sports betting legal in my state?

Since a U.S. Supreme Court ruling in 2018, individual states can determine their own laws for sports betting. Soon after, sports betting became legal in waves. In all, 39 states and Washington D.C. currently offer sports betting through licensed retail locations. Of them, 31 further offer legal sports betting through licensed online apps and websites. The map below offers a quick view as to how all that plays out.

Image from https://sportsdata.usatoday.com/legality-map 

Even as online sportsbooks must be licensed to operate legally, be aware that the terms and conditions they operate under vary from service to service. Per the Better Business Bureau (BBB), that calls for closely reading their fine print. For one, you might come across language that says the company can “restrict a user’s activity,” meaning that they can freeze accounts and the funds associated with them based on their terms and conditions. Also, the BBB cautions people about those promo offers that are often heavily advertised, because “like any sales pitch, these can be deceptive.”

What do online betting scams look like?

Fake betting sites

This form of scam follows the same playbook scammers use for all kinds of bogus sites in general. They cook up a copycat site that looks like a legitimate betting site, create a web address that looks like it could be legitimate, and then flood the web with sponsored search results, ads, and social media posts to drive traffic to them. From there, scammers capture payment info and take bogus bets that they never pay out on. Once the site gets discovered as a scam, they pull it down and spin up other scam sites. With the aid of AI tools to help with the process, scammers can turn around scam sites quickly.

Sports app phishing scams

Scammers piggyback on legitimate betting apps and sites another way. They’ll create phony customer support sites that they promote online, with the addition of scam texts and emails to lure in victims. Under the guise of support, they gain a victim’s login info, hack the account, and clean out the victim’s cash.

Unlicensed offshore platforms

These form a gray area when it comes to scams. Some of these offshore platforms, while unlicensed, are legitimate to varying degrees. What makes them dangerous is that they have no regulatory oversight, which means they can do things like charge hidden costs, lock accounts, and refuse payment without users having any way to dispute those actions. Some of these platforms might have suspect security measures as well, which could lead to account hacks. And of course, some of these offshore platforms are simply fake betting sites, as mentioned above.

Handicapper scams

Earlier this year, the BBB shared word of a growing scam where self-proclaimed experts with “insider information to place sure-thing bets” reach out to victims via email and social media posts. Per the BBB, “A handicapper’s goal isn’t to win bets for their members, it’s to get people to buy their picks. Once you’ve purchased their picks, the handicapper has already won. It doesn’t matter if the pick wins or loses, the handicapper keeps the payment.”

Of course, that “insider info” is entirely fake. It’s all just a smokescreen to draw in victims.

Ready to place your bet online? Keep these things in mind.

1) Stick with legitimate betting sites and apps. Use only legal, regulated sportsbooks when you place a bet.

If you’re a sports fan, you probably know the names, like BetMGM, DraftKings, FanDuel, bet365 and Fanatics Sportsbook. In addition, check out the organization’s BBB listing at BBB.org. Here you can get a snapshot of customer ratings, complaints registered against the organization, and the organization’s response to the complaints, along with its BBB rating, if it has one.

2) Use a secure payment method other than your debit card. Credit cards are a good way to go when buying, or betting, online.

One reason why is the Fair Credit Billing Act, which offers protection against fraudulent charges on credit cards by giving you the right to dispute charges over $50 for goods and services that were never delivered or otherwise billed incorrectly. Your credit card companies may have its own policies that improve upon the Fair Credit Billing Act as well. Debit cards don’t get the same protection under the Act.

3) Protect yourself from fake betting sites and bogus offers.

You can steer clear from all kinds of fake sites and bogus offers with the combination of our Web Protection and Scam Detector, found in our McAfee+ plans. They’ll alert you if a link might take you to a sketchy site, and they’ll block those sites if you accidentally tap or click on a bad link.

In addition to the latest virus, malware, spyware, and ransomware protection, it also includes strong password protection by generating and automatically storing complex passwords to keep your winnings and payment info safer from hackers and crooks.

 

Editor’s Note:

If gambling is a problem for you or someone you know, you can seek assistance from a qualified service or professional. Several states have their own helplines, and nationally you can reach out to resources like http://www.gamblersanonymous.org/ or https://www.ncpgambling.org/help-treatment/.

The post Kickoffs and Rip-offs—Watch Out for Online Betting Scams This Football Season appeared first on McAfee Blog.

by Harshil Patel and Prabudh Chakravorty

*EDITOR’S NOTE: Special thank you to the GitHub team for working with us on this research. All malicious GitHub repositories mentioned in the following research have been reported to GitHub and taken down.

Digital banking has made our lives easier, but it’s also handed cybercriminals a golden opportunity. Banking trojans are the invisible pickpockets of the digital age, silently stealing credentials while you browse your bank account or check your crypto wallet. Today, we’re breaking down a particularly nasty variant called Astaroth, and it’s doing something clever: abusing GitHub to stay resilient.

McAfee’s Threat Research team recently uncovered a new Astaroth campaign that’s taken infrastructure abuse to a new level. Instead of relying solely on traditional command-and-control (C2) servers that can be taken down, these attackers are leveraging GitHub repositories to host malware configurations. When law enforcement or security researchers shut down their C2 infrastructure, Astaroth simply pulls fresh configurations from GitHub and keeps running. Think of it like a criminal who keeps backup keys to your house hidden around the neighborhood. Even if you change your locks, they’ve got another way in.

Key Findings 

• McAfee recently discovered a new Astaroth campaign abusing GitHub to host malware configurations. 
• Infection begins with a phishing email containing a link that downloads a zipped Windows shortcut (.lnk) file. When executed, it installs Astaroth malware on the system. 
• Astaroth detects when users access a banking/cryptocurrency website and steals the credentials using keylogging.  
• It sends the stolen information to the attacker using the Ngrok reverse proxy. 
• Astaroth uses GitHub to update its configuration when the C2 servers become inaccessible, by hosting images on GitHub which uses steganography to hide this information in plain sight. 
• The GitHub repositories were reported to GitHub and are taken down. 

Key Takeaways  

• Don’t open attachments and links in emails from unknown sources. 
• Use 2 factor authentication (2FA) on banking websites where possible. 
• Keep your antivirus up to date. 

Geographical Prevalence 

Astaroth is capable of targeting many South American countries like Brazil, Mexico, Uruguay, Argentina, Paraguay, Chile, Bolivia, Peru, Ecuador, Colombia, Venezuela, and Panama. It can also target Portugal and Italy. 

But in the recent campaign, it seems to be largely focused on Brazil. 

Figure 1: Geographical Prevalence 

 

Conclusion 

Astaroth is a password-stealing malware family that targets South America. The malware leverages GitHub to host configuration files, treating the platform as resilient backup infrastructure when primary C2 servers become inaccessible. McAfee reported the findings to GitHub and worked with their security research team to remove the malicious repositories, temporarily disrupting operations. 

 

Technical Analysis 

Figure 2 : Infection chain 

 

Phishing Email 

The attack starts with an e-mail to the victim which contains a link to a site that downloads a zip file. Emails with themes such as DocuSign and resumes are used to lure the victims into downloading a zip file. 

Figure 3: Phishing Email

Figure 4: Phishing Email

Figure 5: Phishing Email

 

JavaScript Downloader 

The downloaded zip file contains a LNK file, which has obfuscated javascript command run using mshta.exe. 

 

This command simply fetches more javascript code from the following URL: 

 

To impede analysis, all the links are geo-restricted, such that they can only be accessed from the targeted geography. 

The downloaded javascript then downloads a set of files in ProgramData from a randomly selected server: 

Figure 6: Downloaded Files

Here,  

”Corsair.Yoga.06342.8476.366.log” is  AutoIT compiled script, “Corsair.Yoga.06342.8476.366.exe” is AutoIT interpreter, 

“stack.tmp” is an encrypted payload (Astaroth), 

 and “dump.log” is an encrypted malware configuration. 

AutoIt script is executed by javascript, which builds and loads a shellcode in the memory of AutoIT process. 

 

Shellcode Analysis 

Figure 7: AutoIt script building shellcode

The shellcode has 3 entrypoints and $LOADOFFSET is the one using which it loads a DLL in memory. 

To run the shellcode the script hooks Kernel32: LocalCompact, and makes it jump to the entrypoint. 

Figure 8: Hooking LocalCompact API 

 
Shellcode’s $LOADOFFSET starts by resolving a set of APIs that are used for loading a DLL in memory. The API addresses are stored in a jump table at the very beginning of the shellcode memory. 

Figure 9: APIs resolved by shellcode 

 

Here shellcode is made to load a DLL file(Delphi) and this DLL decrypts and injects the final payload into newly created RegSvc.exe process. 

 

Payload Analysis 

The payload, Astaroth malware is written in Delphi and uses various anti-analysis techniques and shuts down the system if it detects that it is being analyzed. 

It checks for the following tools in the system: 

Figure 10: List of analysis tools 

 

It also makes sure that system locale is not related to the United States or English. 

Every second it checks for program windows like browsers, if that window is in foreground and has a banking related site opened then it hooks keyboard events to get keystrokes. 

Figure 11: Hooking keyboard events 

Programs are targeted if they have a window class name containing chrome, ieframe, mozilla, xoff, xdesk, xtrava or sunawtframe.

Many banking-related sites are targeted, some of which are mentioned below:
caixa.gov.br 

safra.com.br 

Itau.com.br 

bancooriginal.com.br 

santandernet.com.br 

btgpactual.com 

 

We also observed some cryptocurrency-related sites being targeted: 

etherscan.io 

binance.com 

bitcointrade.com.br 

metamask.io 

foxbit.com.br 

localbitcoins.com 

 

C2 Communication & Infrastructure 

The stolen banking credentials and other information are sent to C2 server using a custom binary protocol. 

Figure 12: C2 communication  

 

Astaroth’s C2 infrastructure and malware configuration are depicted below. 

Figure 13: C2 infrastructure 

Malware config is stored in dump.log encrypted, following is the information stored in it: 

Figure 14: Malware configuration 

 

Every 2 hours the configuration is updated by fetching an image file from config update URLs and extracting the hidden configuration from the image. 

hxxps://bit[.]ly/4gf4E7H —> hxxps://raw.githubusercontent[.]com//dridex2024//razeronline//refs/heads/main/razerlimpa[.]png 

Image file keeps the configuration hidden by storing it in the following format:

We found more such GitHub repositories having image files with above pattern and reported them to GitHub, which they have taken down. 

Persistence Mechanism  

For persistence, Astaroth drops a LNK file in startup folder which runs the AutoIT script to launch the malware when the system starts.  

McAfee Coverage 

McAfee has extensive coverage for Astaroth: 

Trojan:Shortcut/SuspiciousLNK.OSRT 

Trojan:Shortcut/Astaroth.OJS 

Trojan:Script/Astaroth.DL 

Trojan:Script/Astaroth.AI 

Trojan:Script/AutoITLoader.LC!2 

Trojan:Shortcut/Astaroth.STUP 

Indicator Of Compromise(s) 

IOC	Hash / URL
Email	7418ffa31f8a51a04274fc8f610fa4d5aa5758746617020ee57493546ae35b70 7609973939b46fe13266eacd1f06b533f8991337d6334c15ab78e28fa3b320be 11f0d7e18f9a2913d2480b6a6955ebc92e40434ad11bed62d1ff81ddd3dda945
ZIP URL	https://91.220.167.72.host.secureserver[.]net/peHg4yDUYgzNeAvm5.zip
LNK	34207fbffcb38ed51cd469d082c0c518b696bac4eb61e5b191a141b5459669df
JS Downloader	28515ea1ed7befb39f428f046ba034d92d44a075cc7a6f252d6faf681bdba39c
Download server	clafenval.medicarium[.]help sprudiz.medicinatramp[.]click frecil.medicinatramp[.]beauty stroal.medicoassocidos[.]beauty strosonvaz.medicoassocidos[.]help gluminal188.trovaodoceara[.]sbs scrivinlinfer.medicinatramp[.]icu trisinsil.medicesterium[.]help brusar.trovaodoceara[.]autos gramgunvel.medicoassocidos[.]beauty blojannindor0.trovaodoceara[.]motorcycles
AutoIT compiled script	a235d2e44ea87e5764c66247e80a1c518c38a7395291ce7037f877a968c7b42b
Injector dll	db9d00f30e7df4d0cf10cee8c49ee59a6b2e518107fd6504475e99bbcf6cce34
payload	251cde68c30c7d303221207370c314362f4adccdd5db4533a67bedc2dc1e6195
Startup LNK	049849998f2d4dd1e629d46446699f15332daa54530a5dad5f35cc8904adea43
C2 server	1.tcp.sa.ngrok[.]io:20262 1.tcp.us-cal-1.ngrok[.]io:24521 5.tcp.ngrok[.]io:22934 7.tcp.ngrok[.]io:22426 9.tcp.ngrok[.]io:23955 9.tcp.ngrok[.]io:24080
Config update URL	https://bit[.]ly/49mKne9 https://bit[.]ly/4gf4E7H https://raw.githubusercontent[.]com/dridex2024/razeronline/refs/heads/main/razerlimpa.png
GitHub Repositories hosting config images	https://github[.]com/dridex2024/razeronline  https://github[.]com/Config2023/01atk-83567z  https://github[.]com/S20x/m25  https://github[.]com/Tami1010/base  https://github[.]com/balancinho1/balaco  https://github[.]com/fernandolopes201/675878fvfsv2231im2  https://github[.]com/polarbearfish/fishbom  https://github[.]com/polarbearultra/amendointorrado  https://github[.]com/projetonovo52/master  https://github[.]com/vaicurintha/gol

 

The post Astaroth: Banking Trojan Abusing GitHub for Resilience appeared first on McAfee Blog.

While Apple goes to great lengths to keep all its devices safe, this doesn’t mean your Mac is immune to all computer viruses. What does Apple provide in terms of antivirus protection? In this article, we will discuss some signs that your Mac may be infected with a virus or malware, the built-in protections that Apple provides, and how you can protect your computer and yourself from threats beyond viruses.

What is a Mac virus?

A computer virus is a piece of code that inserts itself into an application or operating system and spreads when that program is run. While viruses exist, most modern threats to macOS come in the form of other malicious software, also known as malware. While technically different from viruses, malware impacts your Mac computers similarly: it compromises your device, data, and privacy.

Macs are not invulnerable to being hacked

While Apple’s macOS has robust security features, it’s not impenetrable. Cybercriminals can compromise a Mac through several methods that bypass traditional virus signatures. Common attack vectors include software vulnerabilities, phishing attacks that steal passwords, drive-by downloads from compromised websites, malicious browser extensions that seem harmless, or remote access Trojans disguised as legitimate software.

Common types of viruses and malware

Understanding the common types of viruses and malware that target macOS can help you better protect your device and data. Here’s a closer look at the most prevalent forms of malware that Mac users should watch out for.

• Adware and potentially unwanted programs (PUPs): These programs hijack your browser, alter your search engine, and bombard you with pop-up ads, severely impacting performance and privacy.
• Trojans: Disguised as legitimate software, such as fake Adobe Flash Player installers or system optimization tools, trojans create a backdoor on your Mac for attackers to steal data, install other malware, or take control of your device.
• Spyware and keyloggers: This malicious software operates silently in the background, recording your keystrokes, capturing login credentials, and monitoring your activity to steal sensitive personal and financial information.
• Ransomware: A particularly damaging threat, ransomware encrypts your personal files, photos, and documents, making them inaccessible. Attackers then demand a hefty ransom payment for the decryption key.
• Cryptominers: This malware hijacks your Mac’s processing power to mine for cryptocurrencies like Bitcoin. It doesn’t steal data but can cause extreme slowdowns, overheating, and increased electricity usage.

Signs that your Mac may be hacked

Whether hackers physically sneak it onto your device or by tricking you into installing it via a phony app, a sketchy website, or a phishing attack, viruses and malware can create problems for you in a couple of ways:

Performance issues

Is your device operating slower, are web pages and apps harder to load, or does your battery never seem to keep a charge? These are all signs that you could have a virus or malware running in the background, zapping your device’s resources.

Your computer heats up

Malware or mining apps running in the background can burn extra computing power and data, causing your computer to operate at a high temperature or overheat.

Mystery apps or data

If you find unfamiliar apps you didn’t download, along with messages and emails that you didn’t send, that’s a red flag. A hacker may have hijacked your computer to send messages or to spread malware to your contacts. Similarly, if you see spikes in your data usage, that could be a sign of a hack as well.

Pop-ups or changes to your screen

Malware can also be behind spammy pop-ups, unauthorized changes to your home screen, or bookmarks to suspicious websites. In fact, if you see any configuration changes you didn’t personally make, this is another big clue that your computer has been hacked.

Browser redirects

Your browser’s homepage or default search engine changes without your permission, and searches are redirected to unfamiliar sites. Check your browser’s settings and extensions for anything you don’t recognize.

Disabled security features

Your antivirus software or macOS firewall is disabled without your action. Some viruses or malware are capable of turning off your security software to allow them to perform their criminal activities.

Check your Mac for viruses and malware

Fortunately, there are easy-to-use tools and key steps to help you validate for viruses and malware so you can take action before any real damage is done.

1. Check activity monitor: Navigate to Applications > Utilities > Activity Monitor and look for any unknown processes using a disproportionate amount of CPU or memory. A quick web search can help identify if a suspicious process is malicious.
2. Review login items: Go to System Settings > General > Login Items. Check the “Open at Login” and “Allow in the Background” sections for any apps you don’t recognize and disable them.
3. Inspect system profiles: In System Settings > Privacy & Security, scroll down to “Profiles.” If you see any profiles you did not intentionally install, aside from those for work or school, remove them.
4. Audit browser extensions: Open your web browsers and review installed extensions. Remove any that you did not add or no longer use.
5. Run a security scan: The most reliable method is to use a dedicated security application. Run a full system scan with a trusted program to detect and remove any malware that manual checks may have missed.
6. Update everything: Ensure your macOS and all installed applications are up to date. Updates frequently contain critical security patches that protect against known vulnerabilities exploited by hackers.

Built-in antivirus solution

Macs contain several built-in features that help protect them from viruses:

• XProtect and quarantine: XProtect is Apple’s proprietary antivirus software built into all Macs since 2009. It works the same as any other antivirus, scanning suspicious files and apps for malware, then quarantining or limiting their access to the Mac’s operating system and other key functions. XProtect relies on up-to-date information to spot malicious files. However, this information may be outdated, and may not always protect Mac users from the latest threats.
• Malware removal tool: To further keep Apple users protected, the malware removal tool scans Macs to spot and catch any malware that may have slipped past XProtect. Similar to XProtect, it relies on a set of constantly updated definitions to identify potential malware, removes malware upon receiving updated information, and continues to check for infections on restart and login.
• Notarization and Gatekeeper: Apps for Apple devices go through a review before they are distributed and sold outside the App Store. When this review turns up no instances of malware, Apple issues a notarization ticket. That ticket is recognized in the macOS Gatekeeper, which verifies the ticket and allows the app to launch. If a previously approved app is later found to be malicious, Apple revokes its notarization and prevents it from running.
• App Store review: All apps that wish to be sold on the Apple App Store must go through Apple’s App Store review. While not strictly a review for malware, security matters are considered in this process to ensure that all apps posted on the App Store are “reliable, perform as expected, respect user privacy, and are free of objectionable content.”

• Other features: In addition to the above, Apple includes technologies that prevent malware from doing more harm, such as preventing damage to critical system files.

Do I need an antivirus for my Mac?

There are a couple of reasons why Mac users may want to consider additional protection on top of the built-in antivirus safeguards:

1. Apple’s antivirus may not recognize the latest threats. These tools primarily rely on known virus definitions, which may lag behind the latest cyberthreats including “zero-day” incidents. This leaves Mac owners susceptible to attack if they solely rely on XProtect and other features.
2. The Mac’s built-in security measures largely focus on viruses and malware. While protecting yourself from viruses and malware is of utmost importance, the reality is that antivirus is not enough. They don’t block other forms of harmful activity, such as phishing attacks, malicious apps downloaded outside of the App Store, suspicious links, prying eyes on public Wi-Fi, data breaches, and identity theft, among others.

Macs are like any other connected device. They’re also susceptible to the wider world of threats and vulnerabilities on the internet. For this reason, Mac users should think about bolstering their defenses further with online protection software.

Your guide to removing a Mac virus

If you suspect your Mac has been infected with a virus or other malware, acting quickly is essential to protect your personal data and stop the threat from spreading. Fortunately, this can be effectively done with a combination of manual steps and trusted security software:

1. Disconnect from the internet: Immediately disconnect from Wi-Fi or unplug the ethernet cable to prevent the malware from communicating with its server or spreading.
2. Remove suspicious apps: Open your Applications folder. Drag any unfamiliar or recently installed suspicious applications to the Trash and then empty it.
3. Delete malicious files: Malware often hides files in your Library folders. Navigate to Finder > Go > Go to Folder and check paths like ~/Library/LaunchAgents and /Library/LaunchDaemons for suspicious files. Be cautious when deleting system files.
4. Clean up browsers: Remove any unknown extensions from your web browsers and reset your homepage and search engine settings if they were altered.
5. Run a security scan: The safest and most effective method is to run a full scan with a trusted security solution. This will automatically identify, quarantine, and remove all traces of the infection.
6. Restore from a clean backup: If the infection is severe and persistent, your best option may be to erase your Mac and cautiously restore from a Time Machine backup created *before* you noticed signs of the virus. If you restore from a backup version that was already infected, you will re-introduce the malware to your clean system.

Last resort: Reinstalling your macOS

In the most extreme cases, erasing your hard drive and reinstalling a fresh copy of macOS is a very effective way to eliminate viruses and malware. This process wipes out all data, including the malicious software. This, however, is considered the last resort for deep-rooted infections that are difficult to remove manually.

Future-proof your Mac from viruses

As cyber threats grow more sophisticated, taking proactive steps now can protect your device, your data, and your identity in the long run. Here are simple but powerful ways to future-proof your Mac, and help ensure your device stays protected against tomorrow’s threats before they reach you:

• Keep everything updated: Enable automatic updates for macOS and your applications. This is the single most important step to protect against vulnerabilities.
• Download from trusted sources only: Stick to the Apple App Store or the official websites of reputable developers. Avoid downloading software from unvetted third-party aggregators or torrent sites.
• Use strong passwords and multi-factor authentication (MFA): Protect your Apple ID and other accounts with long, complex, and unique passwords and enable MFA to prevent unauthorized access.
• Be skeptical of unsolicited messages: Do not click on links or download attachments in suspicious emails or texts. These are primary methods for delivering malware and conducting phishing attacks.
• Install comprehensive security software: Use a trusted security suite like McAfee+ for real-time protection that goes beyond Apple’s built-in tools, offering features like web protection, a firewall, and anti-phishing technology.
• Back up your data regularly: Maintain regular backups of your important files using Time Machine or a cloud service. This ensures you can recover your data without paying a ransom in a ransomware attack.
• Stay informed: Be aware of the threats out there and take a proactive stance to fill the gaps in protection. Comprehensive security suites like McAfee+ can take care of it for you. Our exclusive Protection Score checks your online safety, identifies any gaps, and offers personalized guidance to seal those cracks.

Best digital habits to practice

Staying safe online isn’t just about having the right software—it’s about making smart choices every day. Adopting strong digital habits can drastically reduce your risk of falling victim to viruses, scams, or data breaches.

• Browse safely: Be wary of unsolicited links, pop-up windows, and urgent warnings. Use a web protection tool to block known malicious websites before they can load.
• Scrutinize downloads: Never install software from an untrusted source. Read installation prompts carefully to deselect any bundled optional software or PUPs.
• Improve email hygiene: Treat emails with attachments or links with caution, even from known senders, as their accounts could be compromised. Verify any unusual requests through a separate communication channel.
• Review app permissions: When an application asks for permission to access your contacts, location, or other data, consider if it truly needs that access to function. Deny any unnecessary requests.
• Enable your firewall: Ensure the macOS firewall is turned on in System Settings > Network > Firewall. This provides a basic but important barrier against unsolicited incoming network connections.

It’s about protecting yourself

An important part of a McAfee’s Protection Score involves protecting your identity and privacy beyond the antivirus solution. While online threats have evolved, McAfee has elevated its online protection software to thwart hackers, scammers, and cyberthieves who aim to steal your personal info, online banking accounts, financial info, and even your social media accounts to commit identity theft and fraud in your name. As you go about your day online, online protection suites help you do it more privately and safely. Comprehensive security solutions like McAfee+ include:

• Personal data cleanup reveals which high-risk data brokers and search sites are collecting and selling your personal information. It then requests the removal of your information, confirms completion, and conducts ongoing scans as your data continues to be collected.
• Unlimited secure VPN automatically connects to public Wi-Fi to protect your online privacy and safeguards personal data while you bank, shop, or browse online.
• Identity theft and stolen funds coverage reimburses up to $1 million in lost funds or expenses, including losses to 401(k) accounts, while restoring your identity.
• Ransomware coverage reimburses up to $25,000 for losses and ransom fees.
• Licensed restoration experts who help repair identity and credit issues, including assistance with the identity fraud of a deceased family member.
• Credit monitoring promptly alerts you about changes to your credit score, report, and accounts and guides you on actions needed to tackle identity theft.
• Credit Score and Report help you stay on top of daily changes to your credit score and report, from a single location.
• Security freeze prevents unauthorized access to existing accounts or new ones being set up in your name with a credit, bank, or utility account freeze.
• Identity monitoring scans for up to 60 unique pieces of personal information on the dark web with timely alerts up to 10 months sooner than competitive products.

FAQs about Mac viruses

Can Macs get viruses from Safari?

Yes. While Safari has built-in security features, you can still get a Mac virus by visiting a compromised website that initiates a drive-by download or by being tricked into downloading and running a malicious file.

Do pop-ups mean my Mac is infected?

Not necessarily. Many websites use aggressive pop-up advertising. However, if you see persistent pop-ups that are difficult to close, or fake virus warnings, it’s a strong sign of an adware infection.

Is adware a type of malware?

Yes. While some consider it less harmful than a trojan, adware is a form of malware. It compromises your browsing experience, tracks your activity, slows down your computer, and can serve as a gateway for more dangerous infections.

How often should you scan for viruses?

If you have a security suite with real-time protection, your Mac is continuously monitored. It is still good practice to run a full system scan at least once a week for peace of mind.

Can iPhones spread malware to Macs?

Direct infection via a cable is extremely unlikely due to the security architecture of both operating systems. The greater risk comes from shared accounts. A malicious link or file opened on one device and synced via iCloud, or a compromised Apple ID, could affect your other devices.

Final thoughts

Current trends show a rise in sophisticated adware and PUPs that are often bundled with legitimate-looking software. Cybercriminals are also focusing on malicious browser extensions that steal data and credentials, injecting malicious code into legitimate software updates, or devising clever ways to bypass Apple’s notarization process. Given these developments, Macs can and do get viruses and are subject to threats just like any other computer. While Apple provides a strong security foundation, their operating systems may not offer the full breadth of protection you need, particularly against online identity theft and the latest malware threats. Combining an updated system, smart online habits, and a comprehensive protection solution helps you stay well ahead of emerging threats. Regularly reviewing your Mac’s security posture and following the tips outlined here will also enable you to use your device with confidence and peace of mind.

The post Can Apple Macs get Viruses? appeared first on McAfee Blog.

Authored by ZePeng Chen

Recently, we identified an active Android phishing campaign targeting Indian users. The attackers impersonate a government electricity subsidy service to lure victims into installing a malicious app. In addition to stealing financial information, the malicious app also steals text messages, uses the infected device to send smishing messages to user’s contact list, can be remotely controlled using Firebase and phishing website and malware was hosted in GitHub. This attack chain leverages YouTube videos, a fake government-like website, and a GitHub-hosted APK file—forming a well-orchestrated social engineering operation. The campaign involves fake subsidy promises, user data theft, and remote-control functionalities, posing a substantial threat to user privacy and financial security.

McAfee, as part of the App Defense Alliance committed to protecting users and the app ecosystem, reported the identified malicious apps to Google. As a result, Google blocked the associated FCM account to prevent further abuse. McAfee also reported the GitHub-hosted repository to GitHub Developer Support Team, which took action and already removed it from GitHub. McAfee Mobile Security detects these malicious applications as a high-risk threat. For more information, and to get fully protected, visit McAfee Mobile Security.

Background

The Government of India has approved the PM Surya Ghar: Muft Bijli Yojana on 29th February, 2024 to increase the share of solar rooftop capacity and empower residential households to generate their own electricity. The scheme provides for a subsidy of 60% of the solar unit cost for systems up to 2kW capacity and 40 percent of additional system cost for systems between 2 to 3kW capacity. The subsidy has been capped at 3kW capacity. The interested consumer has to register on the National Portal. This has to be done by selecting the state and the electricity distribution company. Scammers use this subsidy activity to create phishing websites and fake applications, stealing the bank account information of users who want to apply for this subsidy.

Technical Findings

Distribution Methods

This phishing operation unfolds in multiple stages:

1. YouTube Video Lure: The attackers upload promotional videos claiming users can receive “government electricity subsidies” through a mobile app. A shortened URL is included in the video description to encourage users to click.

Figure 1. YouTube video promoting the phishing URL

 

     2. Phishing Website Imitation: The shortened URL redirects to a phishing website hosted on GitHub. it designed to closely resemble an official Indian government portal.

 

Figure 2. Phishing and official website

The phishing site has a fake registration process instruction, once the users believe this introduction, they will not have any doubts about the following processes. The phishing site also has a fake Google Play icon, making users believe it’s a Google Play app, but in reality, the icon points to an APK file on GitHub. When victims click the Google Play icon, it will download the APK from GitHub repository instead of accessing Google Play App Store.

    3. GitHub-Hosted APK and Phishing page

Both the phishing site source and the APK file are hosted on the same GitHub repository—likely to bypass security detection and appear more legitimate. The repository activity shows that this malicious app has been continuously developed since October 2024, with frequent updates observed in recent weeks.

 

Figure 3. Malware repository in GitHub

Installation without network

The downloaded APK is not the main malicious component. Instead, it contains an embedded APK file at assets/app.apk, which is the actual malware. The initial APK serves only to install the embedded one. During installation, users are deceived into believing they are installing a “security update” and are prompted to disable mobile data or Wi-Fi, likely to reduce the effectiveness of malware detection solutions that use detection technologies in the cloud. But McAfee is still able to detect this threat in offline mode

 

Figure 4. Install a malicious APK without a network

According to the installation instructions, a malicious application will be installed. There are 2 applications that are installed on devices.

• PMBY – The initial APK, it is used to install PMMBY.
• PMMBY – Malware APK, it is installed under the guise of “Secure Update“

 

Figure 5. Application names and icons.

Malware analysis

PMMBY is an application that actually carries out malicious behavior—let’s delve into the concrete details of how it accomplishes this.

It requests aggressive permission when it is launched.

• READ_CONTACTS – Read contacts list
• CALL_PHONE – Make/manage phone calls
• READ_SMS, SEND_SMS – View and send SMS messages
• Notification access – For spamming or masking malicious actions

Figure 6. Aggressive permissions request

Fake UI and Registration Process

Once permissions are granted, the app displays a fake electricity provider selection screen. The message “To Get 300 Unit Free Every Month Please Select Your Electricity Provider From Below And Proceed” is shown in English and Hindi to prompt users to select their provider.

 

Figure 7. “SELECT YOUR PROVIDER” Activity

 

After selecting a provider, the app presents a fake registration form asking for the user’s phone number and a ₹1 payment to “generate a registration token.”

 

Figure 8. Registration Form

 

In this stage, malware creates a background task to send a https request to https[://]rebrand[.]ly/dclinkto2. The response text is https[://]sqcepo[.]replit[.]app/gate[.]html,https[://]sqcepo[.]replit[.]app/addsm[.]php. The string is split as 2 URLs.

• UPI PIN URL – https[://]sqcepo[.]replit[.]app/gate[.]html. It will be used in “ENTER UPI PIN” process. When malware uses this URL, “gate.html” will be replace with“gate.hml”, so the loaded URL is https[://]sqcepo[.]replit[.]app/gate[.]htm.
• SMS Uploaded URL – https[://]sqcepo[.]replit[.]app/addsm[.]php. SMS incoming messages are uploaded to this URL.

Figure 9. dclinkto2 request

 

In the stage of ”MAKE PAYMENT of ₹ 1“，victims are asked to use “UPI-Lite” app to complete the payment. In the “UPI-Lite” activity, victims enter the bank UPI PIN code.

 

Figure 10. The process of “ENTER UPI PIN”

UPI Credential Theft

UPI-Lite activity is a fake HTML-based form from https[://]sqcepo[.]replit[.]app/gate[.]htm.

Once submitted, the phone number, bank details, and UPI PIN are uploaded to https[://]sqcepo[.]replit[.]app/addup.php. After the attacker obtains this information, they can steal money from your bank account.

 

Figure 11. Post user’s banker information.

Malware Background Behaviors

In addition to stealing the financial and banking information from the user, the malware is also able to send distribution itself by sending a phishing message to the victim’s contact list, stealing user’s text messages probably to intercept 2FA codes and can be remotely controlled via Firebase.

• Send mass phishing SMS messages to Indian users from the victims’ contacts list.

Figure 12. Send Phishing SMS message.

• Upload SMS message to Server.

Malware has requested view SMS permission when it is launched. When it receives the incoming SMS message, it handles the message and posts below data to remote server(https[://]sqcepo[.]replit[.]app/addsm[.]php).

• senderNum: The phone number of send the incoming message.
• Message: The incoming SMS message.
• Slot: Which SIM Slot to receive the message
• Device rand: A random number was created during the first run to identify the device.

Figure 13. Post Incoming SMS message

• Firebase as a Command Channel.

Attackers use FCM(Firebase Cloud Messaging) to send commands to control devices. According to the _type value, malware executes different commands.

 

Table1. Commands from FCM message

 

Figure 14. Commands from FCM message

Recommendations

To protect against such sophisticated attacks, users and defenders should take the following precautions:

• Avoid downloading apps from unofficial websites:
  Especially those offering benefits like subsidies, rewards, or financial aid.
• Be cautious of apps that require disabling network connections:
  This is often a red flag used to evade real-time antivirus scanning.
• Carefully review app permissions:
  Apps requesting contact access, SMS read/send or call permissions—without clear reason—should be treated as suspicious.
• Use security software with SMS protection:
  Enable permission alerts and use reputable mobile security apps to detect abnormal app behavior. McAfee’s Scam Detector as an additional protection for the smishing part.

Cybercriminals are using relevant themes like energy subsidies to trick users into providing financial information. This campaign demonstrates an integrated and stealthy attack chain. YouTube is used to distribute phishing link, GitHub is a reliable and legitimate website to using it to both distribute malicious APKs and serve phishing websites make it more difficult to identify and take it down, and malware authors can remotely update the phishing text messages to be more effective in tricking users into installing the malware via Firebase Cloud Messaging (FCM). With its self-propagation capabilities, financial data theft, and remote-control functions, it poses a serious risk. We will continue to monitor this threat, track emerging variants, and coordinate with relevant platforms to report and help take down associated infrastructure.

Indicators of Compromise (IOCs)

The post Android Malware Promises Energy Subsidy to Steal Financial Data appeared first on McAfee Blog.

The holiday shopping season, especially Black Friday and Cyber Monday, is a prime time for cybercriminals. McAfee Labs consistently observes a significant spike in malicious activity during this period, fueled by the combination of high web traffic, deals that create a sense of urgency, and a massive increase in card-not-present online transactions that create a perfect storm. Attackers exploit the chaos, knowing shoppers are often distracted and rushing to find the best Black Friday deals, making them more susceptible to phishing scams, fake websites, and malware designed to steal financial information.

As we gear up to feast with family and friends this Thanksgiving, and prepare our wallets for Black Friday and Cyber Monday, let’s look at how these two popular shopping events can impact your online security, and how to protect yourself from scammers.

Stolen credentials and identity theft

The consequences of falling for a holiday scam can be devastating. Beyond the initial financial loss from a fraudulent purchase, victims often face the long-term nightmare of identity theft. According to the Federal Trade Commission (FTC), consumers reported losing $12.5 billion to fraud in 2024, with online shopping scams as the second most commonly reported incident. Recovering from identity theft is not just costly. It’s also incredibly time-consuming. On average, it can take victims months to clear their names and correct their credit reports, adding significant emotional stress during what should be a joyful season.

The Black Friday shopping phenomenon

Historians trace the use of Black Friday to the 1960s, when Philadelphia police officers named the day after Thanksgiving as Black Friday because they had to work overtime to manage the mob of holiday shoppers and attendees to the traditional Army-Navy football game on Saturday. Later on, Shop.org coined the term Cyber Monday as a way for online retailers to participate in the Black Friday shopping frenzy.

Since the beginning of these two massive shopping holidays, both have seen incredible growth as more shoppers are turning to the Internet to participate in holiday bargain hunting. In the US, consumers reportedly spent $10.8 billion online on Black Friday 2024, a 10.2% increase from 2023, while Cyber Monday brought in a record $13.3 billion. 

The uptick in online shopping activity provides cybercriminals the perfect opportunity to disrupt shoppers’ holiday activities and compromise their online security. During this festive season, it is best to take proactive measures to safeguard your digital presence. 

Black Friday risks versus Cyber Monday risks

Historically, Black Friday was initially focused on in-store shopping, while Cyber Monday centered on online deals. As such, each shopping event presented its own cyber risks: 

Black Friday risks

• Mobile-first scams: Shoppers often hunt for deals on their phones on the go before heading to the physical stores, making them more susceptible to smishing and malicious links sent via text.
• Public Wi-Fi dangers: While in-store, shoppers usually connect to unsecured public Wi-Fi at malls or cafes, exposing their data to hackers on the same network.
• Fake QR Codes: Shoppers could click on malicious QR codes on posters or flyers that promise exclusive deals, but lead to phishing sites.

Cyber Monday risks

• Sophisticated phishing emails: Attackers often use data from weekend shopping activities to launch targeted email campaigns with fake shipping notifications or order confirmations for incredible deals.
• Desktop-based Malware: With more people shopping from work or home computers, there’s a higher risk of encountering malicious ads or downloading fake browser extensions that steal data.
• Lookalike websites: Scammers create highly convincing replicas of popular retail websites to trick users into entering login and payment details.

As retailers embrace both in-store and online platforms, cyber fraudsters are blurring the lines to take their scams to both domains.

How to protect yourself from these scams 

With the surge in online shopping during both shopping holidays, cybercriminals are also on high alert, crafting sophisticated scams to trick unsuspecting shoppers. It’s essential to approach every email or text message suspiciously, checking the sender’s information and avoiding clicking on unsolicited links.Thankfully, there are steps you can take to protect yourself when shopping online during Black Friday and Cyber Monday. 

• Never give your information. Be suspicious of unsolicited messages, even if it appears to be from a trusted source. Hover over links in emails or texts to see the actual destination URL before clicking. If the offer seems tempting, visit the retailer’s official website and check if the same deal is available there. 
• Eye the website with skepticism: If you happen to click the link and are led to a website, always ensure that the website you’re shopping from is legitimate. Check for the padlock icon in the address bar and “https” in the URL, as these are indicators of a secure site. Steer clear of websites that have misspelled domain names, as they could be fraudulent. Learn more about the traits of a fake website.
• Use credit instead of debit cards. Credit cards generally offer better fraud protection and make it easier to dispute unauthorized charges.
• Enable multi-factor authentication (MFA). Add this extra layer of security to your email and retail accounts whenever possible.
• Beware of too good to be true offers. Extreme discounts are a common lure for scams. If a deal seems unbelievable, it probably is.
• Verify the seller. Shop with well-known, reputable retailers. For unfamiliar sellers, look for reviews and a physical address.
• Avoid public Wi-Fi for purchases. Your personal data is vulnerable on unsecured networks. Use your mobile data or a secure VPN instead.
• Keep your software updated. Install updates for your operating system, browser, and security software to address known vulnerabilities.
• Install a reputable security software. This can provide you with real-time protection and alert you to a malicious website or link.

Use virtual cards and trusted payment gateways

One of the most effective ways to protect your financial data is to avoid entering your actual debit or credit card number directly on websites. Instead, use payment methods that act as a buffer. Virtual credit cards, offered by many banks and privacy services, generate a unique, temporary card number for a single transaction or vendor, making your real account information useless to thieves if a site is breached. 

Similarly, digital wallets such as PayPal, Apple Pay, and Google Pay use tokenization to mask your card details. When using browser extensions for coupons, be cautious. Only install trusted extensions and check their permissions. 

Monitor price drops without sacrificing security

Everyone wants to find the best price, but be wary of how you track those Black Friday deals. While some deal-tracking apps and browser extensions are helpful, others are privacy nightmares, requesting broad permissions to read all your browsing data. 

Before installing any price tracker, carefully review the permissions it requests. Better yet, use well-known, reputable services or set up price alerts directly on major retail websites. Before you download any new app to your phone or computer, use a security solution with a safe-app check feature to ensure it doesn’t contain malware or spyware.

Invest in McAfee security software

Keeping your digital data and identity safe during the holiday shopping fever might be the best gift you could give yourself and your family. Consider these top features:

• McAfee® Total Protection: This powerful solution provides essential antivirus and web protection to block malicious websites and phishing links in their tracks while you hunt for online deals.
• McAfee® Scam Detector: This feature uses patented AI technology to detect and protect you from risky links in texts, emails, and social media, stopping scams before you can even click.
• McAfee® Mobile Security: This comprehensive protection on the go helps shield you from risky Wi-Fi networks and malicious apps.
• Identity Monitoring: Get alerts if your personal information, like email addresses or credit card numbers, is found on the dark web, allowing you to take action quickly to prevent identity theft. 

FAQs: Stay protected while holiday shopping

Is it safe to shop Cyber Monday deals on mobile?

Shopping for Cyber Monday deals on your phone can be convenient, but it requires extra caution. The biggest pitfall is using unsecured public Wi-Fi networks in places like coffee shops or malls, allowing criminals to intercept your data. 

Another major threat is fraudulent shopping apps designed to steal your information. For another layer of protection, use mobile wallets like Apple Pay or Google Pay as they use tokenization to process payments without exposing your actual card number.

Are deals advertised on social media legitimate?

They can be, but social media is also rife with scams. Instead of clicking links in ads, go directly to the retailer’s official website to find the deal. Scammers often create fake storefronts on social platforms to steal your money and data.

Do retailers release Cyber Monday deals early?

Yes, many retailers start their Cyber Monday deals during the Black Friday weekend or earlier. However, be cautious of unsolicited emails announcing “early access.” Always verify these offers on the retailer’s actual website, as this is a common phishing tactic.

Is it safe to pay with a QR code?

Only use QR codes from trusted sources. Criminals can place malicious QR code stickers over legitimate ones, redirecting you to a phishing site. When in a store, confirm the QR code is legitimate with an employee. When shopping online, only scan codes on a retailer’s official site or app.

What should I do if I get a suspicious shipping notification?

Do not click any links in the email or text message. Scammers send fake shipping alerts to get you to click on malicious links or provide personal information. Instead, go to the retailer’s website and use your official order number to track your package directly.

Final thoughts

Black Friday and Cyber Monday are prime opportunities for consumers to snag once-a-year deals and for cybercriminals to exploit their eagerness to save. However, being aware of the prevalent scams and knowing how to protect yourself can save you from falling prey to these ploys. 

One effective way to do so is by investing in top-tier online protection solutions. McAfee offers award-winning cybersecurity solutions developed to shield you from the ever-evolving threats. Explore the features of our McAfee+ Ultimate and Total Protection plans and stay informed about the latest cyber threats with McAfee Labs.

Always strive to shop wisely and stay safe, and remember that if an offer seems too good to be true, it probably is.

The post Secure Your Black Friday & Cyber Monday Purchases appeared first on McAfee Blog.

Malicious software, also called malware, refers to any program or code engineered to harm or exploit computer systems, networks and devices. It affects your phone’s functionality, especially if you jailbreak your device—that is, opening your iOS to additional features, apps, and themes. 

The risks associated with a malware infection can range from poor device performance to stolen data. Cybercriminals typically use it to extract data—from financial data and healthcare records to emails and passwords—that they can leverage over victims for financial gain. 

Thanks to their closed ecosystem, built-in security features, and strict policies on third-party apps, Apple devices tend to be generally resilient against malware infections. It’s important to note, however, that they’re not completely without vulnerabilities.

Read on to learn how you can detect malware on your iPhone and how to remove these infections so you can get back to enjoying your digital activities.

What is iPhone malware?

While traditional self-replicating viruses are rare on iPhones, malware is a genuine threat for Apple devices. Malware typically enters through links in deceptive texts or emails or through downloaded, unvetted apps rather than system-wide infection. These are some types of malware that could infect your iPhone:

• Adware: Once embedded into your phone, adware collects your personal data and learns browsing habits to determine what kinds of ads can be targeted to you. It then bombards your screen with pop-up ads.
• Ransomware: This type of malware encrypts your files or locks you out of your computer, making the data inaccessible. The attackers then demand a ransom before releasing your encrypted files or systems.
• Spyware: This malicious software sits on your device, tracks your online activities, then sends it to a central server controlled by third-party internet service providers, hackers, and scammers, who then exploit this information to their advantage.
• Trojans: Disguised as a real, operational program, this type of malware steals passwords, PINs, credit card data, and other private information.

Understanding Apple’s built-in security layers

To keep you safe against malware and other threats, Apple engineers the iPhone with multiple security layers, including:

• Secure Enclave: This hardware feature is a dedicated secure subsystem in Apple devices that protects your most sensitive data, such as Face ID or Touch ID information in a separate, fortified processor. 
• Sandboxing: This process serves as a digital wall around each app, preventing it from meddling with other apps or accessing your core iOS system files. A downloaded app is first isolated or sandboxed to prevent it from accessing data in your iPhone or modifying the operating system. 
• App Store review: Apple also enforces a process to strictly vet apps for malicious code, and it delivers rapid security patches via regular iOS updates to fix vulnerabilities quickly. 

Together, these features create a highly secure environment for iPhones. However, this robust shield does not eliminate all risks, as threats can still bypass these defenses through phishing scams or by tricking a user into installing a malicious configuration profile.

6 signs of malware on your iPhone and quick actions

If your iPhone is exhibiting these odd activities listed below, a manual scan is your first point of order. These quick actions are free to do as they are already integrated into your device.

• Sudden battery drain: Your battery dies much faster than it should because malware is secretly running in the background. It could mean malware is running in the background and consuming a significant amount of power. To make sure that no such apps are installed on your phone, head over to Settings > Battery and select a period of your choice. Uninstall any unfamiliar apps that stand out.
• Unexpected data spikes: You notice a sudden jump in your data usage, which could mean malware is sending information from your phone to a hacker’s server. Keep an eye on it if you suspect malware is in your system. To do so, go to Settings > Mobile Data and check if your data usage is higher than usual.
• Constant pop-ups: Occasionally running into pop-up ads is inevitable when browsing the internet. However, your phone might be infected with adware if you’re getting them with alarming frequency. Never click the pop-ups. Instead, go to Settings > Safari and tap Clear History and Website Data. This can remove adware and reset your browser.
• Overheating device: Your iPhone feels unusually hot, even when idle, as malicious software can cause the processor to work overtime. Restart your phone to terminate any hidden processes causing the issue.
• Mysterious apps appear: You discover apps on your iPhone that you are certain you never downloaded. Take some time to swipe through all of your apps and closely inspect or uninstall any that you don’t recognize or remember downloading. 

• Sluggish performance: Your phone becomes slow, apps crash unexpectedly, or the entire system freezes for no reason. A simple restart can often clear up performance issues and improve responsiveness.

The disadvantage of doing a manual scan is that it requires effort. In addition, it does not detect sophisticated malware, and only identifies symptoms rather than root causes.

Scan your iPhone for malware

If your iPhone persistently exhibits any of the red flags above despite your quick actions, you may have to investigate using a third-party security app to find the threats that manual checks don’t catch. 

Compared with manual or built-in scans, third-party solutions like McAfee Mobile Security offer automated, comprehensive malware scans by detecting a wider range of threats before they enter your digital space. While available at a premium, third-party security suites offer great value as they include full-scale protection that includes a safe browsing feature to protect your digital life and a virtual private network (VPN) for a more secure internet connection. 

How to remove malware from your iPhone

If the scan confirms the presence of malware on your iPhone, don’t worry. There’s still time to protect yourself and your data. Below is an action plan you can follow to remove malware from your device.

Update your iOS, if applicable

In many cases, hackers exploit outdated versions of iOS to launch malware attacks. If you don’t have the latest version of your operating system, it’s a good idea to update your iOS immediately to close this potential vulnerability. To do this, go to Settings > General > Software Update and follow the instructions to update your iPhone.

Restart your device

It might sound simple, but restarting your device can fix certain issues. The system will restart on its own when updating the iOS. If you already have the latest version, restart your iPhone now.

Clear your iPhone browsing history and data

If updating the iOS and restarting your device didn’t fix the issue, try clearing your phone’s browsing history and data. If you’re using Safari, go to Settings > Clear History and Website Data > Clear History and Data. Keep in mind that the process is similar for Google Chrome and most other popular web browsers.

Remove any suspicious apps

Malicious software, such as spyware and ransomware, often end up on phones by masquerading as legitimate apps. To err on the side of caution, delete any apps that you don’t remember downloading or installing.

Restore your iPhone

The option to restore to a previous backup is one of the most valuable features found on the iPhone and iPad. This allows you to restore your device to an iCloud backup version that was made before the malware infection. Go to Settings > General > Transfer or Reset iPhone > Erase All Content and Settings > Restore from iCloud Backup.

Factory reset your iPhone

A factory reset should be your last resort when other removal methods have failed, as it is a complete data wipe. That means it will erase all content and settings, including any malicious apps, profiles, or files, returning the software to its original, out-of-the-box state. That’s why it’s crucial to back up your essential data such as photos and contacts first. Also, remember to restore to an iCloud backup version *before* the malware infection to avoid reintroducing the infection. For the highest level of security, set the iPhone up as new and manually redownload trusted apps from the App Store. When you are ready to reset, go to Settings > General > Transfer or Reset iPhone > Erase All Content and Settings > Set Up as New iPhone.

How to detect spyware on your iPhone

Spyware is designed to be sneaky, but it leaves subtle traces. Pay attention to your iPhone’s behavior, such as the camera or microphone unexpectedly activating as indicated by a green or orange dot in the status bar, sudden battery drain, or your device overheating for no reason. Another major red flag is a spike in data usage when you aren’t actively using your phone.

For a deeper look, do this 5-minute check to see which apps have accessed your data, camera, and microphone. Look for any activity that seems suspicious or that you don’t recall authorizing. 

5-minute spyware check:

• Scan for unknown apps: Scroll through your home screens and App Library for any apps you didn’t install.
• Review the App Privacy Report: Check for recent sensor or network activity from apps that shouldn’t be active. Go to Settings > Privacy & Security > App Privacy Report. 
• Check for unusual profiles: Go to Settings > General > VPN & Device Management. Remove any profiles you don’t recognize.
• Look at battery usage: In Settings > Battery, look for unfamiliar apps consuming significant power.

Removing spyware from your iPhone

If you suspect your iPhone has been compromised, it’s important to act quickly. Here’s a step-by-step process to remove it, restore your privacy, and prevent future threats.

1. Backup your essential data: Before making any changes, back up your photos, contacts, and other important files. Ensure you back up to a trusted location like iCloud or your computer.
2. Update to the latest iOS: Apple frequently releases security patches. Go to Settings > General > Software Update and install any available updates to close vulnerabilities that spyware might exploit.
3. Delete suspicious apps and profiles: Remove any apps you don’t recognize. Additionally, go to Settings > General > VPN & Device Management and delete any configuration profiles that you did not install yourself.
4. Change your passwords: Once your device is clean, immediately change the passwords for your critical accounts, including your Apple ID, email, and banking apps.
5. Enable two-factor authentication (2FA): For an added layer of security, enable 2FA on all important accounts, to make it much harder for anyone to gain unauthorized access, even if they have your password.
6. Run a mobile security scan: The most reliable way to detect spyware is with a trusted mobile security app that can perform a comprehensive system scan to help flag any remaining malicious files or settings.
7. When to escalate: If you suspect you are a victim of stalking or that your device was compromised for illegal activities, contact Apple Support for assistance and consider reporting the incident to law enforcement.

Don’t engage with fake virus pop-up scams

A common tactic used by scammers is the fake virus pop-up. These alarming messages appear while you are browsing, often using logos from Apple or other trusted companies, and claim your iPhone is infected. Their goal is to create panic, urging you to click a link, download a fake app, or call a fraudulent support number. Never interact with these pop-ups. Here’s a quick response plan when dealing with fake virus pop-up ads: 

• The correct action is to close the Safari tab or the entire browser immediately. 
• To be safe, clear your browsing data by going to Settings > Safari > Clear History and Website Data. This action removes any lingering scripts from the malicious page. 
• You can also report phishing pages to help protect others.

Never enter personal information, passwords, or payment details on a page that appears from a pop-up ad.

Avoid malware from the start

The best way to protect your iOS device is to avoid malware in the first place. Follow these security measures to safeguard your device:

• If you receive unexpected or unsolicited emails or texts, think before you tap the suspicious links to avoid phishing traps.
• Stick only with apps from the Apple App store. Avoid installing apps from unvetted third-party stores.
• Protect your device’s built-in defenses by avoiding the temptation to jailbreak your iPhone as this will remove most Apple security features.
• Enable automatic updates of iOS and iTunes to stay in line with Apple’s security updates and bug fixes.
• Back up your iPhone data regularly to iCloud or a computer so you can always restore it.
• Avoid engaging with suspicious text messages on iMessage, as hackers use them to spread phishing scams.

• Enable two-factor authentication on your Apple ID for a powerful extra layer of security.
• Routinely review your app permissions to ensure they only have access to necessary data.
• Install a trusted security app, such as McAfee Mobile Security, for proactive scanning and web protection.

FAQs about iPhone malware

Can my iPhone get a virus from opening an email?
Simply opening an email is very unlikely to infect your iPhone. However, clicking a malicious link or downloading an attachment from a phishing email can lead you to a harmful website or trick you into compromising your information. It’s the action you take, not opening the email itself, that creates the risk.

How do I know if a virus warning is real or fake?
Any pop-up in your browser that claims your iPhone has a virus is fake. Apple does not send notifications like this. These are scare tactics designed to trick you into clicking a link or calling a fake support number. The safest response is to close the browser tab and clear your browsing data.

Does my iPhone really need antivirus software?

It’s a misconception that iPhones are immune to all viruses. While Apple’s built-in security provides a strong defense, it doesn’t offer complete protection. Cybercriminals are increasingly using phishing, smishing, AI voice cloning, deepfake videos and other social engineering methods to target iPhone users. A comprehensive security app provides layered protection beyond the iOS integrated security. Think of it as adding a professional security guard to already-strong walls.

What is the best way to check my iPhone for a virus or malware for free?
You can perform manual checks for free by looking for suspicious apps, checking for unusual battery drain and data usage, and reviewing your App Privacy Report. While helpful for spotting obvious issues, these manual checks aren’t foolproof. A dedicated security app offers a more reliable and thorough analysis.

Can an iPhone get malware without jailbreaking it?
Yes. While jailbreaking significantly increases the risk, malware can still infect a non-jailbroken iPhone. This typically happens through sophisticated phishing attacks, installing malicious configuration profiles from untrusted sources, or, in very rare cases, by exploiting an unknown vulnerability in iOS, known as a “zero-day” attack.

Is an iPhone malware scan truly necessary?
Given the value of the personal data on our phones, a regular malware scan provides significant peace of mind. A reputable security app can identify vulnerabilities you might miss, such as outdated software or risky system settings, helping you maintain a strong security posture.

Final thoughts on iPhone malware protection

Keeping your iPhone secure from malware is an achievable goal that puts you in control of your digital safety. By combining smart habits with powerful security tools, you can confidently protect your personal information from emerging threats. 

McAfee is committed to empowering you with the resources and protection needed to navigate the online world safely. McAfee Mobile Security provides full protection against various types of malware targeting the Apple ecosystem. With safe browsing features, a secure VPN, and antivirus software, McAfee Security for iOS delivers protection against emerging threats, so you can continue to use your iPhone with peace of mind. Download the McAfee Mobile Security app today and get all-in-one protection.

The post A Guide to Remove Malware From Your iPhone appeared first on McAfee Blog.

Authored by: Anuradha & Prabudh

PDF converting software can be super helpful. Whether you’re turning a Word document into a PDF or merging files into one neat package, these tools save time and make life easier.

But here’s something many people don’t realize — some of these free PDF tools come with hidden baggage. When you install them, they might also sneak in a new search engine, browser extension, or change your homepage without clearly asking for permission. 

What’s Going On?

Some PDF software is bundled with extra programs. That means when you download and install the PDF converter, it may also install:

• A new search engine in your browser
• Toolbars or browser extensions
• Apps that run in the background on your computer

Most of the time, these are not viruses, but they can slow down your computer, change your browsing experience, and even collect your data.

Geographical Customer Prevalence

The heat map below illustrates the prevalence of EPI PDF software in the field in Q2, 2025.

We see that the top country encountering this software is the United States of America with over 118,000 McAfee device encounters.

Why Do They Do This?

Many free software companies make money by including these extras. Other companies pay them to promote their search tools or browser extensions. It’s a way for them to earn something in return for offering the software for free.

During our daily hunt at McAfee to secure our customer, we came across one such bundler application called EPI PDF Editor that clearly had deceptive nature towards the end user.

Key Takeaways:

1. Read Before You Click “Next”
   Always take a moment during installation to read what each screen says. Look for checkboxes that let you “opt out” of installing extra software.
2. Choose “Custom” or “Advanced” Installation
   This gives you more control over what gets installed on your computer.
3. Download From Trusted Sources
   Stick to well-known websites or the official site of the PDF software. Avoid shady download links from ads or pop-ups.
4. Use Built-In Tools
   Many operating systems (like Windows or macOS) already have simple PDF features like printing to PDF or viewing files, so you might not need extra software at all.
5. Check Your Browser
   If your homepage suddenly changes or you see a new search engine, go to your browser settings and change it back.

McAfee researches such applications proactively, and we review the EULA and Privacy Policy regularly for new applications.

Technical Analysis

EPI PDF Editor is distributed as an MSI installer. Upon launching, the installer window includes a pre-selected option to “Import your current browser settings into EPI PDF,” a choice that appears unrelated to the tool’s intended purpose of handling PDF documents. Unless the user actively opts out by unchecking the box, this action will continue automatically.

Installer Branding Mismatch

The installer is branded as “PDF Converter,” indicating that it is designed for typical PDF tasks such as viewing, converting, splitting, merging, and watermarking documents. However, the inclusion of an opt-out option to import browser settings raises questions about the application’s true functionality.

Figure 1: Import browser settings

Privacy Policy Conflict

A closer examination of the software’s Privacy Policy and Terms reveals a deceptive practice at play. Although the application is marketed as a PDF Converter, the legal documentation tells a different story. As shown in Figure 2, the Privacy Policy of the program—branded as EPIbrowser—explicitly defines the software as a browser designed for Windows-based devices. The screenshot displays both the EPIbrowser logo and the policy text, clearly indicating that the user is not installing a PDF tool, but rather a web browser disguised as one.

Figure 2: Application name in terms & conditions

Figure 3: Application meaning in terms

 

McAfee’s *PUP Policy states that Software installers must provide software licensing information prior to installing any bundled components.No ‘installation completed’ window pops up but instead, a chromium-based browser opens with a tab opened that too with deceptive behavior i.e. options are present to edit the opened pdf but no action being performed. We can browse the internet by opening other tabs.

Figure 4: Tab in EPI Browser

McAfee PUP policy violated here is, ”Installation: whether the user can make an informed decision about the software installation or add-ons and can adequately back out of any undesired installations.” Another suspicious behavior observed is install location i.e. from ‘Appdata/Temp’ instead of Program Files or Program Files(x86). Further while checking control panel we found that sample has created the entry with EPI Browser only and can be uninstalled. Due to its deceptive behavior, which aligns with the McAfee violation criteria, this application has been classified as a Potentially Unwanted Program (PUP).

The McAfee WebAdvisor browser extension warns users when attempting to navigate to websites known to distribute PUPs.

Figure 5: McAfee Web Advisor Warning

Bottom Line

Free PDF tools are useful — but be aware of what else might come with them. A few extra minutes of reading can save you from hours of frustration later.

Stay smart. Stay safe. And always know what you’re really installing.

Indicator of Compromise

App Name	Distributed in different file names	SHA256
EPI PDF Editor	viewpdftools.msi	c2d1ac2511eb2749cdc7ae889d484c246d3bd1e740725dc4dd2813c4b4d05c7b
	onestartpdfdirect.msi
	PDFSmartKit.msi
	pdfzonepro.msi
	6c9136.msi
	OneStartPDF-v4.5.282.2.msi

In a digital world where convenience often comes at a hidden cost, it’s crucial to be vigilant about the software we install — especially free tools like PDF converters. As the case of EPI PDF Editor highlights, not all applications are what they claim to be. Deceptive installations, hidden browser hijackers, and unauthorized data collection can compromise both your privacy and your device’s performance. By staying informed and cautious — reading installation prompts, choosing advanced options, and relying on trusted sources — you can protect yourself from potentially unwanted programs and avoid falling into these traps.

At McAfee, our goal is to help users stay one step ahead of deceptive software. Awareness is your first line of defense. So, the next time you download a free tool, take a moment to think before you click. Because what seems like a simple installation could be opening the door to much more.

 

*PUP :- PUP stands for Potentially Unwanted Program that are used to deliver users some unwanted applications like ads, browser addon, search engine modification, extra programs that a user is generally using for daily purpose.

The post Think Before You Click: EPI PDF’s Hidden Extras appeared first on McAfee Blog.

Authored by Dexter Shin

McAfee’s Mobile Research Team discovered a new Android malware campaign targeting Hindi-speaking users, mainly in India. The malware impersonates popular Indian financial apps, including SBI Card, Axis Bank, and IndusInd Bank, and is distributed through phishing websites that are continuously being created. What makes this campaign unique is its dual-purpose design: it steals personal and financial information while also silently mining Monero cryptocurrency using XMRig, which is triggered via Firebase Cloud Messaging (FCM). It also abuses user trust by pretending to be a legitimate app update from Google Play.

McAfee, as part of the App Defense Alliance committed to protecting users and the app ecosystem, reported the identified malicious apps to Google. As a result, Google blocked the associated FCM account to prevent further abuse. Also, McAfee Mobile Security detects all of these apps as High-Risk threats. For more information, visit McAfee’s Mobile Security page.

This campaign targets Indian users by impersonating legitimate financial services to lure victims into installing a malicious app. This is not the first malware campaign targeting Indian users. In the past, McAfee has reported other threats. In this case, the attackers take it a step further by using real assets from official banking websites to build convincing phishing pages that host the malware payload. The app delivered through these phishing sites functions as a dropper, meaning it initially appears harmless but later dynamically loads and executes the actual malicious payload. This technique helps evade static detection and complicates analysis.

Apart from delivering a malicious payload, the malware also mines cryptocurrency on infected mobile devices. When the malware receives specific commands via FCM, it silently initiates a background mining process for Monero (XMR). Monero is a privacy-focused cryptocurrency that hides transaction addresses, sender and receiver identities, and transaction amounts. Because of these privacy features, cybercriminals often use it to stay hidden and move illegal money without getting caught. Its mining algorithm, RandomX, is optimized for general-purpose CPUs, making it possible to mine Monero efficiently even on mobile devices.

Technical Findings

Distribution Methods

The malware is distributed through phishing websites that impersonate Indian financial services. These sites are designed to closely resemble official banking sites and trick users into downloading a fake Android app. Here are some phishing sites we found during our investigation.

Figure 1. Screenshot of a phishing website

 

These phishing pages load images, JavaScript, and other web resources directly from the official websites to appear legitimate. However, they include additional elements such as “Get App” or “Download” buttons, which prompt users to install the malicious APK file.

Dropper Analysis

When the app is launched, the first screen the user sees looks like a Google Play Store page. It tells the user that they need to update the app.

Figure 2. The initial screen shown by the dropper app

The app includes an encrypted DEX file stored in the assets folder. This file is not the actual malicious payload, but a loader component. When the app runs, it decrypts this file using XOR key and dynamically loads it into memory. The loaded DEX file contains custom code, including a method responsible for loading additional payloads.

Figure 3. First-stage encrypted loader DEX and XOR key

Once the first-stage DEX is loaded, the loader method inside it decrypts and loads a second encrypted file, which is also stored in the assets. This second file contains the final malicious payload. By splitting the loading process into two stages, the malware avoids exposing any clearly malicious code in the main APK and makes static analysis more difficult.

Figure 4. Second-stage malicious payload loaded by Loader class

Once this payload is loaded, the app displays a fake financial interface that looks like a real app. It prompts the user to input sensitive details such as their name, card number, CVV, and expiration date. The collected information is then sent to the attacker’s command-and-control (C2) server. After submission, the app shows a fake card management page with messages like “You will receive email confirmation within 48 hours,” giving the false impression that the process is ongoing. All features on the page are fake and do not perform any real function.

 

Figure 5. Fake card verification screen

Monero Mining Process

As mentioned earlier, one of this campaign’s key features is its hidden cryptomining functionality. The app includes a service that listens for specific FCM messages, which trigger for start of the mining process.

 

Figure 6. Firebase messaging service is declared in the manifest.

 

In the second-stage dynamically loaded code, there is a routine that attempts to download a binary file from external sources. The malware contains 3 hardcoded URLs and tries to download the binary from all of them.

Figure 7. Hardcoded URLs used by the malware to download a binary file

 

The downloaded binary is encrypted and has a .so extension, which usually indicates a native library. However, instead of loading it normally, the malware uses ProcessBuilder, a Java class for running external processes, to directly execute the file like a standalone binary.

Figure 8. Executing downloaded binary using ProcessBuilder

What’s particularly interesting is the way the binary is executed. The malware passes a set of arguments to the process that exactly match the command-line options used by XMRig, an open-source mining tool. These include specifying the mining pool server and setting the target coin to Monero.

Figure 9. XMRig-compatible arguments passed to the mining process

 

When the decrypted binary is executed, it displays log messages identical to those produced by XMRig. In summary, this malware is designed to mine Monero in the background on infected devices when it receives specific FCM messages.

Figure 10. Decrypted binary showing XMRig log messages

Recommendations and Conclusion

 

Figure 11. Geographic distribution of infected devices

Telemetry shows that most infections are concentrated in India, which aligns with the campaign’s use of Hindi language and impersonation of Indian financial apps. A small number of detections were also observed in other regions, but these appear to be limited.

What makes this campaign notable is its dual-purpose design, combining financial data theft with background cryptomining, triggered remotely via Firebase Cloud Messaging (FCM). This technique allows the malware to remain dormant and undetected until it receives a specific command, making it harder for users and defenders to detect.

To stay protected, users are strongly advised to download apps only from trusted sources such as Google Play, and to avoid clicking on links received through SMS, WhatsApp, or social media—especially those promoting financial services. It is also important to be cautious when entering personal or banking information into unfamiliar apps. In addition, using a reliable mobile security solution that can detect malicious apps and block phishing websites can provide an added layer of protection against threats like this.

Indicators of Compromise (IOCs)

Type	Value	Description
APK	2c1025c92925fec9c500e4bf7b4e9580f9342d44e21a34a44c1bce435353216c	SBI Credit Card
APK	b01185e1fba96209c01f00728f6265414dfca58c92a66c3b4065a344f72768ce	ICICI Credit Card
APK	80c6435f859468e660a92fc44a2cd80c059c05801dae38b2478c5874429f12a0	Axis Credit Card
APK	59c6a0431d25be7e952fcfb8bd00d3815d8b5341c4b4de54d8288149090dcd74	IndusInd Credit Card
APK	40bae6f2f736fcf03efdbe6243ff28c524dba602492b0dbb5fd280910a87282d	Kotak Credit Card
URL	https[://]www.sbi.mycardcare.in	Phishing Site
URL	https[://]kotak.mycardcard.in	Phishing Site
URL	https[://]axis.mycardcare.in	Phishing Site
URL	https[://]indusind.mycardcare.in	Phishing Site
URL	https[://]icici.mycardcare.in	Phishing Site
Firebase	469967176169	FCM Account

 

 

The post Android Malware Targets Indian Banking Users to Steal Financial Info and Mine Crypto appeared first on McAfee Blog.

Citing national security concerns, the U.S. Department of Commerce last June 2024 issued an immediate ban on the sale of all antivirus software by Russia-based Kaspersky Lab, Inc. in the United States or to U.S. persons. This ban also applied to Kaspersky’s affiliates, subsidiaries and parent companies, as well as to security updates that keep its protection current.

In its official statement, Kaspersky denied the allegations, proposing a “comprehensive assessment framework providing for the verification of its solutions, database updates, threat detection rules by an independent trusted reviewer.” The U.S., however, maintained the ban, warning that Kaspersky users had until September 29, 2024 to switch to new online protection software to stay protected from the latest threats.

To assist digital users with the switch, McAfee put together a quick Q&A to shed light on the pertinent points of the ban and help Kaspersky users find alternative online protection software.

FAQs: The Kaspersky and switching to a new security suite

Did the U.S. government ban the sale of Kaspersky?

Yes. The U.S. Department of Commerce issued a Final Determination, asserting that:

“The Department finds that Kaspersky’s provision of cybersecurity and anti-virus software to U.S. persons, including through third-party entities that integrate Kaspersky cybersecurity or anti-virus software into commercial hardware or software, poses undue and unacceptable risks to U.S. national security and to the security and safety of U.S. persons.”

(i) This news follows the 2017 ban on using Kaspersky software on government devices.

(ii) That ban alleged that Russian hackers used the software to steal classified materials from a device that had Kaspersky software installed.

(iii) Kaspersky has denied such allegations.

Why did the U.S. ban Kaspersky software?

The U.S. government enacted the Kaspersky ban, citing significant national security risks, as Kaspersky software has ties with Russia. U.S. officials are concerned that the Russian government could legally compel Kaspersky to provide sensitive data about its American customers or use its antivirus software’s deep system access to conduct espionage or launch cyberattacks. Antivirus software, by its nature, requires privileged access to a computer’s files, applications, and network traffic, making it a powerful tool if compromised.

This decision began in 2017 when Kaspersky software was initially banned from U.S. federal government systems. In June 2024, the Department of Commerce expanded this prohibition to all U.S. consumers and businesses, halting new sales and critically ending software updates after September 2024. For everyday users, this means the software will no longer be able to protect against new threats, making it imperative to find a secure alternative.

What global actions were undertaken against Kaspersky software?

The Kaspersky software ban in the United States is part of a larger trend of similar warnings and restrictions from several governments. For example, Germany’s Federal Office for Information Security warned consumers against using Kaspersky products shortly after the 2022 invasion of Ukraine, citing the risk of the Russian IT solutions provider being used for hostile actions. Similarly, Lithuania and the Netherlands phased out the software from their government and critical infrastructure systems, citing similar national security concerns. As a result, international travelers and remote workers using Kaspersky could be left digitally unprotected when connecting from countries with active warnings.

What are the alleged security risks linked to Kaspersky Software?

The fundamental Kaspersky software issues cited by security experts and government bodies go beyond simple software bugs. The primary risks for users include:

• Potential for government exploitation: The main concern is that the Russian government could force Kaspersky to cooperate in malicious activities, such as accessing sensitive user data or deploying malware through its updates. This poses serious risks to both privacy and national security.
• Cessation of security updates: Because all Kaspersky software updates for U.S. users were set to stop on September 29, 2024, users of the software would not receive daily patches, exposing their devices and information to viruses, ransomware, and other evolving cyber threats.
• Privileged system access: Antivirus software integrates deeply into your operating system to protect you. If the software itself is compromised, this deep access becomes a powerful point of entry for attackers to steal information, monitor your activity, or take control of your device.
• Supply chain integrity: The U.S. Commerce Department has identified the software’s supply chain as an unacceptable risk, because the process of creating and delivering the software could be compromised, potentially embedding vulnerabilities before it even reaches your computer.

Will I need new online protection software to replace Kaspersky software?

Yes. In addition to barring new sales or agreements with U.S. persons from July 20, 2024, the ban also applies to software updates. Like all online protection software, updates protect users from the latest threats. Without updates, the software leaves people increasingly vulnerable over time. The update part of the ban took hold on September 29, 2024, giving Kaspersky users roughly three months to get new online protection.

Is Kaspersky safe to use in 2025?

No, it is not safe to use Kaspersky software in the U.S., especially after the September 29, 2024 termination of security updates. Cybercriminals constantly create new malware, and without patches, your software will be unable to detect or block these emerging threats, making your computer an easy target for viruses, ransomware, and identity theft. Given this, the clear and urgent recommendation is to uninstall Kaspersky and switch to a trusted security provider to ensure your protection is not interrupted.

How do I remove Kaspersky software?

Removing any type of antivirus depends on your device. The links below lead to the following support pages that can walk you through the process:

• Windows

• Mac OS

• iOS/iPadOS

• Android

Use the official removal tool for a clean uninstall

For a truly clean slate, we recommend using the official Kaspersky Removal Tool, also called “Kavremover.” Standard uninstallation can leave behind residual files, drivers, and registry keys that might conflict with your new security software. This complete Kaspersky removal guide ensures everything is gone.

To start, search for and download the Kavremover tool from Kaspersky’s official support website. For best results on a Windows PC, restart your computer in Safe Mode to ensure no Kaspersky processes are running. Then, simply run the tool, accept the terms, and let it automatically detect and remove all traces of the software. A final restart after the tool finishes will complete the process, leaving your system ready for a new, trusted antivirus solution.

What features should I consider when looking for online protection?

Today, you need more than antivirus to keep you safe against the sophisticated threats of today’s digital age. You need comprehensive online protection that secures your devices, identity, and privacy against hackers, scammers, and thieves.

Comprehensive also means your software continues to evolve, proactively rolling out new features as new threats appear, such as:

• Text scam detector that protects you against the latest scams via text, email, QR codes, and social media. Should you accidentally click, web protection blocks sketchy links that crop up in searches and sites.
• Social privacy manager that helps you adjust more than 100 privacy settings across your social media accounts in a few clicks. Aside from YouTube, we also protect privacy on TikTok, making us the first service to protect users on that platform. That means we now cover the top two platforms that teens use, TikTok and YouTube.
• AI-powered protection. Our U.S.-based, AI-driven award-winning protection blocks the latest threats while providing 3x faster scans with 75% fewer processes running on the PC, as tested by independent labs like AV-Comparatives.

A trusted, integrated alternative

Our solution offers you and your family a single, easy-to-use protection that effectively blocks malware and zero-day attacks; system performance that ensures protection without slowing down your computer; privacy policies that scrutinize how websites handle your data; and overall features for value, including tools like virtual private networks, identity monitoring, and password managers.

Just as importantly, trust is paramount when choosing from software alternatives. As a U.S.-based company with over 30 years of cybersecurity leadership, McAfee goes beyond traditional antivirus solutions with AI-powered threat detection and a comprehensive suite of tools to protect your identity and privacy.

How do I stay protected after removing Kaspersky?

Once you have uninstalled Kaspersky, it is crucial to take immediate steps to secure it. Follow this checklist to ensure your digital life remains safe:

• Consider a trusted security solution: Choose one that gives you a reliable, proven, and comprehensive suite of tools to protect your identity and privacy,
• Install your chosen security suite: Your top priority is to install one of the reliable software alternatives, like McAfee Total Protection. This immediately restores your defense against viruses, malware, and other online threats.
• Activate built-in OS protections: While you install your new software, ensure your device’s native security features, such as Windows Security or macOS’s XProtect, are enabled as a temporary safety net.
• Update everything: Make sure your operating system (Windows, macOS, Android, iOS) and all of your applications are fully updated. These updates often contain critical security patches that protect against known vulnerabilities.
• Run a new system scan: After installing your new security software, perform a complete system scan to ensure no threats were missed during the transition period.
• Backup your important data: Proactively and regularly back up your critical documents, photos, and other files to a secure cloud service or an external hard drive.
• Enable multi-factor authentication (MFA): Add an extra layer of security to your important online accounts, such as email and banking, by enabling MFA.
• Use a password manager: Secure your accounts with strong, unique passwords for every site, managed easily through a password manager.
• Schedule regular scans: Configure your new security software to run regular, automatic scans to maintain ongoing protection.

Will I get a refund for my Kaspersky subscription?

You will need to contact Kaspersky customer support directly to inquire about their refund policy in light of the ban. Policies can vary, so checking with the source is the best course of action.

What happens if I don’t make the switch?

The U.S. government strongly recommends switching immediately due to the identified national security risks. In addition, not switching or installing a new online security solution leaves you unnecessarily exposed. It is far safer to make the switch.

Can I run two antivirus programs at once?

No, you should never have two antivirus programs installed on one device. There is a possibility that they will conflict, causing system slowdowns, crashes, and can even lower your overall security. Always fully uninstall one before installing another.

What about my data that Kaspersky has already collected?

This is a key element of the concerns surrounding the ban. While it’s impossible to retrieve data that has already been collected, you can prevent any future collection by immediately uninstalling the software. Choosing a new security provider with a transparent, user-first privacy policy is the best way to safeguard your data going forward.

Will my new security software import my old settings?

No, security settings are not transferable between different antivirus brands. You will need to configure the settings, such as scheduled scans or parental controls, within your new software. Modern suites like McAfee make this process simple and intuitive.

Final thoughts

The Kaspersky software ban implications extend beyond just one company; it’s a powerful reminder that online security is a continuous journey, and that staying protected means being proactive.

Make it a habit to regularly review the software that protects your digital life, stay updated on the latest security news, and practice safe online behaviors. Your security is in your hands. By choosing trusted partners and staying informed through reliable resources like the McAfee Blog, you can navigate the digital world with confidence.

We hope you’ll strongly consider McAfee as you look for a safe and secure replacement for Kaspersky software. Our decades-long track record of award-winning protection and the highest marks from independent labs speaks to our commitment to protecting you and the global online community.

The post The Kaspersky Software Ban—What You Need to Know to Stay Safe Online appeared first on McAfee Blog.