Cybercriminals are employing a sophisticated phishing campaign that impersonates the cybersecurity firm Avast, aiming to harvest users’ credit card details. This alarming operation tricks victims into believing they are resolving an erroneous charge, leveraging the trusted brand of a major security vendor to bypass user skepticism and acquire sensitive payment data.
The scam operates through a meticulously crafted fraudulent website that closely replicates the authentic Avast portal. This fake site utilizes official color schemes and even loads the legitimate Avast logo from the vendor’s content delivery network, making it appear highly credible. The attack vector focuses on psychological manipulation, presenting visitors with a fabricated transaction record of a €499.99 debit. To instill a sense of urgency, the site warns that cancellation requests must be filed within 72 hours, while simultaneously stating that transactions older than 48 hours are irreversible. This deliberate contradiction is designed to exploit panicked users focused on the substantial financial loss.
Technical Mechanics of Data Capture and Evasion
This phishing campaign employs dynamic scripting to maximize its impact. Malwarebytes analysts identified a specific JavaScript line that reads the local system clock, automatically inserting the current date into the transaction record. This ensures that regardless of when a user accesses the site, the fraudulent charge appears to be recent, heightening the shock value. The campaign is designed to ensnare a diverse range of potential victims, including actual Avast customers mistakenly believing it’s a billing error, former subscribers whose accounts may have renewed unexpectedly, and even non-customers who fear identity theft upon seeing the unexpected charge.
The fraudulent page further enhances its credibility by allowing anyone to proceed directly to the harvesting forms without requiring a login or license key. This open design casts a wide net, catching even opportunists hoping to claim a refund they are not owed. Once a victim submits their personal contact details, a modal dialog explicitly requests full credit card information, including the number, expiration date, and CVV code.
To ensure the utility of the stolen data, the attackers have implemented the Luhn algorithm within the page's JavaScript. This checksum validation verifies the structural integrity of the entered credit card number in real time, rejecting mistyped or incomplete card numbers before they are submitted. Only numbers that pass the check are accepted; they are then bundled into a JSON object and transmitted via a POST request to a backend file named `send.php`.
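The Luhn check described above, as an added example (not code from the phishing page or from Malwarebytes), paired with a small scanner that flags which fields of a JSON form submission carry a Luhn-valid card number, the kind of rule a proxy or DLP filter could apply to catch this sort of exfiltration. The field names and the sample body are assumptions; the card number is a well-known test PAN.

```javascript
// Luhn checksum as used on the phishing page: double every second digit
// from the right, subtract 9 from doubled values over 9, sum, check mod 10.
// A passing number has a valid structure, not necessarily a real account.
function luhnValid(pan) {
  const digits = pan.replace(/[\s-]/g, "");
  if (!/^\d{12,19}$/.test(digits)) return false; // card numbers are 12-19 digits
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Defensive use: given a parsed JSON POST body, return the keys whose
// string values look like a Luhn-valid card number so the request can be
// blocked or alerted on before it reaches an endpoint like send.php.
function findCardFields(body) {
  const hits = [];
  for (const [key, value] of Object.entries(body)) {
    if (typeof value === "string" && luhnValid(value)) hits.push(key);
  }
  return hits;
}

// Constructed sample body shaped like the bundle the article describes
// (field names are assumptions, not taken from the real page).
const sampleBody = {
  name: "Jane Example",
  email: "jane@example.invalid",
  card: "4111 1111 1111 1111", // standard test PAN, Luhn-valid
  exp: "12/27",
  cvv: "123",
};

console.log(findCardFields(sampleBody)); // ["card"]
```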
Distinctively, the site also embeds a live chat widget from Tawk.to, specifically using account identifier `689773de2f0f7c192611b3bf`. This allows the operators to engage with hesitant victims in real-time, acting as a “support agent” to nudge them toward completing the fraudulent transaction. Following the data theft, users are redirected to a confirmation page. This final social engineering tactic is intended to lull the victim into a false sense of security, potentially discouraging them from taking immediate protective measures.
To defend against such pervasive threats, users must recognize the clear warning signs of refund fraud. Legitimate vendors will never request a full credit card number and security code to process a refund, as they already possess the necessary transaction data. If a suspicious charge is encountered, it is crucial to navigate directly to the company’s official website, rather than clicking on links within unsolicited messages. For individuals who may have already entered their details, contacting their bank immediately to cancel the compromised card and dispute any pending charges is critical. It is also advisable to change passwords for any accounts associated with the email address provided to the scammers, as this data can increase the risk of future account takeovers.
If uncertainty persists, submitting suspicious messages to detection tools like Scam Guard for review can provide valuable insight. Furthermore, maintaining updated operating systems and applications, and running comprehensive scans with reputable security software, are essential steps to ensure no additional malware or remote access tools were introduced during interaction with such fraudulent sites. This ongoing threat underscores the importance of vigilance and education in cybersecurity.