Phishing – Gridinsoft Blog (https://gridinsoft.com/blogs)
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Beyond Validation: Announcing the Gridinsoft Email Security Checker Upgrade
https://gridinsoft.com/blogs/upgrade-email-security-audit-by-gridinsoft/
Published Thu, 08 Jan 2026 02:15:13 +0000

The post Beyond Validation: Announcing the Gridinsoft Email Security Checker Upgrade appeared first on Gridinsoft Blog.

In an era where phishing attacks are becoming increasingly sophisticated, simply knowing if an email address exists is no longer enough to ensure safety. Phishing messages often look strikingly real, coming from domains that seem legitimate until you look under the hood.

Today, we are proud to announce a significant leap forward in communication security with the release of the enhanced Gridinsoft Email Security Checker.

Gridinsoft Email Security Checker Upgrade

Not Just a Check, But a Full Audit

We have moved beyond simple syntax validation to a comprehensive 4-Pillar Security Audit. This new engine is designed to provide deep intelligence on every email you analyze, giving you a definitive verdict on whether a message is safe to engage with.

1. Real-Time Technical Verification

Our engine now performs deep-level MX record analysis and SMTP simulation. We don’t just check if the domain exists; we verify if the mailbox is physically active and ready to receive mail, identifying “ghost” accounts often used in automation.

2. AI-Powered Content Analysis

The heart of the upgrade is our new AI analysis engine. By scanning the message body for subtle phishing patterns, social engineering tactics, and fraudulent link structures, our AI provides a contextual safety score. It doesn’t just look for bad words; it understands the intent of the sender.

3. Global Threat Intelligence

Connected to real-time spam blacklists (DNSBL), the checker cross-references every sender against millions of known malicious records. If a sender has a history of fraud, you’ll know instantly.

4. Infrastructure & Reputation Auditing

Scammers often hide behind “burner” or disposable email addresses. Our enhanced detection identifies these high-risk providers and evaluates domain intelligence (like domain age) to flag suspicious “newborn” domains often used in targeted attacks.
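To make the four pillars concrete, here is a small Python sketch of how the DNS-based parts of such an audit fit together: an MX lookup, a DNSBL cross-reference, a disposable-provider check and a domain-age check, combined into the same SAFE / SUSPICIOUS / DANGEROUS verdicts. This is an added illustration, not the code behind the Gridinsoft checker. The DNSBL zone, the disposable-provider list, the 30-day “newborn” threshold and the DNS answers are all constructed, and DNS resolution is passed in as a function so the script runs offline. SMTP mailbox probing and the AI content analysis are not shown.

```python
"""Sender-domain audit sketch (added example, not Gridinsoft's code).
Only the DNS-based checks are modelled; resolution is injected so it runs offline."""
import ipaddress
from datetime import date, timedelta
from typing import Callable, Dict, List

# resolver(name, record_type) -> list of record strings; [] when there are none.
Resolver = Callable[[str, str], List[str]]

# Constructed sample data and thresholds (assumptions, not Gridinsoft's lists).
DISPOSABLE_PROVIDERS = {"mailinator.com", "guerrillamail.com", "10minutemail.com"}
DNSBL_ZONES = ["bl.example.net"]  # placeholder zone; a real checker queries public DNSBLs
NEWBORN_DAYS = 30


def mx_hosts(domain: str, resolve: Resolver) -> List[str]:
    """Pillar 1: MX hostnames for the domain, lowest preference first."""
    records = []
    for rr in resolve(domain, "MX"):
        pref, host = rr.split(None, 1)
        records.append((int(pref), host.rstrip(".").lower()))
    return [host for _, host in sorted(records)]


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the zone.
    1.2.3.4 checked against bl.example.net becomes 4.3.2.1.bl.example.net."""
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("this example handles IPv4 DNSBL lookups only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_listings(ip: str, resolve: Resolver, zones: List[str] = DNSBL_ZONES) -> List[str]:
    """Pillar 3: zones that list the IP. A DNSBL answers a listed IP with an
    A record in 127.0.0.0/8; no answer (empty list here) means not listed."""
    hits = []
    for zone in zones:
        answers = resolve(dnsbl_name(ip, zone), "A")
        if any(a.startswith("127.") for a in answers):
            hits.append(zone)
    return hits


def is_newborn(created: date, today: date, max_age_days: int = NEWBORN_DAYS) -> bool:
    """Pillar 4: a registration younger than the threshold is treated as suspicious."""
    return (today - created) < timedelta(days=max_age_days)


def audit_sender(address: str, sending_ip: str, created: date, today: date,
                 resolve: Resolver) -> Dict[str, object]:
    """Combine the checks into one of the three verdicts used in the report."""
    domain = address.rsplit("@", 1)[-1].lower()
    findings: Dict[str, object] = {
        "mx": mx_hosts(domain, resolve),
        "dnsbl": dnsbl_listings(sending_ip, resolve),
        "disposable": domain in DISPOSABLE_PROVIDERS,
        "newborn": is_newborn(created, today),
    }
    if findings["dnsbl"]:
        verdict = "DANGEROUS"          # known bad reputation wins
    elif not findings["mx"] or findings["disposable"] or findings["newborn"]:
        verdict = "SUSPICIOUS"         # cannot receive mail, burner provider or brand-new domain
    else:
        verdict = "SAFE"
    findings["verdict"] = verdict
    return findings


# Constructed DNS answers standing in for live lookups.
FAKE_DNS = {
    ("example.com", "MX"): ["10 mx1.example.com.", "20 mx2.example.com."],
    ("newshop.example", "MX"): ["10 mail.newshop.example."],
    # 203.0.113.9 reversed and appended to the placeholder zone: listed.
    ("9.113.0.203.bl.example.net", "A"): ["127.0.0.2"],
}


def fake_resolve(name: str, rtype: str) -> List[str]:
    return FAKE_DNS.get((name.lower(), rtype), [])


def demo_verdicts(today: date = date(2026, 1, 8)) -> Dict[str, str]:
    """Run four constructed senders through the audit and return their verdicts."""
    cases = [
        ("alice@example.com", "198.51.100.7", date(2010, 5, 1)),      # established, clean
        ("deals@newshop.example", "198.51.100.8", date(2025, 12, 30)),  # registered days ago
        ("noreply@example.com", "203.0.113.9", date(2010, 5, 1)),      # sending IP is listed
        ("temp@mailinator.com", "198.51.100.9", date(2012, 1, 1)),     # disposable provider
    ]
    return {a: str(audit_sender(a, ip, c, today, fake_resolve)["verdict"]) for a, ip, c in cases}


if __name__ == "__main__":
    for sender, verdict in demo_verdicts().items():
        print(f"{sender:28} {verdict}")
```

The verdict ordering is the design choice worth noting: a DNSBL hit is treated as conclusive, while the other three signals only downgrade a sender to SUSPICIOUS, because a missing MX record or a young domain is common for legitimate but poorly configured senders.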

A Visual, Actionable Report

Safety shouldn’t be technical or confusing. Our redesigned report provides:

  • Clear Verdicts: Instant color-coded headers (SAFE, SUSPICIOUS, or DANGEROUS).
  • Security Scorecard: A transparent breakdown of the four pillars.
  • Actionable Advice: Direct recommendations like “Safe to reply” or “Do not click links.”

Global Protection, Total Privacy

Gridinsoft is committed to a safer internet for everyone. That’s why the new Email Checker is:

  • Fully Localized: Available in 7 languages (English, Ukrainian, Spanish, Portuguese, German, French, and Chinese).
  • Zero-Tracking: We do not store your message content or track your identity. Every check is strictly anonymous and processed over secure SSL/TLS channels.

Protect Your Inbox Today

The upgraded Email Security Checker is live now and free for all users. Secure your digital communications and stay one step ahead of the scammers.

Try the Email Security Checker Now

Fortnite V-Bucks Generator Scam: Why ‘Free V-Bucks’ Sites Are Dangerous
https://gridinsoft.com/blogs/fortnite-v-bucks-generator-scam/
Published Fri, 13 Jun 2025 23:35:11 +0000

The post Fortnite V-Bucks Generator Scam: Why ‘Free V-Bucks’ Sites Are Dangerous appeared first on Gridinsoft Blog.

When you see a website promising free Fortnite V-Bucks, you’re looking at a carefully crafted trap. These sites can’t actually generate V-Bucks—that’s technically impossible—but they’re extremely good at stealing your account information, infecting your device with malware, and collecting personal data they can sell to other criminals.

Analysis of domains like 750ge.com, Ggfn.us (you can find more here and here) reveals standard phishing techniques combined with malware distribution mechanisms. The sites exploit Fortnite’s popularity to target users who want free premium content, using social engineering tactics similar to Roblox scams and other online fraud schemes.

Threat Summary

Threat Name: “Fortnite V-Bucks Generator” Scam Website
Threat Type: Phishing, Scam, Social Engineering, Fraud, Malware Distribution
Fake Claim: Users can generate V-Bucks (Fortnite in-game currency) for free
Related Domains: 750ge.com, ggfn.us, vbbv.store, vuxgou.com, an1.is, moviezone.shop
Distribution Methods: SEO poisoning, compromised websites, malicious ads, social media spam, gaming forums
Target Platforms: Windows, macOS, Android, iOS, gaming consoles
Potential Damage: Account theft, malware infections, financial loss, identity theft, personal data harvesting
Common Payloads: InfoStealer malware, banking trojans, adware, cryptocurrency miners, ransomware

Analysis of domains like 750ge.com, Ggfn.us (you can find more here and here) reveals standard phishing techniques combined with malware distribution mechanisms. The sites exploit Fortnite’s popularity to target users who want free premium content, using social engineering tactics to bypass security awareness.

Example 1: Fake Fortnite V-Bucks Generator

Epic Games has confirmed that no legitimate V-Bucks generators exist outside their official platforms. Any site claiming otherwise is operating a fraud scheme that poses significant security risks to users.

Technical Analysis of V-Bucks Generator Operations

V-Bucks generator sites follow a standardized attack pattern designed to maximize data collection and malware distribution. The process typically involves four stages: initial attraction, credential harvesting, verification exploitation, and payload delivery.

Example 2: Free Fortnite V-Bucks Scam

Stage one uses current Fortnite branding and references to recent game updates to establish credibility. Sites often copy official Epic Games visual elements and use domain names that suggest legitimacy while avoiding direct trademark infringement.

Stage two collects user identifiers including Fortnite usernames, platform selections, and desired V-Buck amounts. This data serves multiple purposes: account targeting for future attacks, platform-specific malware selection, and psychological commitment techniques that increase completion rates.

Stage 2: Collect Username and Platform

Stage three implements “human verification” mechanisms that serve as delivery vectors for malicious content. These include forced mobile app installations, survey completions that harvest personal information, social media sharing requirements that spread the scam, and direct credential capture attempts.

Stage 3: Fake Human Verification

Stage four delivers the actual payload, which varies by target platform and user value assessment. High-value targets may receive banking trojans or cryptocurrency stealers, while general users typically encounter adware or basic information stealers.

Technical Analysis: JavaScript Tracking Infrastructure

Analysis of the 750get.com JavaScript code reveals tracking mechanisms. The site uses immediately invoked function expressions (IIFE) to inject tracking pixels and affiliate identifiers without user knowledge:

(function () {var it_id=4415856;var html="...

The identifier `4415856` appears across multiple domains including both 750get.com and ggfn.us, confirming these sites operate as part of a coordinated criminal network. This shared affiliate tracking code demonstrates centralized infrastructure management, revenue attribution systems, and organized distribution of compromised user data among network participants.

Cross-domain analysis reveals identical JavaScript implementations across the scam network:

// Found on both 750get.com and ggfn.us
(function () {var it_id=4415856;var html="...

This code replication indicates professional criminal operations with standardized tracking infrastructure, shared revenue models, and coordinated technical deployment across multiple domains. The consistent affiliate ID usage allows network operators to track user interactions across different entry points and attribute successful compromises to specific campaign sources.
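The pivot described here, finding domains that belong together because they embed the same tracking identifier, is easy to automate once script text has been captured per domain. The following Python script is an added example, not part of the original analysis: the inline-script samples are constructed, and only the value 4415856 and the two domain names come from the article. The extractor is slightly more general than the text needs, picking up any `name_id = <digits>` style assignment rather than just `it_id`.

```python
"""Cluster domains by shared tracking identifiers (added example, constructed samples)."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed samples: the opening statement of each page's inline script.
SAMPLES: Dict[str, str] = {
    "750get.com": '(function () {var it_id=4415856;var html="<img src=\'/px.gif\'>";})();',
    "ggfn.us": '(function () {var it_id=4415856;var html="";})();',
    "unrelated.example": '(function () {var it_id=99001122; var cmp_id = "77001";})();',
}

# A name ending in "id" (it_id, aff_id, cmp_id, uid...), "=", optional quote, 5+ digits.
ID_PATTERN = re.compile(r"\b([A-Za-z_]\w*id)\s*=\s*['\"]?(\d{5,})")


def extract_ids(script: str) -> Set[Tuple[str, str]]:
    """Return (name, value) pairs for every identifier-like assignment in the script."""
    return {(m.group(1), m.group(2)) for m in ID_PATTERN.finditer(script)}


def cluster_by_id(samples: Dict[str, str]) -> Dict[Tuple[str, str], List[str]]:
    """Map each identifier to the sorted domains carrying it, keeping only
    identifiers seen on two or more domains: those are the pivot points."""
    seen: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for domain, script in samples.items():
        for ident in extract_ids(script):
            seen[ident].add(domain)
    return {ident: sorted(domains) for ident, domains in seen.items() if len(domains) > 1}


def related_domains(domain: str, samples: Dict[str, str]) -> Set[str]:
    """Other domains sharing at least one identifier with `domain`."""
    mine = extract_ids(samples.get(domain, ""))
    return {d for d, s in samples.items() if d != domain and extract_ids(s) & mine}


if __name__ == "__main__":
    for (name, value), domains in cluster_by_id(SAMPLES).items():
        print(f"{name}={value} shared by: {', '.join(domains)}")
```

Identifiers that appear on a single domain are dropped on purpose: a value is only evidence of shared infrastructure when it recurs, which is exactly the observation made about 4415856 above.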

V-Bucks Infrastructure and Generation Impossibility

V-Bucks are server-side digital tokens managed exclusively through Epic Games’ backend infrastructure. The currency exists as database entries on Epic’s authenticated servers, with all transactions processed through secure API endpoints that require valid authentication tokens and payment verification.

External websites cannot interact with Epic Games’ V-Bucks API because it requires authenticated access through Epic’s OAuth 2.0 implementation, CSRF tokens, and validated payment processor integration. Third-party sites lack the necessary certificates, API keys, and server-side authentication required for legitimate V-Bucks transactions.

Epic’s official documentation specifies four legitimate acquisition methods: direct purchase through authorized platforms, Fortnite Crew subscription, Battle Pass progression rewards, and Save the World mode earnings. All methods require authenticated transactions through Epic’s payment processing system.

Security Risks and Attack Vectors

V-Bucks generator sites present multiple attack vectors targeting user accounts, devices, and personal information. Account compromise occurs through credential theft, session hijacking, and authentication bypass techniques that allow unauthorized access to Epic Games accounts and associated payment methods.

Malware distribution happens primarily through the verification stage, where users download mobile applications or browser extensions containing information stealers, banking trojans, and cryptocurrency wallet extractors. Common families include Stealer-type malware targeting browser credentials, AutoFill data, and local wallet files.

What makes these scams particularly dangerous is how much personal information they collect. Beyond obvious details like your name and email, they’re harvesting your gaming habits, spending patterns, and even information about your friends and family. This data gets sold on dark web marketplaces where criminals pay premium prices for gaming-focused profiles—especially those belonging to young users with access to parents’ payment methods.

These criminal networks don’t just rely on fake websites. They also plant malicious ads on legitimate sites, exploit security holes in web browsers, and even hijack internet traffic to redirect you from real gaming sites to their fake ones. You might think you’re visiting Epic Games’ official website, but end up on a convincing replica designed to steal your login credentials.

INCIDENT RESPONSE PROTOCOL (for users who accessed V-Bucks generator sites)

  1. Account Security: Revoke all Epic Games sessions, reset password, enable 2FA
  2. System Scan: Run full InfoStealer malware scan with updated definitions
  3. Browser Cleanup: Clear saved passwords, authentication tokens, browsing data
  4. Financial Review: Monitor transactions, dispute unauthorized charges
  5. Documentation: Record incident details for law enforcement if needed

TIME CRITICAL: The first 24 hours are crucial for limiting the damage scope.

Technical Indicators and Domain Analysis

Scam identification relies on specific technical indicators rather than subjective assessment. Domain analysis reveals patterns in DNS registration, SSL certificate authorities, and hosting infrastructure that distinguish legitimate services from fraudulent operations.

Real V-Bucks can only come from a handful of places: Epic Games’ own websites, your console’s official store, or verified app stores like Google Play and the App Store. That’s it. Any other website claiming to sell or give away V-Bucks is lying—they simply don’t have the technical access to Epic’s payment systems that would make this possible.

Infrastructure analysis shows scam sites typically use shared hosting services, generic SSL certificates from free authorities, and domain registrations through privacy services that hide owner information. Legitimate gaming services use dedicated hosting, Extended Validation certificates, and transparent business registration.

URL structure examination reveals additional indicators: legitimate platforms use consistent subdomain patterns, HTTPS enforcement, and standardized API endpoints. Scam sites often employ URL shorteners, mixed HTTP/HTTPS protocols, and randomized path structures to evade detection.

Network behavior analysis shows scam sites frequently redirect users through multiple domains, implement anti-analysis techniques like user-agent filtering, and serve different content based on geographic location or referrer information.

Legitimate V-Bucks Acquisition Methods

Epic Games implements four authenticated V-Bucks acquisition channels, each with specific technical requirements and transaction verification processes. All legitimate methods require authenticated API calls to Epic’s payment processing system with valid user tokens and platform-specific payment verification.

Direct purchase transactions occur through Epic’s payment API integration with authorized payment processors including PayPal, Stripe, and platform-specific billing systems. Transactions require two-factor authentication, encrypted payment token validation, and real-time fraud detection before V-Bucks allocation to user accounts.

Fortnite Crew subscriptions utilize recurring billing APIs that automatically process monthly payments and distribute 1,000 V-Bucks plus Battle Pass access through Epic’s subscription management system. The subscription service validates payment status before each monthly V-Bucks distribution.

Battle Pass V-Bucks distribution happens through Epic’s progression tracking system, which validates challenge completion against server-side records before releasing V-Bucks rewards. The system typically provides 1,300-1,500 V-Bucks for completed Battle Pass progression, requiring 950 V-Bucks initial investment.

Battle Pass 100 V-Bucks

Save the World mode V-Bucks generation operates through Epic’s PvE progression API, tracking daily login streaks, mission completions, and achievement unlocks. This system validates user progress against anti-cheat systems before distributing V-Bucks rewards through the same secure API used for purchases.

The Broader Gaming Scam Ecosystem

V-Bucks generators represent just one facet of a larger criminal ecosystem targeting gamers. Similar scams exist for virtually every popular game with in-game currency. Roblox Robux generators target younger players, while cryptocurrency-based games face their own unique threats.

What’s frustrating is how well these tactics work. Scammers know that gamers—especially younger ones—desperately want premium content and might take risks to get it for free. They’ve perfected the art of making fake sites look authentic, complete with stolen logos, fake testimonials, and countdown timers that create artificial urgency similar to online shopping scams.

These operations are often international, making law enforcement difficult. Scammers register domains in countries with lax regulations and use hosting providers that don’t verify customer identities. This makes shutting down individual sites a game of whack-a-mole, with new domains appearing as fast as old ones are removed—a pattern we see in Telegram scams and other evolving fraud schemes.

The financial incentives are substantial. A successful scam site can compromise thousands of accounts, each potentially worth hundreds of dollars in stolen content or unauthorized purchases. The personal information collected can be sold to other criminals, creating multiple revenue streams from a single operation. This data often ends up in InfoStealer malware databases used for identity theft and account takeovers.

Protecting Young Gamers

Parents and guardians face particular challenges protecting children from these scams. Young gamers are natural targets because they often lack the experience to recognize sophisticated deception and may not understand the consequences of sharing personal information online. Similar to sextortion scams that target young people, these gaming scams exploit trust and inexperience.

Rather than simply forbidding gaming sites, explaining the reality works better. When kids understand that V-Buck generators are literally impossible—like claiming to print real money on a home printer—they become naturally skeptical. Show them how Epic Games actually makes money (by selling V-Bucks) and why they’d never give that revenue away for free.

Setting up proper account security is crucial. Two-factor authentication should be enabled on all gaming accounts, and parents should receive notifications about account changes and purchases. Many gaming platforms offer parental controls that can limit spending and prevent unauthorized account modifications. Consider using parental control software to monitor and protect young users’ online activities.

Regular conversations about online safety help children feel comfortable reporting suspicious websites or unexpected contact from strangers. Creating an environment where children can ask questions without fear of punishment encourages them to seek help when they encounter potential threats. Teach them to recognize common scam warning signs and social engineering tactics used by cybercriminals.

The Industry Response

Gaming companies have become increasingly active in combating these scams, though their efforts face significant challenges. Epic Games regularly reports scam sites to hosting providers and domain registrars, but new sites appear faster than old ones can be shut down.

Social media platforms have implemented policies against scam advertisements, but enforcement remains inconsistent. YouTube, where many users first encounter these scams, has improved its detection of scam content but still struggles with the volume of new uploads.

The development of blockchain gaming and cryptocurrency integration has created new opportunities for scammers, who now promise free tokens and NFTs alongside traditional in-game currency. This evolution requires constant vigilance from both companies and users.

Industry cooperation has improved, with gaming companies sharing information about scam operations and coordinating responses. However, the international nature of many scam operations limits the effectiveness of legal action.

Taking Action Against Scams

Individual users can contribute to the fight against gaming scams by reporting suspicious sites and content. Epic Games provides official channels for reporting scam sites, and most social media platforms have mechanisms for reporting fraudulent content. Consider also reporting to cybersecurity organizations that track online scam patterns.

If you encounter a V-Buck generator scam, documenting and reporting it helps protect other users. Screenshots of the scam process, domain names, and any associated social media accounts provide valuable information for investigators. Share your experience on gaming forums and communities to warn others about new scam techniques.

Sharing knowledge within gaming communities helps spread awareness. When friends or family members mention “free V-Bucks” opportunities, taking time to explain why these are scams can prevent them from becoming victims. Create a culture of security awareness in your gaming groups.

Installing proper security software like Gridinsoft Anti-malware provides protection against malware distributed through scam sites. While prevention is always preferable, having tools to detect and remove malicious software provides important backup protection.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Frequently Asked Questions (FAQ)

What is a “Fortnite V-Bucks Generator” scam?

A V-Bucks generator scam is a deceptive website that falsely promises to generate free V-Bucks (Fortnite’s in-game currency) for users. These sites cannot actually generate V-Bucks—which exist only on Epic Games’ secure servers—but instead steal personal information, distribute malware, or redirect users to other scam sites. They exploit the popularity of Fortnite to target users, especially younger players who want premium content without paying.

How do V-Bucks generator scams work?

These scams typically follow a four-stage process: First, they attract users with promises of free V-Bucks using official Fortnite branding. Second, they collect user information like Fortnite usernames and desired V-Buck amounts. Third, they implement fake “human verification” steps that require downloading apps, completing surveys, or sharing personal data. Finally, they deliver malware, steal credentials, or redirect to other fraudulent sites. No actual V-Bucks are ever generated.

How did I encounter a V-Bucks generator scam?

V-Bucks generator scams are promoted through multiple channels including malicious advertisements, compromised websites, SEO poisoning that makes them appear in search results, social media spam, gaming forum posts, and potentially unwanted applications. Some users encounter them through fake CAPTCHA sites or while searching for legitimate Fortnite content.

Why can’t external websites actually generate V-Bucks?

V-Bucks are digital tokens stored exclusively on Epic Games’ secure backend infrastructure. External websites cannot interact with Epic’s V-Bucks API because it requires authenticated access through Epic’s OAuth 2.0 system, CSRF tokens, and validated payment processor integration. Third-party sites lack the necessary certificates, API keys, and server-side authentication. Only Epic Games’ official platforms can create or distribute legitimate V-Bucks.

What should I do if I fell for a V-Bucks generator scam?

If you’ve interacted with a V-Bucks generator scam, take immediate action: Change your Epic Games password and enable two-factor authentication, scan your device with reputable antivirus software like Gridinsoft Anti-malware, clear your browser data and remove suspicious extensions, monitor your financial accounts for unauthorized transactions, and consider placing fraud alerts if you shared personal information. Contact Epic Games support if you suspect your account has been compromised.

How can I protect myself from V-Bucks generator scams?

Protect yourself by understanding that V-Bucks generators are technically impossible, only purchasing V-Bucks through Epic Games’ official channels, avoiding suspicious links and advertisements, keeping your security software updated, enabling two-factor authentication on gaming accounts, and educating young gamers about these scams. Be especially wary of offers that seem too good to be true or require personal information for “verification.”

Are there legitimate ways to get free V-Bucks?

Yes, Epic Games provides several legitimate ways to earn V-Bucks: through Battle Pass progression (which provides more V-Bucks than it costs), Fortnite Crew subscription (1,000 V-Bucks monthly), Save the World mode earnings (daily login rewards and mission completions), and occasional promotional events. All legitimate methods require playing the game and are distributed through Epic’s secure systems.

What types of malware do V-Bucks generator sites distribute?

V-Bucks generator sites commonly distribute InfoStealer malware that harvests browser credentials and personal data, banking trojans targeting financial information, adware that displays unwanted advertisements, cryptocurrency miners that use your device’s resources, and ransomware in severe cases. Mobile users may encounter fake apps that request excessive permissions to access contacts, messages, and device storage.

How can I report V-Bucks generator scams?

Report V-Bucks generator scams through Epic Games’ official reporting channels, your country’s cybercrime reporting center, the hosting provider of the scam website, and social media platforms if the scam was promoted there. Include screenshots, domain names, and any associated social media accounts in your reports to help investigators track and shut down these operations.

Looking Forward

The popularity of Fortnite and similar games means V-Buck generator scams will likely continue evolving. As security awareness increases and platforms improve their detection capabilities, scammers adapt their tactics to maintain effectiveness.

Recent trends include more sophisticated social engineering, better website design, and integration with legitimate-looking payment processors. Some scams now use artificial intelligence to generate more convincing promotional content and social media profiles.

The rise of mobile gaming has created new attack vectors, with scammers developing fake mobile apps that promise free in-game currency. These apps often request extensive permissions that allow access to contacts, messages, and other sensitive information.

Education remains the most effective defense against these evolving threats. Users who understand the basic principles of how games work and why free currency generators are impossible will be protected against current scams and better equipped to recognize new variations.

Conclusion

Here’s the bottom line: V-Buck generators are a technical impossibility masquerading as free money. These sites exist solely to steal your information and infect your devices. They can’t access Epic’s servers, can’t generate real V-Bucks, and can’t deliver on any of their promises.

Epic Games has built their payment system like a digital fortress—with multiple layers of security, encrypted connections, and authentication requirements that no external website can bypass. When scammers claim they can generate V-Bucks, they’re not just lying about their product—they’re lying about basic computer science.

Protecting yourself is straightforward: understand that free V-Buck generators can’t exist, enable two-factor authentication on your gaming accounts, and run security software like Gridinsoft Anti-malware to catch any malware these sites might try to install. Stay informed about common scam tactics and teach others about these threats.

Most importantly, treat V-Bucks like real money—because they are. You wouldn’t trust a random website offering free cash, so don’t trust one offering free gaming currency. When in doubt, stick to Epic Games’ official channels and remember: if it sounds too good to be true, it’s probably designed to steal from you. For more protection strategies, check our guides on spotting digital scams, avoiding cryptocurrency fraud, and protecting against InfoStealer malware.

“Someone Entered Correct Password For Your Account” Email Scam
https://gridinsoft.com/blogs/someone-entered-correct-password-for-your-account-scam/
Published Sat, 03 May 2025 07:26:49 +0000

The post “Someone Entered Correct Password For Your Account” Email Scam appeared first on Gridinsoft Blog.

“Someone Entered Correct Password For Your Account” is a wave of scam emails that pretends to be a security alert. These messages are designed to panic you into acting quickly, but in reality, every claim they make is a lie. In this article, I will explain why the email is fake and how to distinguish it from real security notifications.

Someone Entered Correct Password For Your Account Email Scam Overview

Our security team classified the “Someone Entered Correct Password For Your Account” email as a phishing scam, a form of social engineering designed to exploit users’ fears of unauthorized account access. Multiple sources confirm its prevalence, its deceptive nature, and the real risk it poses to an unaware user.

One of the variations of the scam email

An important thing to say is that the scam is not linked to any legitimate service provider, regardless of the disguise it takes. Its main aim is to steal email login credentials by tricking users into believing the message comes from a legitimate online service they use.

The message says that someone has entered your password and attempted access from an unrecognized device or IP address, which immediately scares the user and adds to the sense of urgency. Message bodies may include fake details and images, such as an IP address labeled “Secured” and a computer user name like “[Your Username]_computer”. All of this is an attempt to mimic legitimate security alerts from services like Gmail or Yahoo, so that unsuspecting users are more likely to fall into the trap.

How Does the Someone Entered Correct Password For Your Account Scam Work?

The Someone Entered Correct Password For Your Account scam hinges on the link embedded in the message body. To mask the real website address, fraudsters use URL shortener services or hide the address behind hyperlinked text. The disguise is topped off with a “CLICK HERE” prompt placed right in front of the malicious link.

This link redirects the victim to a fake login page that closely resembles that of the service the attackers are impersonating. If the user enters their credentials, the data is sent straight to the scammers. One example of such a phishing domain is portfolio.cept.ac[.]in (analysis link), associated with IP address 103.229.5.70 and flagged by several security tools, including our GridinSoft Website Reputation Checker. Once cybercriminals have the login information, they can lock the user out of the account, access personal data, and use the compromised account to target others.

Phishing page example
Phishing page from the email

Curious to see whether you can trust the websites you browse daily? Website Reputation Scanner by GridinSoft is a free and easy way to get comprehensive information about a web page, with a clear verdict on its trustworthiness.

The data attackers obtain this way is often exploited further. The most prominent examples of such misuse are financial fraud and malware distribution, all carried out in the name of the unsuspecting user. Attackers might also blackmail victims, claiming to hold personal emails, documents, or photos. Such claims are typically false, but what con actors can do with a compromised account can quickly make the victim believe them.

What Are the Risks?

The Someone Entered Correct Password For Your Account email itself poses no threat to the user until they interact with it. But if they follow the instructions in the email, the risks can be quite serious: unauthorized access to personal accounts (e.g., email, social media, banking), theft of sensitive data (e.g., emails, photos, documents), identity theft, financial loss, and reputational damage. Scammers can also use compromised accounts to spread malware or conduct further phishing campaigns.

For example, if credit card information was disclosed, attackers can try to withdraw money, and in quite a few cases they will succeed. If you notice any signs of identity theft, contact the Federal Trade Commission for assistance. Also, contact your bank immediately to block the card and order a new one.

I’ve got the Someone Entered Correct Password For Your Account Email, What Should I Do?

If you have become a target of this scam, it’s important to respond quickly and methodically to reduce potential harm. First, don’t interact with the suspicious email: avoid clicking any links or downloading attachments. Always verify alerts by going directly to the official website of the service in question instead of using links in the email. Once logged in, check your account for any unusual activity.

If there’s any sign your account may be compromised, change your passwords immediately. Choose strong, unique passwords and consider using a password manager to help with storage and generation. Enabling two-factor authentication on all your accounts adds an extra layer of protection and can help block unauthorized access.

Beyond that, learn how to spot phishing attempts, especially those that try to create urgency or ask for sensitive information. As a rule of thumb, never open attachments or click on links from unknown or shady sources. And remember, legitimate companies usually won’t send password reset links unless you specifically requested them.

The post “Someone Entered Correct Password For Your Account” Email Scam appeared first on Gridinsoft Blog.

Bank Details Email Scam
https://gridinsoft.com/blogs/bank-details-email-scam/
Wed, 09 Apr 2025 09:03:27 +0000

“Bank Details” is yet another scam campaign targeting not-so-savvy internet users. In this post, I will tell you how to recognize the scam and how not to fall victim to it.

Bank Details Scam Overview

The “Bank Details” phishing email scam is a sophisticated social engineering attack where cybercriminals impersonate legitimate banks or companies, sending emails that request recipients to update or confirm their bank account details. These emails are designed to appear authentic, often using official logos and formatting, to deceive victims into providing sensitive information such as account numbers, passwords, or other financial data.

Phishing "Bank Details" email screenshot
Phishing “Bank Details” email

The primary objective is to facilitate identity theft, unauthorized transactions, or further financial fraud, leading to significant monetary losses and privacy breaches for victims. Recent research notes this scam’s prevalence and its association with phishing campaigns that use attachments to redirect users to fraudulent websites. Its impact can include unauthorized online purchases, changed passwords, and identity theft, as evidenced by alerts from various financial institutions warning about similar impersonation tactics.

How It Works

The “Bank Details” scam operates by a classic scheme: it exploits the victim’s trust in the name of a well-known banking institution and, of course, the urgency of the supposedly required actions. Initially, scammers send an email that appears to originate from a trusted source, such as a bank, with subject lines like “Update Your Bank Details” or “Payment Information Required.”

The email content typically claims there’s an issue with the recipient’s bank account, such as discrepancies in the provided details. It often threatens consequences like account suspension if the matter is not addressed promptly. This creates psychological pressure to act quickly, reducing critical evaluation.

These messages typically include an attachment—often a PDF labeled something like “Bank Detail Form.pdf.” This file may appear intentionally blurred, prompting users to scan a QR code or click a link to view the full content. Alternatively, it may contain a hyperlink leading to a fake website, mimicking the legitimate company’s site, such as a WeTransfer lookalike, to capture login credentials.

Once the victim enters their information, scammers capture it for misuse, including accessing accounts for fraudulent transactions or selling the data on the dark web. Technical indicators of this campaign include the attachment name Bank Detail Form.pdf and related domains such as emailportal.preferenste[.]com.

How can I identify the scam?

You can easily identify the scam by recognizing several telltale signs present in pretty much every “Bank Details” scam message. They are in fact common to a huge number of other email scams, so let me walk you through them and kill several birds with one stone.

The first red flag is an unsolicited email requesting personal or financial data. Legitimate companies rarely use email for such requests. Another red flag is urgency tactics, such as threats of account closure, which pressure victims to act without verifying the request.

Fake Bank Detail Form.pdf file screenshot
Fake Bank Detail Form.pdf file

Poor grammar and spelling mistakes are frequent in fraudulent emails, contrasting with the polished communications of reputable firms. Mismatched URLs, where the link does not match the official company domain, are another red flag, often detectable by hovering over links without clicking.

Generic greetings like “Dear User,” instead of a personalized address, and attachments from unknown sources, especially those prompting you to fill in a form, are yet another set of signs that you’re looking at a scam message. Organizations, especially banks, know your real name and have no reason to refrain from using it in official communications. Scammers, on the other hand, lack such details and are thus forced to make their messages as generic and depersonalized as they can.

How To Stay Safe?

The main way to avoid getting trapped in a scam scheme is, in fact, to follow the advice in the previous section. Check for all the scam signs I’ve listed, starting with verifying sender email addresses to ensure they use official domains, such as @bankname.com, and being wary of free email services like @hotmail or @gmail. Avoid clicking links in suspicious emails; instead, visit company websites directly via bookmarks. Verify requests by contacting companies through known channels.

Enable two-factor authentication on your accounts and keep software updated with the latest security patches. Use anti-malware software with Internet Security. You may consider using GridinSoft Anti-Malware, as it has this functionality and allows you to block suspicious websites before they are loaded.

If phished, immediate action is critical: contact your bank to report the incident, change passwords for relevant accounts and monitor for unauthorized activity. Don’t forget to report suspicious emails to companies and providers, aiding broader scam prevention.

The post Bank Details Email Scam appeared first on Gridinsoft Blog.

Urgent Reminder Tax Scam
https://gridinsoft.com/blogs/urgent-reminder-email-tax-scam/
Fri, 04 Apr 2025 11:37:44 +0000

The “Urgent reminder” tax scam is a yearly phishing effort designed to steal Microsoft account details by exploiting tax season urgency. Scammers send emails with attachments titled “Urgent reminder,” featuring PDFs with QR codes that lead to phishing sites asking for login information.

Urgent reminder Tax Scam Targeting Microsoft Credentials

Tax season, particularly before and around the April 15, 2025, filing deadline, is a peak period for scams, as fraudsters exploit the urgency and stress associated with tax obligations. The “Urgent reminder” scam is part of this trend, leveraging social engineering tactics to deceive users into compromising their Microsoft account details. Microsoft accounts are valuable targets, providing access to emails, cloud storage (OneDrive), and other services, which can lead to identity theft or data breaches.

Urgent reminder with QR code screenshot
Urgent reminder with QR code

In brief, these emails, often automated and from the supposed “Tax Services Department,” claim users must update tax records by a specific deadline (e.g., March 16) to avoid penalties. Scanning the QR code redirects to a phishing site, which may use bot protection before prompting for Microsoft credentials, with the email pre-filled to seem legitimate. The stolen credentials could be sold on the dark web or used to access email, OneDrive, or other services, posing risks of identity theft or data breaches.

Urgent Reminder Tax Scam Mechanics

The scam begins with an email containing a PDF attachment titled “Urgent reminder.” As I said at the beginning, this is a yearly trend, and we have already covered a similar campaign; this time, however, the scammers have gone further. They use a QR code, which has advantages over a regular link that I will discuss later. The email is often presented as an automated message with no reply option, giving it an official appearance. It claims to be from the “Tax Services Department” and states that a mandatory review and update of tax records is required by a specific date (March 16, 2025) to avoid penalties or account disruptions.

Next, the user is asked to scan the QR code. Scanning it leads to a phishing website, which may use redirects (e.g., via doubleclick.net) to a domain like fmhjhctk.ru, identified as a Russian site. Before prompting for credentials, the site implements bot protection (CAPTCHA), such as “Verifying encryption before network,” to appear legitimate. Once past this, it pre-fills the user’s email address and requests Microsoft login details, sending them to the scammer.

Pre-filled the user’s email popup
Pre-filled the user’s email

Did you know that con actors can use anti-bot protection as a disguise for their dirty deeds? We have a dedicated article on fake CAPTCHA attack campaigns.

So how is a QR code better than a link, you ask? Firstly, a QR code bypasses anti-spam systems more easily, since it is just an image, not a link. Secondly, it is impossible to tell where a QR code leads until you scan it. Thirdly, a person is much more likely to scan a QR code, if only out of curiosity, than to follow a link. We also have a separate post that explains this in more detail.

Risks and Implications

As for the risks, theft of Microsoft credentials poses significant dangers, including unauthorized access to personal emails, financial data stored in OneDrive, and potential identity theft. Given that most people’s work is linked to a Microsoft account in one way or another, an account compromise can have catastrophic consequences, from loss of access that paralyzes workflow to the leakage of sensitive corporate data.

In this case, the threat actor is tentatively based in Russia, which is not surprising, and this increases the likelihood of the credentials being sold on dark web markets or used for further attacks. The QR code method, combined with pre-filled email fields, raises the chance of success, especially among less tech-savvy users.

How To Stay Safe?

Safeguarding yourself from the “Urgent reminder” tax scam and similar phishing threats requires a proactive approach, especially during the high-risk tax season. Never scan QR codes or click links in unsolicited emails, particularly those claiming urgent action. Instead, verify any tax-related communication directly with the IRS through their official website irs.gov or listed phone numbers. Remember, legitimate agencies won’t demand immediate action via email or text. Additionally, always inspect website URLs before entering credentials; authentic Microsoft login pages will use domains like login.live.com.

Beyond manual checks, deploying robust anti-malware software is non-negotiable in today’s threat landscape, and tools like GridinSoft Anti-Malware stand out for their comprehensive protection. It includes Internet Security features that actively block phishing attempts, malicious redirects, and suspicious domains. Its real-time scanning can detect and neutralize threats from QR code redirects or compromised PDFs before they reach your credentials, offering peace of mind against sophisticated attacks.

The post Urgent Reminder Tax Scam appeared first on Gridinsoft Blog.

Server (IMAP) Session Authentication Email Scam
https://gridinsoft.com/blogs/server-imap-session-authentication-email-scam/
Fri, 04 Apr 2025 08:00:30 +0000

The “Server (IMAP) Session Authentication” email scam is a type of phishing attack where fraudsters send emails claiming your email account access has been restricted due to irregular activity. These emails often include a button like “CONFIRM AUTHENTICATION!” that leads to a fake sign-in page, such as grandiose-dandy-actress.glitch, designed to steal your login credentials.

Server (IMAP) Session Authentication Email Scam Overview

The “Server (IMAP) Session Authentication” email scam is classified as a phishing, scam, social engineering, and fraud threat. It targets users by falsely claiming that their email access has been restricted due to irregular activity, tricking them into taking action.

Server (IMAP) Session Authentication fake email screenshot
Server (IMAP) Session Authentication fake email

These emails are often part of widespread spam campaigns designed to make recipients follow the instructions, exposing their login information and personal data. For this, they employ phishing sites that resemble a genuine service provider page, with a sign-in form that collects all inputs. Among the examples of such sites is grandiose-dandy-actress.glitch, which is hosted at IP address 151.101.66.59.

The scam’s potential damages include loss of sensitive private information, monetary loss, and identity theft, with symptoms like unauthorized online purchases, changed account passwords, and illegal computer access. Distribution methods include deceptive emails, rogue online pop-up ads, search engine poisoning, and misspelled domains.

Mechanics of the Scam

The scam operates by sending emails claiming the security system detected suspicious activity, restricting account access, including the ability to send emails. These emails instruct users to press “CONFIRM AUTHENTICATION!” to recover access, redirecting them to phishing sites disguised as email sign-in pages. For instance, clicking the button leads to domains like grandiose-dandy-actress.glitch[.]me (VirusTotal scan report), where users enter their email address and password, inadvertently exposing their accounts.

Once credentials are stolen, scammers can hijack linked accounts, platforms, and services, stealing identities for emails, social networking, and social media. They may request loans or donations from contacts, friends, or followers, promote additional scams, and spread malware by sharing malicious files or links.

Finance-related accounts, such as e-commerce, online banking, digital wallets, and money transferring services, are particularly vulnerable, enabling fraudulent transactions and online purchases. This results in severe privacy issues, financial losses, and potential identity theft, amplifying the scam’s impact.

Why Are Such Scams Prevalent?

Paradoxically, this is not a unique scam but a mass phenomenon. We even have a separate post about a very similar fraud, and there is an explanation for this. The “Server (IMAP) Session Authentication” email scam and similar phishing schemes have surged in popularity due to their simplicity and their effectiveness in exploiting human psychology. These scams rely on urgency and fear, which are reliable triggers.

Scammers craft these emails with just enough technical jargon – like “IMAP session authentication” – to sound credible, especially to less tech-savvy individuals, while keeping the structure basic enough to mass-produce. The low effort required to tweak the text slightly for each campaign, combined with the high potential reward of stolen credentials or financial access, makes this approach a go-to for cybercriminals.

Another reason for their prevalence is the sheer scale and accessibility of email as a target. With billions of email users worldwide, and the availability of mailbox addresses after multiple leaks, even a tiny success rate yields significant profits. These scams are often distributed through automated spam campaigns, reaching thousands or millions of inboxes at minimal cost.

Their resemblance to routine account alerts also helps them blend into legitimate correspondence, as users are accustomed to such notifications from real services. Moreover, the lack of robust security awareness among many users – coupled with the persistence of legacy protocols like IMAP, which lack modern safeguards – creates fertile ground for these scams to thrive.

Finally, the adaptability and low detection risk keep these scams in heavy rotation. Scammers can quickly alter domains, email addresses, or phishing page designs to evade filters and antivirus software, staying one step ahead of automated defenses. This efficiency explains why such scams, despite their repetitive nature, remain a staple of cybercrime in 2025.

Loss data for 5 years
Loss data for the years 2019 to 2023

How to Protect Against Email Scams?

To avoid falling victim to Server (IMAP) Session Authentication scams, like any other scam, it is important to pay attention to details. For example, if such an “official” notification comes from an address ending in @gmail.com or @hotmail.com, it is a guaranteed scam. Real alerts come from addresses that end in @accounts.google.com and @microsoft.com. This is an invariable rule created to allow users to distinguish personal accounts from corporate ones.

The second recommendation is to use anti-malware software with Internet Security. This blocks a phishing web page from opening, and its content from downloading, if the user clicks a link in an e-mail. I recommend GridinSoft Anti-Malware, as it does an excellent job.

The post Server (IMAP) Session Authentication Email Scam appeared first on Gridinsoft Blog.

Internet Fraudsters Arrested Email Scam
https://gridinsoft.com/blogs/internet-fraudsters-arrested-scam/
Thu, 03 Apr 2025 09:12:12 +0000

The “Internet Fraudsters Arrested” email campaign is a phishing attack where cybercriminals impersonate Spanish authorities, claiming to offer compensation after arresting fraudsters who previously victimized the recipient. This technical analysis examines the campaign structure, delivery mechanisms, and effective countermeasures.

Campaign Overview

The “Internet Fraudsters Arrested” scam operates through targeted phishing emails impersonating Spanish government entities, particularly the Supreme Court of Spain. The campaign claims recipients are entitled to €2,000,000 in compensation following the arrest of individuals who supposedly defrauded them previously. This scam is part of a larger pattern of government impersonation attacks that have increased by 35% in Q1 2025.

Internet Fraudsters Arrested phishing email sample
Sample phishing email with Spanish government branding and compensation claim

The primary objectives of this campaign include credential harvesting, financial fraud, and identity theft. Analysis of campaign patterns indicates connections to cybercrime groups previously observed in banking notification scams.

Technical Delivery Mechanism

The attack utilizes several technical components to bypass security controls:

  • Spoofed sender addresses mimicking legitimate Spanish government domains
  • Modified email headers with falsified routing information
  • Embedded tracking pixels for victim monitoring
  • Custom SMTP configurations designed to bypass common spam filtering rules
  • HTML content obfuscation techniques
[Chart: Campaign Technical Components Distribution. Components shown: Spoofed Headers, Tracking Pixels, HTML Obfuscation, PDF Attachments, Redirect Links, Free Email Accounts. Y-axis: Percentage of Samples Containing Component (%). Values plotted: 94%, 82%, 68%, 57%, 45%, 98%.]

Source: Microsoft Security Intelligence, GridinSoft Threat Intelligence, 2025

Attack Sequence

The scam follows a structured attack sequence:

  1. Initial contact: Unsolicited email claiming the recipient is eligible for €2,000,000 compensation
  2. Authority impersonation: Use of Spanish government branding and forged headers
  3. Action requirement: Instructions to contact a designated representative (typically “George Hernández” at barrjhgeorge7798@gmail.com)
  4. Data extraction: Request for personal identification documents, banking details, and contact information
  5. Financial exploitation: Demand for payment of fabricated fees or taxes to release the non-existent funds

Technical Indicators of Compromise

Security analysts have identified consistent indicators associated with this campaign:

Email Indicators:
- From: *@gobiernodeespana[.]com, *@courtspain[.]org (legitimate domains use .es or .gob.es)
- Subject line patterns: "Crime Fraud Investigation," "Spanish Court Notice," "Compensation Claim Alert"
- Reply-to: barrjhgeorge7798@gmail.com, barristerspain@outlook.com
- Contact name: "George Hernández," "Jorge Hernandez," "Barrister Hernández"
- Address: Avda Reina Victoria 58 - Esc. 1, 1єA 28003, Spain

Technical Patterns:
- SPF authentication failures
- Missing or invalid DKIM signatures
- Embedded tracking pixels (1x1 transparent GIFs)
- HTML content obfuscation
- Non-government mail server routing

Common Text Patterns:
"compensation of two million euros (€2,000,000)"
"contact our legal representative immediately"
"arrested internet fraudsters who previously victimized you"
"processing fee required to release the compensation"
"confidential matter requiring urgent attention"

Sample Phishing Email Examples

Below are representative examples of actual “Internet Fraudsters Arrested” phishing emails documented by our security researchers. These samples demonstrate the technical and linguistic patterns employed in this campaign.

Example 1: Basic Crime Department Variant

From: Roger Louis <tanya@simo.ru>
To: Undisclosed recipients:
Subject: From the Crime Fraud Investigation Department Spain.
Date: 3/26/2025, 8:26 PM

From the Crime Fraud Investigation Department Spain.

This is Roger Louis, United States detective working under Spanish police on Cyber Crime and Internet Fraud.

Be informed that the internet fraudsters who defraud you have been arrested and charged to court, last Friday was the final judgement, The court has ordered the Spanish Government to pay you compensation and damages for all the money you lose to those fraudsters, in which the crime are committed by South Americans and Africans living over here in Spain.

This is to notify you that The Supreme Court of Spain has ordered the Spanish Government to pay you compensation and damages, The sum of ₤2,000.000.00 {Two Million Euros } has been approved to you in order to compensate you for all the money you lose to those internet fraudsters in Spain.

The Policía Nacional Crime Fraud Investigation Department Spain is very pleased to inform you that your information has been passed to Barrister George Hernández for immediate transfer of your compensation funds from the Spanish Government.

Barrister George Hernández will help you claim your compensation fund from the Spanish Government, You should contact Barrister George Hernández on this email address below.

Contact person : Barrister George Hernández from Principal Attorney George Hernández & Asociados Corporate and Finance Law Firm Madrid, Spain.
Contact email: ( barrjhgeorge7798@gmail.com )
Contact Address- Address- Avda Reina Victoria 58 - Esc. 1, 1єA 28003

If you are interested in receiving the compensation funds ₤2,000.000.00 - Two Million Euros, You should contact Barrister George Hernández on this email address: ( barrjhgeorge7798@gmail.com ), He will direct you on how to receive your funds.

When contacting the Barrister, Please ask for his ID Card, for you to be sure you are in contact with the right person.

Thank you and Congratulation in advance

Best Regards

Roger Louis
United States detective working under Spanish police on
Cyber Crime and Internet Fraud.

Example 2: Spanish Court Notice Variant

From: Judge Manuel Gonzalez <judicial.office@tribunaldeespana.org>
To: Undisclosed Recipients
Subject: URGENT: Spanish Supreme Court Compensation Notice #REF-78591

SUPREME COURT OF SPAIN
OFICINA JUDICIAL DE MADRID
REF: SCJ/MAD/2025/COMP-78591

OFFICIAL NOTIFICATION OF COMPENSATION AWARD

This official communication is to inform you that following the successful prosecution of international cyber criminals operating from Spain, you have been identified as a victim entitled to restitution.

Case Reference: SCJ/2025/CYBER/114
Court Ruling Date: March 12, 2025
Compensation Amount: €2,000,000.00 (Two Million Euros)

The defendants, members of an organized crime syndicate operating from Barcelona and Madrid, have been successfully prosecuted for various cybercrimes including phishing, identity theft, and financial fraud targeting foreign nationals. According to our records, you were among the victims who suffered financial losses.

To initiate the compensation claim process, you must contact our appointed fiduciary officer:

CONTACT INFORMATION:
Name: Barrister Antonio Fernandez
Email: barr.fernandez.legal@outlook.com
Phone: +34 912 555 788
Reference Code: COMP-EU-78591

You will be required to provide basic verification information and complete Form SCJ-11 (Compensation Claim Form). Please note that under Spanish Law 15/2023, a processing fee of €175 is required to cover administrative costs for international transfers.

IMPORTANT: This matter is strictly confidential. Do not share this information with third parties as it may compromise the security of your compensation.

Respectfully,

Dr. Manuel Gonzalez
Chief Justice, Cyber Crimes Division
Supreme Court of Spain

Example 3: Police Department Variant

From: Inspector Carlos Moreno <c.moreno@policia-nacional-es.com>
To: Undisclosed Recipients
Subject: [OFFICIAL] Cyber Crime Victim Compensation - Reference #PCN-29875

POLICÍA NACIONAL DE ESPAÑA
DEPARTAMENTO DE DELITOS INFORMÁTICOS
Case Reference: PCN/CYB/2025/29875

VICTIM COMPENSATION NOTIFICATION

Greetings,

I am Inspector Carlos Moreno, Head of Cyber Crime Unit at the Policía Nacional of Spain.

This is to officially inform you that following Operation "Digital Shield" conducted between January-February 2025, we have successfully arrested and prosecuted a network of 17 individuals involved in international online fraud schemes.

After forensic analysis of the seized devices and servers, we have established that you were among the victims of their criminal activities. The Spanish Government, in accordance with EU Directive 2012/29/EU on victims' rights, has allocated compensation funds of €2,000,000.00 (Two Million Euros) to be paid to you.

The Royal Court of Madrid has appointed Crown Attorney Maria Lopez to handle the disbursement of these funds. To initiate your claim, please contact her directly:

ATTORNEY INFORMATION:
Crown Attorney: Maria Lopez
Email: attorney.maria.lopez.2025@gmail.com
Office Address: Calle Gran Via 42, 2B, Madrid 28013, Spain
Reference Number: PCN-2025-VIC-29875

You will be required to provide identification documents to verify your identity. Please do not delay as the compensation fund is only available for claim until May 30, 2025.

IMPORTANT NOTE: To combat potential fraud, please request to see Attorney Lopez's official identification before proceeding with any transfers or payments.

Yours faithfully,

Inspector Carlos Moreno
Badge Number: PN-87542
Cyber Crime Division
Policía Nacional de España

These examples illustrate several key technical aspects of the campaign:

  • Use of false sender identities including law enforcement, judges, and barristers
  • Domains that imitate Spanish authorities but use incorrect TLDs (.org, .com instead of .es or .gob.es)
  • Consistent monetary value (€2,000,000) across variants
  • Reference to fictitious cases, badge numbers, and legal frameworks to establish credibility
  • Contact information using free email services inconsistent with government operations
  • Mention of processing fees that will be requested later in the scam

Email Authentication Analysis

Examination of email headers from this campaign reveals technical anomalies that help identify these communications as fraudulent:

Comparison of legitimate Spanish government email headers (left) versus fraudulent campaign headers (right)

Key technical differences in the fraudulent emails include:

  • Non-governmental email routing paths
  • SPF/DKIM authentication failures
  • Inconsistent return-path values
  • Fabricated X-headers attempting to simulate legitimate communications
  • Mixed character encoding to evade content filtering

Mitigation Strategies

Organizations and individuals should implement these technical countermeasures:

Technical Controls

  • Configure email security gateways to detect and quarantine messages with known indicators
  • Implement DMARC, SPF, and DKIM email authentication protocols
  • Deploy anti-phishing protection with URL reputation filtering
  • Enable multi-factor authentication on all accounts
  • Utilize endpoint protection with behavioral detection capabilities

User Verification Procedures

Train users to verify email legitimacy by checking:

  1. Full sender email address (not just display name)
  2. Email domain authenticity (Spanish government domains end with .es or .gob.es)
  3. Presence of unusual requests, especially involving financial information
  4. Contact information through official channels rather than details provided in the email

For comprehensive protection against email-based threats including this campaign, consider implementing GridinSoft Anti-Malware with email security capabilities.

Similar Campaign Patterns

The “Internet Fraudsters Arrested” scam shares technical characteristics with other phishing campaigns:

These connections suggest a broader network of operations potentially sharing infrastructure and TTPs.

Impact Assessment

Victims who interact with this campaign face multiple risks:

  • Financial loss: Direct monetary theft through fraudulent fees or unauthorized transactions
  • Identity theft: Exposure of personal identification documents
  • Account compromise: Credential harvesting across multiple platforms
  • Secondary targeting: Addition to lists for subsequent attacks

Reporting Procedures

If you encounter this scam, report it through these channels:

Conclusion

The “Internet Fraudsters Arrested” campaign demonstrates how threat actors leverage authority impersonation and financial incentives to execute effective phishing attacks. By understanding the technical indicators and implementing appropriate security controls, organizations and individuals can effectively mitigate this threat.

Early detection through technical indicators combined with proactive URL verification remains the most effective defense against these increasingly sophisticated phishing campaigns.

How can I verify if an email from Spanish authorities is legitimate?

Legitimate Spanish government communications use official domains ending in .es or .gob.es, never free email services like Gmail or Outlook. Spanish authorities do not notify individuals about compensation via unsolicited emails. Always contact the purported organization directly through their official website or publicly listed phone numbers to verify communications, especially those involving financial matters.

What technical indicators reveal this is a fraudulent email?

Key technical indicators include: sender domains not matching official Spanish government patterns (.es or .gob.es), SPF/DKIM authentication failures, email headers showing routing through non-government servers, reply-to addresses using free email providers, embedded tracking pixels, and HTML obfuscation techniques. These elements can be identified through header analysis and security tools.

What should I do if I’ve already responded to this scam?

If you’ve already responded: 1) Contact your financial institutions to secure accounts, 2) Change passwords for any accounts whose information was shared, 3) Enable multi-factor authentication where available, 4) Monitor credit reports for suspicious activity, 5) Report the incident to law enforcement and relevant cybersecurity agencies, 6) Consider placing a fraud alert with credit bureaus, 7) Run a security scan of your devices to detect potential malware installation.

Chase – Transfer Is Processing And Will Be Deducted https://gridinsoft.com/blogs/chase-transfer-is-processing-scam/ Tue, 01 Apr 2025 09:16:18 +0000

The “Chase – Transfer Is Processing And Will Be Deducted” email scam is a type of phishing attack where cybercriminals pretend to represent Chase Bank. They send emails claiming the transfer is about to be deducted from the recipient’s account, creating a sense of urgency. These emails include a fake link to verify or stop the transfer. This can result in unauthorized access to the victim’s real account, leading to financial losses and identity theft.

What are Chase – Transfer Is Processing And Will Be Deducted Email Scam Messages?

The “Chase – Transfer Is Processing And Will Be Deducted” email scam has been identified as a phishing threat. This scam is part of a broader category of social engineering attacks aimed at financial institutions’ customers, exploiting trust in well-known banks like Chase. Scammers send emails claiming a $350 transfer is about to be deducted from the recipient’s account, creating a sense of urgency.

Chase – Transfer Is Processing And Will Be Deducted fake email

These emails include a link to verify or stop the transfer, but clicking it leads to a fake Chase Bank login page designed to steal the user’s username and password. This can result in unauthorized access to the victim’s real account, leading to financial losses and identity theft.

Technical Details of the Scam

The “Chase – Transfer Is Processing And Will Be Deducted” scam email typically has the subject “You have a new secured message” and claims a $350 transfer is processed, set to be deducted on the next business day. It prompts the recipient to verify or stop the transfer via a link if unauthorized, threatens account termination for wrong details, and is signed by “Chase Online Service.” The linked website, historically associated with domains like boxauth[.]ru, leads to a fake Chase Bank login page. Analysis shows the serving IP address was 104.21.70.94, flagged as a phishing page by several online security vendors.

http://boxauth.ru scan result

Questioning the link you’ve found in the email? Consider scanning it with free GridinSoft Website Reputation Checker! This tool will give you a detailed verdict on whether you can trust the website or not.

Research shows that while specific mentions of this scam are less prominent in recent reports, phishing attacks targeting Chase Bank customers remain a significant concern. However, the “Chase – Transfer Is Processing And Will Be Deducted” scam is not unique. We have had many similar schemes in our review, such as this one. So, given the nature of phishing, similar tactics are still in use, with scammers adapting domains and methods.

How Does This Scam Work?

The scam works by leveraging fear and urgency, which is not at all new at this point. The email creates a scenario where the recipient believes their account is at risk, prompting quick action without verification. Clicking the link leads to a phishing site, often hosted on compromised or newly registered domains, where entering credentials exposes them to scammers. These credentials can then be used for fraudulent transactions, online purchases, or selling on dark web markets, leading to severe financial and privacy issues.

If credentials are compromised, immediate action includes changing passwords for all potentially exposed accounts and informing Chase Bank’s official support. Contacting appropriate authorities, such as the Federal Trade Commission, is advised if personal information is disclosed. The consequences include unauthorized purchases, changed passwords, and identity theft, with potential monetary losses significant enough to warrant swift action.

How to Avoid?

To protect yourself, verify the sender’s email address to ensure it’s from an official Chase Bank domain, like “@chase.com.” Look for spelling or grammar errors in the email, as these are common in scams. Never click links in suspicious emails; instead, visit the Chase Bank website directly by typing the URL or using a bookmark, ensuring it has “https://” and a lock icon.

Use strong, unique passwords and enable two-factor authentication if available. Regularly check your bank account for unauthorized transactions and report suspicious emails to Chase Bank’s customer service. Remember, no company, Chase Bank included, will ever ask for personal information or credentials via email, so any such request is likely a scam.

In addition to all of the above, you should use reliable anti-malware software. This will be the last line of defense that will neutralize the threat if it somehow got into your system. For this purpose, I recommend using GridinSoft Anti-Malware because it meets today’s security requirements. In addition, it has an Internet Security module that can block potentially unsafe sites as well as prevent malicious attachments from being downloaded.

Steganography Attack https://gridinsoft.com/blogs/steganography-attack/ Wed, 19 Mar 2025 12:21:57 +0000

Researchers have discovered a non-obvious tactic in which attackers use steganography. While classic tactics rely on obfuscation and encryption, this method uses plain images as a malware carrier. In this post, I’ll go into more detail on how it works.

Steganography Attack Overview

Steganography, the practice of hiding data within another file, is increasingly used in cyberattacks to disguise malicious code. Unlike encryption, which scrambles data to make it unreadable, steganography embeds payloads in harmless-looking files like images, videos, or audio, making them nearly invisible to traditional security tools.

This method is favored by cybercriminals for its ability to evade antivirus software, bypass email filters, and deliver payloads stealthily; it is often used in phishing, malware delivery, and data exfiltration. Although such attacks are currently more likely a proof of concept and require interaction with the victim, the concept itself is noteworthy. I can suggest that these could be spear phishing attacks, mainly by state-sponsored cybercrime actors.

Malicious PDF file as a start point for the steganography attack

The advantages include the ability to evade security tools by hiding malicious code inside images, allowing it to bypass antivirus and firewalls. Since there are no obvious executable files, it eliminates the risk of detection through traditional means. Its low detection rate is due to the fact that standard scans rarely inspect images for embedded malware. The payload remains hidden until extracted and executed, making delivery highly stealthy. Malicious images also bypass email filters, as they do not trigger standard phishing detections. This method is highly versatile, making it effective across multiple attack vectors.

How Does It Work?

The researchers used the ANY.RUN sandbox as a testbed, which produced comprehensive results that will be described below.

In brief, the steganography method involves embedding the DLL payload in a JPEG image file, using a text chunk to store Base64-encoded data. The extraction process identifies a <<BASE64_START>> flag in the hex data, followed by the encoded payload, which includes the MZ signature of an executable. In the current case, the payload is XWorm.

Now, let’s go into more detail. XWorm employs a multi-stage attack that begins with a phishing PDF named “package_photo.pdf”. This PDF contains a link, hxxps://www[.]sendspace[.]com/pro/dl/vjzvj7, that tricks users into downloading what it presents as a graphics extension needed to display the document. In fact, this is a .REG file named pdf_graphics.reg, which modifies the Windows registry to run a script at startup.

After reboot, the registry script triggers PowerShell, a powerful Windows scripting environment, to download a VBS (Visual Basic Script) file from a remote server. This process is visible in sandbox environments, where clicking on powershell.exe reveals the file being downloaded. The VBS file, appearing harmless, sets the stage for the next step.

An Unobvious Move

Instead of downloading an executable, the VBS script retrieves an image file. This JPEG image contains a hidden malicious DLL payload. The steganography method involves embedding the payload within the image, specifically in a text chunk, using Base64 encoding. Static analysis shows the image appears legitimate, but hex inspection reveals a <<BASE64_START>> flag, followed by “TVq,” the Base64-encoded MZ signature of an executable file. This confirms the payload’s presence, allowing it to bypass security detection until extracted.

The final step involves executing the extracted DLL, which injects XWorm into the AddInProcess32 system process, a legitimate Windows process related to Microsoft Office. This injection helps the malware blend in, avoiding detection. Once XWorm is deployed, it provides attackers with remote access, allowing them to steal sensitive data, execute commands, and deploy additional malware. The compromised system can also be used as a launching point for further attacks.

Technical Details of Steganography Implementation

The steganography technique uses the structure of image files to conceal data. The JPEG image file utilizes text chunks (e.g., tEXt chunks) to store arbitrary text data, including the Base64-encoded payload.

The extraction process begins by locating the <<BASE64_START>> flag within the image file’s hex data, which marks the beginning of the encoded payload. The following Base64 data is then decoded, starting with “TVq,” which corresponds to the MZ signature (“MZ” in ASCII, with M=77 and Z=90). During decoding, Base64 characters are converted into their numerical values (T=19, V=21, q=42 in the Base64 alphabet), and bit operations reconstruct the binary data.

How does steganography work

For example, “TVq=” may initially decode to “MJ” in some calculations, indicating partial data, but the complete payload contains the full executable signature, confirming its nature. Base64 encoding allows the payload to exist as text within the image’s metadata without affecting its visual appearance. This technique takes advantage of the fact that traditional security scans rarely inspect image metadata for malware.
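The extraction logic described above can be run in reverse as a scanner: look for the marker in an image's raw bytes, decode the Base64 run that follows and test for the MZ magic. This is an added example, not code from the Gridinsoft or ANY.RUN write-ups; the carrier JPEG is built in memory and the "payload" is a constructed 64-byte DOS-header stub, not an executable. The helper also shows that the three characters "TVq" alone already decode to the two bytes "MZ" (with two bits left over), and "TVqQ" to "MZ\x90".

```python
"""Added example, not code from the Gridinsoft or ANY.RUN write-ups: scan an
image's raw bytes for the <<BASE64_START>> marker the article describes and
test whether the Base64 text after it decodes to an MZ (PE) header.
The carrier JPEG is built in memory; the 'payload' is a 64-byte header stub
(constructed, not an executable)."""
import base64
import binascii
import re
import struct

MARKER = b"<<BASE64_START>>"                        # delimiter quoted in the article
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")  # a run of Base64 text after the marker


def decode_b64_prefix(b64):
    """Decode a possibly truncated Base64 string, tolerating a missing '=' pad.
    'TVq' already yields b'MZ' (two bits left over); 'TVqQ' yields b'MZ\\x90'."""
    if isinstance(b64, str):
        b64 = b64.encode("ascii")
    b64 = b64.rstrip(b"=")
    try:
        return base64.b64decode(b64 + b"=" * (-len(b64) % 4))
    except binascii.Error:          # a length of 4n+1 can never be valid Base64
        return b""


def find_embedded_pe(image):
    """Locate the marker and report on the Base64 blob that follows it.
    Returns None when the marker is absent or no Base64 run follows."""
    idx = image.find(MARKER)
    if idx < 0:
        return None
    run = B64_RUN.match(image, idx + len(MARKER))
    if not run:
        return None
    decoded = decode_b64_prefix(run.group(0))
    return {
        "marker_offset": idx,
        "b64_length": len(run.group(0)),
        "decoded_length": len(decoded),
        "is_pe": decoded.startswith(b"MZ"),   # DOS header magic: 'M'=0x4D, 'Z'=0x5A
    }


def build_sample_jpeg(payload):
    """Constructed carrier: SOI, one COM (0xFFFE) segment holding marker + Base64, EOI.
    The scanner looks at raw bytes rather than parsing the container, so the exact
    metadata segment the real sample used does not matter for detection."""
    comment = MARKER + base64.b64encode(payload)
    segment = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    return b"\xff\xd8" + segment + b"\xff\xd9"


# Constructed stand-in for a PE file: 64-byte DOS header with only the magic set.
FAKE_PE_STUB = b"MZ\x90\x00" + b"\x00" * 60
CARRIER = build_sample_jpeg(FAKE_PE_STUB)
BENIGN = b"\xff\xd8\xff\xfe" + struct.pack(">H", 14) + b"Created with" + b"\xff\xd9"

if __name__ == "__main__":
    print(find_embedded_pe(CARRIER))   # is_pe True, decoded_length 64
    print(find_embedded_pe(BENIGN))    # None
```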

How To Stay Safe?

While such attacks can take the user and anti-malware software by surprise, with news like this, anti-malware vendors will take this into consideration. So, keeping your software updated and using strong, unique passwords can reduce the risk of malware sneaking into your system through vulnerabilities or stolen credentials.

Being cautious online isn’t always enough, as advanced malware can bypass basic defenses and hide in seemingly harmless files. You should also enable two-factor authentication for all available services. For comprehensive safety, I recommend GridinSoft Anti-Malware, which offers robust scanning and real-time protection to identify and eliminate threats like XWorm before they cause harm.

Phishing Links in Browser https://gridinsoft.com/blogs/phishing-links-in-browser/ Mon, 03 Mar 2025 09:08:46 +0000

Phishing links may lurk wherever you go on the Internet: in your inbox, on social media and even on popular forums. Their danger is often underestimated, which eventually leads to a selection of bad consequences, sometimes all of them at once. But how do you recognize a phishing threat early on? And how do you protect against them? Let me explain in this article.

What are Phishing Links in Browser?

Phishing links are a sneaky way attackers try to steal your information by pretending to be someone trustworthy, like a bank or a big company. It’s a big deal, with scams racking up over $12 billion in losses in 2023, according to the FBI’s Internet Crime Report. While this is not much different from classic phishing, the focus here is on the variant of phishing that uses the web browser.

In brief, phishing links are designed to seem trustworthy, using various tricks to hide their true nature. They might swap out familiar details with nearly identical lookalikes, hoping you won’t notice the difference. Some rely on tiny mistakes that are easy to overlook, leading you exactly where they want. Even security markers that should signal safety can be misleading, giving a false sense of trust. And sometimes, they simply overwhelm with complexity, making things look so chaotic that you don’t think twice before clicking.

Popular Phishing Practices

Phishing links operate through advanced tactics designed to exploit browser vulnerabilities and user trust. Modern phishing leverages trusted domains, URL shorteners, and legitimate SSL certificates, making detection challenging. This means attackers can make their sites appear secure, even when they’re not, by obtaining certificates from authorities. It includes several methods:

Homograph Attacks. These involve using internationalized domain names (IDNs) with characters from non-Latin scripts, such as Cyrillic or Greek, that visually mimic Latin characters. For instance, the Cyrillic “а” (U+0430) looks identical to the Latin “a” (U+0061), as noted in research from Detection Method of Homograph Internationalized Domain Names with OCR. This technique exploits the browser’s rendering to create deceptive URLs.

Example of homograph domains used for phishing in browser. (source: ResearchGate)

Typosquatting. This tactic relies on common typing errors, creating domains like “microsfot.com” instead of “microsoft.com”. It targets users who mistype URLs, redirecting them to malicious sites.

Typosquatting example

SSL Certificate Mismatches. Phishers can obtain SSL certificates for their domains, leading browsers to display a padlock icon, suggesting security. Users must check the certificate details, accessible via the padlock, to verify the issuer (e.g., Let’s Encrypt, DigiCert) and ensure it matches the expected organization, as mismatches indicate potential fraud.

Complex URL Structures. These include unusual subdomains (e.g., “secure.login.example.com” instead of “example.com”), long random character strings, or redirect chains that obscure the final destination. Such structures are often used to bypass filters and confuse users.
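The three URL tricks above (homograph domains, typosquats, and a brand name buried in a subdomain) can each be flagged mechanically. This is an added example, not code from the Gridinsoft post; the BRANDS allow-list and the CONFUSABLES table are small constructed tables for the demo, and the sample URLs are made up.

```python
"""Added example, not from the Gridinsoft post: flag the URL tricks the article
describes (homograph IDN domains, typosquats, brand names buried in subdomains)
for constructed sample URLs. BRANDS and CONFUSABLES are small demo tables,
not production lists; the URLs below are made up."""
import unicodedata
from urllib.parse import urlsplit

BRANDS = {"microsoft.com", "example.com"}   # constructed: domains the user expects to visit
# Partial confusables table: Cyrillic/Greek letters that render like Latin ones,
# e.g. Cyrillic U+0430 for Latin 'a', as the article notes.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u03bf": "o"}


def script_of(ch):
    """Script family of a letter from its Unicode name, e.g. 'LATIN' or 'CYRILLIC'."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def skeleton(text):
    """Map lookalike letters to their Latin counterparts for comparison."""
    return "".join(CONFUSABLES.get(c, c) for c in unicodedata.normalize("NFKC", text))


def edit_distance(a, b):
    """Plain Levenshtein distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return {'host', 'punycode', 'non_latin', 'verdict'} for one URL."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    registrable = ".".join(labels[-2:])      # naive: ignores multi-part suffixes like co.uk
    try:
        punycode = host.encode("idna").decode("ascii")   # the form the browser resolves
    except UnicodeError:
        punycode = "?"
    non_latin = sorted({script_of(c) for c in host if c.isalpha()} - {"LATIN"})

    if non_latin and skeleton(registrable) in BRANDS:
        verdict = "homograph"            # renders like a brand but resolves elsewhere
    elif any(b.split(".")[0] in labels[:-2] for b in BRANDS):
        verdict = "brand-in-subdomain"   # brand name as a subdomain of another registrable domain
    elif registrable in BRANDS:
        verdict = "ok"
    elif 1 <= min(edit_distance(registrable, b) for b in BRANDS) <= 2:
        verdict = "typosquat"            # one or two keystrokes away from a known brand
    else:
        verdict = "unknown"
    return {"host": host, "punycode": punycode, "non_latin": non_latin, "verdict": verdict}


SAMPLES = [                                   # constructed URLs for the demo
    "https://www.microsoft.com/account",
    "https://microsfot.com/login",                         # transposed letters
    "https://micr\u043esoft.com/login",                    # Cyrillic 'о' (U+043E) for Latin 'o'
    "https://microsoft.com.secure-login-placeholder.net/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```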

Potential Risks of Phishing Links

Phishing links pose a serious cyber threat, leading to personal data theft, malware infections, financial losses, reputational damage, and large-scale data breaches. Users are often tricked into entering sensitive information on fake websites that mimic banks or online retailers. Once stolen, credentials and financial details can be used for identity theft, unauthorized transactions, or sold on the dark web, causing long-term security risks. Compromised accounts can lead to further exploitation, affecting emails, social media, and banking systems.

Clicking phishing links can also result in malware infections, with viruses, spyware, or ransomware silently installed on a user’s device. While almost all modern browsers will alert the user within a short time of detecting a malicious site, this is not instantaneous. Financial losses are another direct consequence, as stolen credit card details enable fraudsters to make unauthorized purchases or drain accounts. Ransomware attacks, often initiated through phishing emails, force victims to pay large sums to recover their data.

For organizations, phishing attacks can lead to severe reputational damage and large-scale data breaches. High-profile incidents, such as the 2015 Ukraine power grid attack, show how phishing emails can be used to infiltrate critical infrastructure. Exposed customer data, intellectual property theft, and leaked internal documents erode public trust, causing long-lasting harm to businesses and governments alike.

How To Stay Safe?

Staying safe online requires a combination of tools and best practices. One of the most effective strategies is security awareness. Keeping up with evolving phishing tactics through regular training helps users recognize and avoid sophisticated attacks, such as homograph domains or suspicious email senders. Awareness is key to developing habits that minimize risks.

Browser security settings also play a crucial role in online protection. Enabling warnings for suspicious websites, using strong and unique passwords, and relying on password managers can significantly enhance account security. These features help mitigate risks by alerting users to potential threats before they cause harm.

Another essential measure is enabling two-factor authentication (2FA). This adds an extra layer of security by requiring a second verification step, such as a code sent to a phone, in addition to a password. By making unauthorized access significantly harder, 2FA is a strong defense against account breaches.

Keeping software up to date is just as important. Regular updates for operating systems, browsers, and applications ensure that security vulnerabilities are patched before they can be exploited. Establishing clear protocols for reviewing and updating security practices helps maintain a secure browsing environment and ensures all stakeholders understand their role in preventing cyber threats.

Fake CAPTCHA Abuses PDF and SEO Poisoning https://gridinsoft.com/blogs/fake-captcha-pdf-phishing/ Sat, 15 Feb 2025 11:06:25 +0000

Cybercrime actors misuse search ads to distribute fraudulent PDF files that lead to fake CAPTCHA sites. This can end up with malware.

Phishing Campaign Abuses Webflow, SEO, and Fake CAPTCHA

A recent phishing campaign has been targeting individuals searching for documents online, aiming to steal their credit card information. This operation has been active since mid-2024 and has affected numerous users across various industries. The most impacted sectors include technology, manufacturing, and banking, particularly in North America, Asia, and Southern Europe.

The attackers abuse search engines to lure victims into accessing malicious PDF files hosted on Webflow’s Content Delivery Network (CDN). These PDFs contain fake CAPTCHA images embedded with phishing links, leading unsuspecting users to provide sensitive information.

Technical Details of the Scam

Essentially, the attack is based on search advertising, specifically the abuse of search results. The attackers exploit Webflow’s CDN to host malicious PDFs. Webflow, a popular website builder, offers CDN storage for customer assets, which in this case is misused to store harmful PDF files.

Next, Google’s algorithms come into play. When individuals search for specific keywords like book titles, documents, or charts, these malicious PDFs appear in the top search engine results. In our case, it’s assets.website-files[.]com. The PDFs are crafted with multiple targeted keywords to increase their visibility.

Phishing link in the search results (source: Netskope)

Upon opening, the PDF displays a fake CAPTCHA image. However, it’s just an image with a link. So, when users attempt to solve this CAPTCHA, they are redirected to a website that is protected with an actual Cloudflare Turnstile CAPTCHA. This step creates an illusion of legitimacy.

Fake CAPTCHA in PDF file (source: Netskope)

After completing this step, users are taken to a forum offering a file named after their search query. To download the document, users are prompted to sign up by providing their email address and full name. Subsequently, they are asked to enter their credit card details to complete the sign-up process. At this point, the user should be suspicious.

Once users provide this information, an error message is displayed, prompting users to resubmit their credit card details multiple times. Nevertheless, the entered data was sent to the attackers as early as the first time. Eventually, they are redirected to an HTTP 500 error page, leaving them unaware that their information has been compromised.

Error message after trying to enter credit card info (source: Netskope)

Where can this data go?

Stolen data takes one of two paths: either the scammers try to use it directly, or they sell it on the Darknet. Depending on which option they choose, the “read report”, in the form of online payment attempts with the entered card, arrives sooner or later. If payment attempts follow almost immediately after the leak, the fraudsters decided not to bother reselling it.

On the other hand, if the attackers plan to resell the stolen data on thematic forums, there may be no feedback for a long time. Although this may suggest that nobody stole anything, I strongly recommend blocking the leaked card and reissuing it. If this is not possible, it is very important to disable the credit limit on the card as well as the ability to pay online without confirmation.

How To Stay Safe?

To avoid falling victim to such phishing scams, it is crucial to incorporate critical thinking. Be cautious if a PDF file presents a CAPTCHA, as this is unusual for PDFs and should raise a red flag. First, I strongly recommend avoiding clicking on links labeled as “Sponsored” in search engine results. These links almost always lead to malicious sites. Instead, consider using an ad blocker and a reputable anti-malware solution to enhance your protection against such threats.

Continuing about protection against such threats, I would recommend using GridinSoft Anti-Malware. Foremost, it is a reliable solution that has an Internet Security module that is designed to protect against such scams. Secondly, it is a comprehensive solution that will provide all-round protection of your system from all kinds of cyber threats.

Fake Google Chrome Downloading Sites Distribute ValleyRAT https://gridinsoft.com/blogs/fake-google-chrome-sites-valleyrat/ Sat, 08 Feb 2025 10:47:15 +0000

Cybercriminals have set up fake websites mimicking Google Chrome’s official download page to distribute the ValleyRAT malware. The campaign is attributed to the Silver Fox threat actor, which has historically targeted Chinese-speaking regions, including Hong Kong, Taiwan, and Mainland China.

Fake Google Chrome Sites Distribute ValleyRAT Malware via DLL Hijacking

Researchers at Morphisec Threat Labs discovered a malicious campaign targeting Chinese-speaking audiences. Victims searching for Google Chrome are redirected to a fake website, which offers a ZIP file containing a malicious executable (“Setup.exe”).

Fake Chrome download page that spreads ValleyRAT

Experts say that the attackers have intensified their focus on high-value corporate positions, particularly in finance, accounting, and sales. This indicates a shift toward targeting individuals with access to sensitive data and critical business systems, which is an expected choice of target.

Once executed, the installer checks for administrative privileges and downloads additional payloads. These include a legitimate Douyin/TikTok executable (“Douyin.exe”), which is used for DLL sideloading. A DLL file (“Tier0.dll”) is responsible for launching ValleyRAT, while another DLL file (“Sscronet.dll”) is designed to terminate specific processes on an exclusion list.

DLL hijacking is used to execute malicious code via legitimate executables. The attacker takes advantage of signed programs that are susceptible to DLL search order hijacking. This includes popular applications like WPS Office and Tencent software, as well as game-related binaries from Steam titles such as Left 4 Dead 2 and Killing Floor 2.

ValleyRAT Details

The current ValleyRAT sample is written in C++ and was compiled in a Chinese-language environment. It operates as a remote access trojan with several malicious functionalities, including keystroke logging that records user input and stores it in a hidden file (“sys.key”). The malware captures screen activity using Windows API functions such as EnumDisplayMonitors.

To maintain persistence, it creates a hidden executable (“GFIRestart64.exe”) and adds registry entries. Additionally, it employs anti-VM detection by scanning for specific processes and system attributes to avoid analysis. The malware establishes a connection with a C2 server to receive commands, execute arbitrary binaries, and exfiltrate data.

ValleyRAT is designed to monitor and control infected systems, enabling attackers to deploy additional malicious plugins for further damage. It can install additional malware, take screenshots, log keystrokes, download or steal files, and execute commands remotely. This allows cybercriminals to spy on victims, steal sensitive data, or use compromised machines for further attacks.

New Attack Vectors

A notable change in Silver Fox’s tactics is the use of new phishing websites, such as anizom[.]com and karlost[.]club, to distribute the malware. The latter impersonates a Chinese telecom provider to increase legitimacy.

[Image: Fake website of the legitimate Chinese SMS provider (source: Morphisec)]

In previous campaigns, Silver Fox relied on malicious scripts (.bat and .ps1) to deploy RATs like GhostRAT and Purple Fox. The current attack demonstrates a shift towards more deceptive techniques, using fake software installers combined with DLL hijacking.

ValleyRAT injects malicious code into the legitimate Windows process “svchost.exe” to avoid detection, a tactic common across many malware families. The malware stores its core components in encrypted form within files such as mpclient.dat.

Additionally, it evades security mechanisms by hooking critical Windows security functions such as AmsiScanString, AmsiScanBuffer, and EtwEventWrite. This effectively disables security monitoring features, making detection significantly more difficult. Given its focus on high-value corporate targets, businesses should adopt strict software download policies and monitor for unusual DLL loading behaviors to mitigate such threats.
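To make the advice about monitoring unusual DLL loading behaviour concrete, the following is an added example (not code from Gridinsoft or Morphisec) of a simple sideloading heuristic run over image-load telemetry. It assumes Sysmon-style Event ID 7 (ImageLoad) records carrying the fields Image, ImageLoaded, Signed and SignatureStatus, and a list of user-writable directory prefixes that you would tune for your environment; the sample events are constructed, with file names chosen to mirror the Douyin.exe / Tier0.dll pairing described above.

```python
"""Heuristic detection of DLL sideloading from image-load telemetry.

Added example, not Gridinsoft's or Morphisec's code. Assumes Sysmon-style
Event ID 7 (ImageLoad) records with the fields Image, ImageLoaded, Signed
and SignatureStatus. All sample events below are constructed.
"""
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Assumed: directory prefixes a standard user can write to. Tune per environment.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)


def is_user_writable(path: str) -> bool:
    """True when the path sits under a directory an ordinary user can write to."""
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def assess_image_load(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for a suspicious DLL load, or None when it looks benign."""
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    if loaded.suffix.lower() != ".dll":
        return None

    signed_ok = (event.get("Signed", "false").lower() == "true"
                 and event.get("SignatureStatus", "") == "Valid")
    # Sideloading relies on the loader finding the DLL next to the host executable.
    same_dir = str(loaded.parent).lower() == str(image.parent).lower()
    writable = is_user_writable(str(loaded))

    reasons: List[str] = []
    if not signed_ok:
        reasons.append("DLL is unsigned or its signature is invalid")
    if same_dir and writable:
        reasons.append("DLL loaded from the host executable's own directory "
                       "in a user-writable location")
    elif writable:
        reasons.append("DLL loaded from a user-writable location")
    if not reasons:
        return None

    # An unsigned DLL beside the executable in a writable directory is the
    # classic sideloading shape; anything else is worth a look but less certain.
    severity = "high" if (not signed_ok and same_dir and writable) else "medium"
    return {
        "image": str(image),
        "dll": str(loaded),
        "severity": severity,
        "reasons": reasons,
    }


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the heuristic over a batch of events and keep only the findings."""
    return [f for f in (assess_image_load(e) for e in events) if f]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Signed host binary loading an unsigned DLL that sits beside it in Downloads.
    {"Image": r"C:\Users\victim\Downloads\Chrome\Douyin.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\Chrome\Tier0.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # The same process loading a genuine, signed system DLL.
    {"Image": r"C:\Users\victim\Downloads\Chrome\Douyin.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Unsigned plug-in under Program Files: noisy in practice, so only medium.
    {"Image": r"C:\Program Files\ExampleApp\app.exe",
     "ImageLoaded": r"C:\Program Files\ExampleApp\plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["dll"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The rule deliberately keys on the combination of three signals (unsigned, co-located with the host executable, user-writable path) rather than on any one of them, because each alone is common in legitimate software; the high-severity findings are the ones to chase first, and the medium ones are candidates for an allowlist once reviewed.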

How to Protect Against Malware?

The most effective protection against trojans comes down to two things: vigilance during web surfing and reliable anti-malware software. In the first case, it is essential to avoid suspicious sites, such as those offering pirated content (programs, games, media), as well as dubious online advertisements.

As for the second, anti-malware software is the second line of defense for when the first one fails for some reason. I recommend considering GridinSoft Anti-Malware. Its functionality is capable of providing solid protection from this threat and neutralizing it before it is downloaded and deployed.
