Login
This week in scams, attackers are leaning hard on familiar brands, everyday tools, and routine behavior to trigger fast, unthinking reactions. From fake Netflix billing alerts to malicious browser extensions and QR code phishing tied to foreign espionage, the common thread is trust being weaponized at exactly the right moment.
Every week, this roundup breaks down the scam and cybersecurity stories making news and explains how they actually work, so readers can better recognize risk and avoid being manipulated.
Let’s get into it.
The big picture: Subscription phishing is resurging, with scammers impersonating Netflix and using fake billing failures to push victims into handing over payment details.
What happened: Multiple Netflix impersonation emails circulated again this month, warning recipients that a payment failed and urging them to “update payment” to avoid service interruption. The messages closely mirror Netflix’s real branding and include polished formatting, official-looking language, and even PDF attachments designed to feel like legitimate billing notices.
What makes these scams effective is timing. Victims often receive them while actively reviewing subscriptions, updating payment methods, or considering canceling services. That context lowers skepticism just enough for a quick click before slowing down to verify.
McAfee’s Scam Detector flagged the messages (which one of our own employees received this week) as phishing, confirming they were designed to steal payment information rather than resolve a real billing issue.
Red flags to watch for:
How this scam works: This is classic brand impersonation phishing. Scammers don’t need to hack Netflix itself. They rely on people recognizing the logo, trusting the message, and reacting emotionally to the idea of losing access. The attachment and clean design help bypass instinctive spam filters in the brain, even when technical filters catch it later.
Netflix has warned customers about these scams and offers advice on its site if you encounter one.
What to do instead: If you get a billing alert, don’t click. Open the Netflix app or manually type the site address to check your account. If there’s no issue there, the email wasn’t real.
The big picture: Attackers are exploiting browser crashes themselves as a social engineering tool, turning technical disruption into a pathway for malware installation.
What happened: Researchers reported a malvertising campaign promoting a fake ad-blocking browser extension called “NexShield,” which falsely claimed to be created by the developer of a well-known, legitimate ad blocker. Once installed, the extension intentionally overwhelmed the browser, causing freezes, crashes, and system instability.
After restart, victims were shown fake security warnings instructing them to “fix” the problem by running commands on their own computer. Following those instructions triggered the download of a remote access tool capable of spying, executing commands, and installing additional malware. The reporting was first detailed by Bleeping Computer, with technical analysis from security researchers.
Red flags to watch for:
How this scam works: This is a variant of ClickFix attacks. Instead of faking a problem, attackers cause a real one, then position themselves as the solution. The crash creates urgency and confusion, making people more likely to follow instructions they’d normally question. It turns frustration into compliance.
The big picture: QR codes are being used as stealth phishing tools, with highly targeted attacks tied to foreign intelligence operations.
What happened: The Federal Bureau of Investigation issued a warning about QR code phishing, or “quishing,” campaigns linked to a North Korean government-backed hacking group. According to reporting by Fox News, attackers sent emails containing QR codes that redirected victims to fake login pages or malware-hosting sites.
In some cases, simply visiting the site allowed attackers to collect device data, location details, and system information, even if no credentials were entered. These campaigns are highly targeted, often aimed at professionals in policy, research, and technology sectors.
Red flags to watch for:
How this scam works: QR codes hide the destination URL, removing the visual cues people rely on to judge safety. Because scanning feels faster and more “passive” than clicking a link, people often skip verification entirely. That moment of trust is what attackers exploit.
Read our ultimate guide to “quishing” and how to spot and avoid QR code scams here.
McAfee will be back next week with another roundup of the scams making headlines and the practical steps you can take to stay safer online.
The post This Week in Scams: Netflix Phishing and QR Code Espionage appeared first on McAfee Blog.
I don’t know about you, but I love Christmas in Australia, long summer days, the sound of cicadas at night, seafood on Christmas day, or traditional ham with roasted veggies. I just love the festive season. And I must confess that I love Christmas shopping. Yep, I’m one of those people! Once I’ve put some time and thought into what gift I’d like to give to my family members, I go online and surf for the perfect bargain, or simply to find out which retailers have the gifts I want.
But in my haste to type in an address I do make typos, and I’ve just read a report that tells me one little typo like missing the “o” in “.com” could land me somewhere I don’t want to be! This seemingly innocent misspelling in domain names is actually a criminal scheme to direct you to scam websites.
In the past, McAfee released a report that revealed .vn as the riskiest country code domain name. In 2024, the winner was .su, which stands for the former Soviet Union. Although the country is defunct, scammers continue to use this domain for phishing attacks that spread viruses and other nasties designed to cause havoc on your home computer. Certainly not what you need this Christmas. Australia’s domain “.au” is relatively safe in comparison to the rest of the web, but it certainly doesn’t mean we’re safe while surfing the wild, wild web.
Another 2024 report showed that .com, aside from being the most popular top-level domain, is now also the most abused one used in typosquatting.
As you go online to shop for holiday presents, make your banking payments, or book your holiday travel, you’ll need to be more alert about typing those domain names on the address bars to avoid being a victim of typosquatting. Here’s a more detailed look at this scam, its dangers, and what you do if you accidentally end up on a dangerous site.
Typosquatting is a cybercriminal tactic where attackers register domain names that closely resemble legitimate websites, specifically targeting common typing mistakes you might make when entering URLs. Google is the top impersonated brand, being misspelled online as goggle, closely followed by Microsoft as microsfot, and Amazon as amaz0n.
Malicious actors take advantage of the small slip-ups we all make, such as missing a letter, swapping characters, or hitting the wrong key, to redirect you to fake websites that steal your usernames, passwords, and personal information. Others may automatically download malware onto your device.
According to research in 2024, internet services are the most targeted names in typosquatting (29.2%), followed by professional services (26.09%) and online shopping websites (22.3%). The consequences can include identity theft, financial fraud, compromised accounts, and infected devices that put your entire digital life at risk.
Typosquatting thrives because it sits at the intersection of human habits and internet mechanics. Cybercriminals are banking on these small human blunders to direct you to their malicious look-alike domains, using visual tricks such as similar-looking characters or misleading subdomains. Throw in search ads and SEO that push these sites in front of us even without a typo, and you get a perfect storm for typosquatting. Once you understand the factors that allow typosquatting to flourish, you can avoid falling victim to it.
Typosquatters use a playbook of tweaks built around the typing mistakes people make. The goal is always the same: catch you in a moment of hurry and usher you to a fake page before you notice anything’s off. Being aware of these common typosquatting techniques will teach you to recognize when you might be in danger of visiting a fake website.
Typosquatting puts you at risk in several ways, one of which is that cybercriminals can steal your personal information through convincing phishing pages that look identical to legitimate sites. You might unknowingly enter your login credentials, credit card details, or other sensitive data directly into their hands.
Malware downloads represent another significant threat. Some fraudulent sites automatically install harmful software onto your device, potentially giving attackers remote access to your computer or mobile device. Payment fraud is particularly concerning when typosquatting targets banking or shopping websites, as you could complete transactions that go straight to scammers instead of legitimate businesses.
Your privacy could also suffer when malicious sites steal cookies and session data, allowing criminals to impersonate you on legitimate websites. They can access your accounts, view your browsing history, and monitor your online activities without your knowledge.
So here are my tips on how to stay safe while surfing:
Well, the number one tip goes without saying, Slip, Slop, and Slap when you’re lapping up the glorious Aussie sun, and don’t forget to reapply!
I only have one word for you: Antivirus!
Now I’ve got to admit, since starting out on this quest as Cybermum, I’ve learnt a few things, and I think one of the most important lessons has been that you can never have too much protection when it comes to your home computer. I liken having up-to-date security software to reapplying your sunscreen. Just because you loaded some security software a couple of years ago, doesn’t mean you’re safe now! You’re bound to get burnt unless you reapply, so for your computer, this means update! Check out McAfee Total Protection.
If you can end up in Cameroon surrounded by infected sites simply by missing an “o,” it’s certainly worthwhile checking your spelling before hitting the enter key!
I know I find it difficult to determine when a site is safe or not. I certainly know that my kids wouldn’t have even given it a second thought until I loaded McAfee’s WebAdvisor on our home computer. It’s pretty cool and it’s been really easy for my kids to understand as it provides a traffic light system of red, yellow and green icons to indicate a website’s risk level, so I know when my kids are surfing the net this summer they’ve got their own little traffic warden steering them away from sites that could have seen them surfing in Cameroon instead of Australia!
Aside from these key tips and the immediate steps listed above, I’ve rounded up a few other reminders to make sure you end up on a legitimate website and keep your device and information safe:
Typosquatting may seem like a small concern, but knowing its risks of typos can make a big difference in your online safety. Simple typing mistakes in domains can redirect you to malicious sites designed to steal your information or infect your devices.
To avoid becoming a victim of typosquatting, the key is for you to develop mindful habits such as bookmarking trusted sites and double-checking URLs before hitting the enter key on your keyboard, or before typing sensitive information or downloading files. Always look for secure connection indicators such as the padlock icon to confirm you’re on the correct website.
In addition, using reliable tools such as McAfee WebAdvisor and McAfee Total Protection gives you the assurance of safety while you browse, bank, and shop online. McAfee security solutions work quietly in the background, alerting you to suspicious sites and keeping you on the safe path. Share this knowledge with your family and friends, because when we’re all aware of these simple tricks that criminals use, we can all enjoy the internet more safely together.
Happy Christmas shopping and safe surfing.
The post Oh what a difference an “o” can make! appeared first on McAfee Blog.
Authored by Dexter Shin
Over the years, cyber threats targeting Android devices have become more sophisticated and persistent. Recently, McAfee Mobile Research Team discovered a new Android banking trojan targeting Indian users. This malware disguises itself as essential services, such as utility (e.g., gas or electricity) or banking apps, to get sensitive information from users. These types of services are vital for daily life, making it easier to lure users. We have previously observed malware that masquerades as utility services in Japan. As seen in such cases, utility-related messages, such as warnings that gas service will disconnect soon unless the bill is checked, can cause significant alarm and prompt immediate action from the users.
We have identified that this malware has infected 419 devices, intercepted 4,918 SMS messages, and stolen 623 entries of card or bank-related personal information. Given the active malware campaigns, these numbers are expected to rise. McAfee Mobile Security already detects this threat as Android/Banker. For more information, visit McAfee Mobile Security
As of 2024, India is the country with the highest number of monthly active WhatsApp users. This makes it a prime target for phishing attacks. We’ve previously introduced another Banker distributed via WhatsApp. Similarly, we suspect that the sample we recently found also uses messaging platforms to reach individual users and trick them into installing a malicious APK. If a user installs this APK, it will allow attackers to steal the victim’s financial data, thereby accomplishing their malicious goal.
Figure 1. Scammer messages reaching users via Whatsapp (source: reddit)
The malware we first identified was pretending to be an app that allowed users to pay their gas bills. It used the logo of PayRup, a digital payment platform for public service fees in India, to make it look more trustworthy to users.
Figure 2. Malware disguised as gas bills digital payment app
Once the app is launched and the permissions, which are designed to steal personal data such as SMS messages, are granted, it asks the user for financial information, such as card details or bank account information. Since this malware pretends to be an app for paying bills, users are likely to input this information to complete their payments. On the bank page, you can see major Indian banks like SBI and Axis Bank listed as options.
Figure 3. Malware that requires financial data
If the user inputs their financial information and tries to make a payment, the data is sent to the command and control (C2) server. Meanwhile, the app displays a payment failure message to the user.
Figure 4. Payment failure message displayed but data sent to C2 server
One thing to note about this app is that it can’t be launched directly by the user through the launcher. For an Android app to appear in the launcher, it needs to have “android.intent.category.LAUNCHER” defined within an <intent-filter> in the AndroidManifest.xml. However, since this app doesn’t have that attribute, its icon doesn’t appear. Consequently, after being installed and launched from a phishing message, users may not immediately realize the app is still installed on their device, even if they close it after seeing messages like “Bank Server is Down”, effectively keeping it hidden.
Figure 5. AndroidManifest.xml for the sample
In previous reports, we’ve introduced various C2 servers used by malware. However, this malware stands out due to its unique use of Supabase, an open-source database service. Supabase is an open-source backend-as-a-service, similar to Firebase, that provides PostgreSQL-based database, authentication, real-time features, and storage. It helps developers quickly build applications without managing backend infrastructure. Also, it supports RESTful APIs to manage their database. This malware exploits these APIs to store stolen data.
Figure 6. App code using Supabase
A JWT (JSON Web Token) is required to utilize Supabase through its RESTful APIs. Interestingly, the JWT token is exposed in plain text within the malware’s code. This provided us with a unique opportunity to further investigate the extent of the data breach. By leveraging this token, we were able to access the Supabase instance used by the malware and gain valuable insights into the scale and nature of the data exfiltration.
Figure 7. JWT token exposed in plaintext
During our investigation, we discovered a total of 5,558 records stored in the database. The first of these records was dated October 9, 2024. As previously mentioned, these records include 4,918 SMS messages and 623 entries of card information (number, expiration date, CVV) and bank information (account numbers, login credentials like ID and password).
Figure 8. Examples of stolen data
The initial sample we found had the package name “gs_5.customer”. Through investigation of their database, we identified 8 unique package prefixes. These prefixes provide critical clues about the potential scam themes associated with each package. By examining the package names, we can infer specific characteristics and likely focus areas of the various scam operations.
| Package Name | Scam Thema |
| ax_17.customer | Axis Bank |
| gs_5.customer | Gas Bills |
| elect_5.customer | Electrical Bills |
| icici_47.customer | ICICI Bank |
| jk_2.customer | J&K Bank |
| kt_3.customer | Karnataka Bank |
| pnb_5.customer | Punjab National Bank |
| ur_18.customer | Uttar Pradesh Co-Operative Bank |
Based on the package names, it seems that once a scam theme is selected, at least 2 different variants are developed within that theme. This variability not only complicates detection efforts but also increases the potential reach and impact of their scam campaigns.
Based on the information uncovered so far, we found that the malware actor has developed and is actively using an app to manage the C2 infrastructure directly from a device. This app can send commands to forward SMS messages from the victim’s active phones to specified numbers. This capability differentiates it from previous malware, which typically manages C2 servers via web interfaces. The app stores various configuration settings through Firebase. Notably, it utilizes Firebase “Realtime Database” rather than Firestore, likely due to its simplicity for basic data retrieval and storage.
Figure 9. C2 management mobile application
Based on our research, we have confirmed that 419 unique devices have already been infected. However, considering the continual development and distribution of new variants, we anticipate that this number will steadily increase. This trend underscores the persistent and evolving nature of this threat, emphasizing the need for careful observation and flexible security strategies.
As mentioned at the beginning of the report, many scams originate from messaging platforms like WhatsApp. Therefore, it’s crucial to remain cautious when receiving messages from unknown or uncertain sources. Additionally, given the clear emergence of various variants, we recommend using security software that can quickly respond to new threats. Furthermore, by employing McAfee Mobile Security, you can bolster your defense against such sophisticated threats.
APKs:
| SHA256 | Package Name | App Name |
| b7209653e226c798ca29343912cf21f22b7deea4876a8cadb88803541988e941 | gs_5.customer | Gas Bill Update |
| 7cf38f25c22d08b863e97fd1126b7af1ef0fcc4ca5f46c2384610267c5e61e99 | ax_17.customer | Client Application |
| 745f32ef020ab34fdab70dfb27d8a975b03e030f951a9f57690200ce134922b8 | ax_17.number | Controller Application |
Domains:
Firebase:
The post A New Android Banking Trojan Masquerades as Utility and Banking Apps in India appeared first on McAfee Blog.
FreshRSS