Fake Avast Phishing Site Steals Credit Card Data in Sophisticated Scam Cybercriminals have deployed a highly convincing phishing campaign targeting French-speaking users by impersonating Avast’s official website. The fraudulent page, nearly indistinguishable from the legitimate site, displays a fake €499.99 charge for an Avast product, complete with dynamic timestamps that update to match the visitor’s system time. The scam employs psychological pressure, claiming users have only 72 hours to cancel while simultaneously stating transactions older than 48 hours cannot be reversed. The site’s "refund form" harvests sensitive data, including full names, addresses, and credit card details (number, expiry, and CVV). To appear authentic, it validates card numbers using the Luhn algorithm before transmitting stolen information to the attackers’ server via a send.php script. After submission, victims see a deceptive confirmation message and a prompt to "uninstall Avast," further eroding security defenses. Adding to the deception, the site includes a live chat widget (Tawk.to ID: 689773de2f0f7c192611b3bf), allowing operators to interact with victims in real time, guiding them through the fraudulent process. The scheme targets multiple victim profiles legitimate Avast customers, confused users, and opportunists without requiring account verification or license keys. The campaign was identified by Malwarebytes, highlighting the risks of phishing tactics that exploit trusted brands and urgent financial alerts. No actual charges occur; the goal is solely to extract payment details under the guise of a refund.

A malware campaign has been discovered targeting systems using a vulnerable Avast Anti-Rootkit driver. This driver allowed malware to disable security tools and assume control over the system. The compromise affected various security products from multiple companies, with the malware utilizing kernel-level access to terminate security processes. Organizations were advised to instate protections against BYOVD (Bring Your Own Vulnerable Driver) tactics, which use legitimate but compromised drivers to evade detection. Indicators of compromise have been provided to assist in thwarting such attacks, highlighting the importance of protecting systems against kernel-level threats posed by flawed security drivers.

Avast successfully developed a decryptor for the DoNex ransomware family, identifying a flaw that allowed victims to recover their files without charge. Previously known as Muse and DarkRace, DoNex, which emerged in April 2022, targeted individuals and organizations, causing disruptions mainly in the US, Italy, and Belgium. By encrypting files with a ChaCha20 symmetric key and further securing the symmetric file key with RSA-4096 encryption, the ransomware demanded a ransom for file decryption. Avast’s decryptor has been distributed in secrecy since March 2024, in collaboration with law enforcement, to avoid alerting the ransomware authors. The company also provided the public with Indicators of Compromise to help identify and mitigate this security threat.

In May 2014, the Avast anti-virus forum was hacked and 423k member records were exposed online. The Simple Machines Based forum included usernames, email addresses and password hashes of about 422,959 individuals.