Fake Google Chrome update

Chrome needs to be updated. I was redirected to this phishing site after I visited www.mywot.com (a safe site by itself). It automatically started downloading some dangerous file, but Chrome detected it and asked me if I want to accept this file, because it is dangerous. So I declined this. Even if I download this file and don’t run it, am I still safe? It cannot be executed by itself? Anyway, is there any reason why Avast doesn’t detect this phishing site? And also didn’t detect this dangerous file which started downloading? I don’t have any screenshot or link; I was too scared so I closed the browser immediately. Thank you

Mywot site scan, is it this? Look at the screenshot.

Are you able to copy the redirect URL and scan it at www.virustotal.com?

Post link to scan result here

I am not sure if this link is connected with this redirect or not, but you can check for yourself. Copied from Quttera. htXXps://lh6.googleusercontent.com/pvrwwt3pafvbu-88w-tfp80xutpd7xlmzm_ffpsdwxu87qdf7gjy-a62-u_e_l-69tlbo-gq=s26-h26-e365

https://www.virustotal.com/en/url/6e8c336fb00ebf3008d6f047609ab7e3541b633c730bf1538051253994a0ec61/analysis/1492613134/

Web site category by Websense ThreatSeeker > search engines and portals

Thank you, but I still don’t understand this automatic redirect from this site to a phishing site and no detection from Avast. I cannot tell you if this URL is from this phishing site or not.

urlQuery > http://urlquery.net/report.php?id=1492612528937
404 error > click picture at top right to see

That phishing site looks different, so it was another URL. There is no way to search for it again. It looks like the standard Google Chrome download page but with a very strange URL.

This one is listed at PhishTank … but not the exact same

https://lh6.googleusercontent.com/-kXknkrcXcpE/VOn4DqJWHCI/AAAAAAAAAK4/trPZRy5aLJM/s284/GUARDIAO-ITAU-30-HORAS.png"

PhishTank > http://www.phishtank.com/phish_detail.php?phish_id=4599499

Yes, phishing, the same Quttera, maybe there is some truth about it. I reported this URL to Avast, let’s see what they analyze.

Be careful of sites claiming to update your Chrome. This is the most common way to spread Locky ransomware.

Also I would like to add that most of these Locky distributing websites are .top, not .com or anything else. :slight_smile:

I know that it is fake… but is there any danger if I just delete the downloaded file? Or can it be executed without my action? Locky is known, it is already in the virus database, I think.

Locky is known, it is already in the virus database, I think.
Yes / No / Maybe

Malware is not static, they update / change and release new versions to avoid detection, just like car manufacturers do to make you buy the new latest edition, face lift / new engine / new gadgets :wink:

Locky is usually well detected by Avast cloud and evo-gen, but it is a must to be on the lookout for something like this.

Even if it bypasses Avast, the behaviour shield can identify it and alert the user. :slight_smile:

Is there any way to block page redirecting? I hate it when I enter some safe site and I am immediately redirected to some malware site.

Use NortonDNS > https://dns.norton.com/

Alternative OpenDNS or GoogleDNS

And hope that anything not blocked is then blocked by avast … Nothing is 100% secure :-\

Yes, it can help, but I use Chrome and this browser uses a sandbox. So if I don’t run any downloaded file, am I safe when I browse the internet? Even if I visit a malware site, until I download something I am safe?

As said, nothing is 100% and no one has yet found the impenetrable internet defence

To be 100% … don’t turn on / connect your computer ;D

The usual safety measures include using Adblock Plus on Chrome/Firefox; at times it will save you if the website has a malicious ad linked to the ransom malware site.

I would say just watch out for an unknown site trying to get you to install a plugin or update. Generally these kinds of ransom malware spread via .top domains. So those are the usual things to look out for. :slight_smile:

Correction: Locky is pretty dead right now. These fake update things are Cerber ransom.

I use Adblock, but I was redirected anyway.