Possible Phishing Attempt -- Heads Up--

Hey just wanted to give everyone a heads up to a possible phishing attempt/attack. Recently I just got an email that represented it was from Avast! and indicated that my subscription was running out on 25 November 2014. Five days prior to that date it indicated that they would automatically bill me for the renewal to the payment method that was on file in my account. The email stated “To review or update your subscription and payment information or to modify your auto-renewal settings, please login to your secured Avast customer portal using the button below and the following credentials:”. It then provided me with a link to a “customer support portal”, my login user name (which was correct) and my password (which was not my avast! password). Hovering over the link did not reveal a URL that appeared to be an Avast!-related URL, but rather the URL of et2.etr.im.ala, and hovering over the “contact customer service” link showed a URL of et2.etr.im.2s9.

Additionally, while my subscription renewal is coming up…it does not end on 25 November…that along with the provided incorrect password, and the wonky URLs made me suspect that it was a phishing attempt using Avast! as the “Trojan Horse”. The worrying thing is they did get my username and the fact that I’m an Avast! customer correct.

Sorry, the URLs were et2.etr.im/ala and et2.etr.im/2s9.

A couple of months ago the avast forums were hacked. As a result some usernames were compromised.
Please use the form which suits your needs best.

This should be reported to avast immediately.

https://support.avast.com/
http://www.avast.com/contact-form.php

Thanks I looked all over but couldn’t find any way to report it to them. I was kind of getting frustrated and was going to joke in the OP that my first clue should have been the “customer service portal”…Avast! tech support…sure…customer support…not so much.

both URLs are on same IP (109.232.193.114)
https://www.virustotal.com/nb/ip-address/109.232.193.114/information/

seems to contain multiple URLs not related to avast +blacklisted and there are also malicious files uploaded to VT that try to connect to this IP

to see the websites, click picture in top right corner in these links here
http://urlquery.net/report.php?id=1414349286555
http://urlquery.net/report.php?id=1414349332648

one looks like an avast site, the other looks like some French vacation website … absolutely suspicious

Thanks…the email looked pretty legit. Just noticed a couple things that were incorrect/wonky.

i guess you have already reported it … if not you may add a link to this topic

Interesting issue because that domain name Et2.etr.im uses a generic TLD and has an Unknown hosting company,
and has backlinks mainly to France. https://www.facebook.com/avast/posts/10152219917031144
Seems like an earlier watering hole attack with mail addresses found there now being abused.
With domain tools info we find our way back to Ile-de-France, Paris: http://whois.domaintools.com/etr.im
and site has WP. IP has been spreading Kryptik and Kazy malware: https://www.virustotal.com/nl/file/bc494fbf83e3214388fb9a7a0449036bc663c96caeefba209eed9b605d006726/analysis/
and also spread Win32 Dropper-Gen via ssppsvc.ex-

polonus

Guys, calm down…

That email is coming from Nexway, an official distributor of us.

pieman99, I’ve checked your account and it is due to renew on 20 November, through Nexway :slight_smile:

Why it has a different password? Because the Order portals are managed by each distributor while the Avast account is managed by us. Hence, they are different accounts on different systems.

That’s because the correct link is a1a instead of ala

We as user community check everything, when it is safe it is secure, always better safe than sorry.
Good to hear it has clearance now. ;D

polonus
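
The hover check described in the opening post (compare each link's real host with the sender the e-mail claims to be), as an added example that is not part of the thread. The expected-domain set, the `http://` scheme and the third link in the sample are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the reader expects for the claimed sender (not from the thread).
EXPECTED_DOMAINS = {"avast.com"}

# Constructed sample modelled on the e-mail described in the opening post.
SAMPLE_HTML = """
<p>To review or update your subscription, please login:</p>
<a href="http://et2.etr.im/ala">Customer portal</a>
<a href="http://et2.etr.im/2s9">Contact customer service</a>
<a href="https://support.avast.com/">Avast support</a>
"""

class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_matches(host, domains):
    """True only for an exact domain or a real subdomain, never a look-alike suffix."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def audit_links(html, expected=EXPECTED_DOMAINS):
    """Return one row per link with its real host and whether that host is expected."""
    parser = LinkCollector()
    parser.feed(html)
    return [{"text": text, "host": urlsplit(href).hostname,
             "expected": host_matches(urlsplit(href).hostname, expected)}
            for text, href in parser.links]

if __name__ == "__main__":
    for row in audit_links(SAMPLE_HTML):
        flag = "ok    " if row["expected"] else "VERIFY"
        print(f"{flag} {row['host']:<20} {row['text']}")
```

A host outside the expected set is a prompt to verify with the vendor, not proof of phishing: as the staff reply in this thread shows, the flagged links belonged to a distributor.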