Phishing in Disguise: Threat Actors Turning Legitimate Sites Into Antivirus Traps


Antivirus vendors have been significantly impacted by the latest phishing threats, which represent a sophisticated escalation in phishing tactics. Rather than registering new domains, scammers are compromising existing legitimate websites and planting phishing pages on them at paths that cannot be reached through the original website's own navigation.

Because of a lack of maintenance and security updates, antivirus vendor websites can be compromised with a known attack or vulnerability. Threat actors take advantage of these security holes in the legitimate websites to host malicious phishing pages directly beneath the trusted domains.

This approach is a double-edged threat to antivirus companies and the wider internet community: it subverts the vendors' security protocols and exploits consumers' natural trust in websites they have always considered trustworthy.

The Method Behind These Attacks

Exploiting CMS vulnerabilities

Content Management Systems (CMS) such as WordPress and Joomla, and SaaS platforms such as Dropbox or Drive, are integral to modern digital infrastructure. Vulnerabilities within these systems, however, can serve as gateways for phishing attacks.

CVE-2024-21622 is a major privilege escalation flaw, whereas CVE-2023-2453 allows remote code execution (RCE). If these vulnerabilities are left unaddressed, attackers can gain unauthorized access to the CMS and execute malicious code.

It was observed that, after exploiting such security loopholes or vulnerabilities, threat actors often escalate by attempting to upload a web shell to gain access to the panel.

WordPress plugin forminator 1.24.6 – Unauthenticated RCE
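A defender-side check for the web-shell step described above, added here as an example and not code from the original post or from any of the products it mentions: a CMS media upload tree such as WordPress's wp-content/uploads should hold only media, so any file there with a server-executable extension, a PHP open tag, or a PE header is worth investigating. The extension list, sample paths and file contents are constructed for the demonstration.

```python
import os
import re
from typing import Iterable, List, Tuple

# A CMS media upload tree (e.g. wp-content/uploads) should never hold server-executable files.
EXECUTABLE_EXTS = {"php", "php5", "phtml", "phar", "cgi", "pl", "jsp", "asp", "aspx"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
HEAD = 4096  # only the first bytes of each file are inspected

def classify_upload(path: str, head: bytes) -> List[str]:
    """Return the reasons one upload looks suspicious; an empty list means clean."""
    reasons = []
    base = os.path.basename(path).lower()
    # Every suffix is checked, so a double extension such as photo.php.jpg is caught.
    for ext in base.split(".")[1:]:
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"executable extension .{ext}")
            break
    if PHP_TAG.search(head):
        reasons.append("PHP open tag in content")   # script hidden behind an image extension
    if head.startswith(b"MZ"):
        reasons.append("PE executable header")
    if base == ".htaccess":
        reasons.append(".htaccess in upload tree")  # can re-enable script execution there
    return reasons

def scan_entries(entries: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, List[str]]]:
    """Scan (path, leading bytes) pairs and keep only the suspicious ones."""
    return [(p, r) for p, b in entries if (r := classify_upload(p, b[:HEAD]))]

def scan_directory(root: str) -> List[Tuple[str, List[str]]]:
    """Walk a real upload tree and scan each file's leading bytes."""
    def entries():
        for dirpath, _, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    yield full, fh.read(HEAD)
    return scan_entries(entries())

# Constructed sample upload tree (hypothetical paths and contents, not real files).
SAMPLE_UPLOADS = [
    ("uploads/2024/05/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("uploads/2024/05/banner.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("uploads/2024/05/photo.jpg", b"GIF89a<?php echo 1; ?>"),
    ("uploads/2024/05/photo.php.jpg", b"\xff\xd8\xff\xe0"),
    ("uploads/.htaccess", b"AddType application/x-httpd-php .jpg\n"),
]
```

Run `scan_directory("/var/www/html/wp-content/uploads")` against a real tree; `scan_entries(SAMPLE_UPLOADS)` flags the last three constructed entries.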

Misconfigured DNS records

DNS misconfigurations can unintentionally let attackers access or take over legitimate sites or subdomains. Incorrect or outdated DNS records allow fraudsters to divert legitimate traffic to malicious websites, creating significant security threats.

This makes the phishing more effective and may let attackers obtain genuine SSL certificates for these subdomains, further jeopardizing security.
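The outdated-record problem above can be audited from your own zone export. The check below is an added example, not the post's or any vendor's tooling: it flags CNAMEs whose target no longer resolves and CNAMEs that point at third-party hosting where ownership should be re-confirmed. The zone excerpt, the suffix list and the stand-in resolver are constructed; `live_resolver` is the real check to plug in.

```python
import socket
from typing import Callable, Dict, List, Tuple

Record = Tuple[str, str, str]          # (name, type, target) as exported from the zone
Resolver = Callable[[str], bool]       # hostname -> True if it resolves, False if NXDOMAIN

# Hosting suffixes where a deleted resource can often be re-registered by someone else.
# Illustrative list, not exhaustive; some providers answer wildcard DNS for deleted
# resources, so a target that still resolves is not proof that it is still yours.
THIRD_PARTY_SUFFIXES = (".github.io", ".herokuapp.com", ".azurewebsites.net", ".s3.amazonaws.com")

def live_resolver(host: str) -> bool:
    """Real resolver for use against your own zone export."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False

def find_dangling_cnames(records: List[Record], resolves: Resolver) -> List[Dict[str, str]]:
    """Flag CNAMEs whose target no longer resolves or points at third-party hosting to re-verify."""
    findings = []
    for name, rtype, target in records:
        if rtype.upper() != "CNAME":
            continue
        target = target.rstrip(".").lower()
        if not resolves(target):
            issue = "target does not resolve; record is dangling"
        elif target.endswith(THIRD_PARTY_SUFFIXES):
            issue = "third-party target; confirm the resource is still owned by us"
        else:
            continue
        findings.append({"name": name, "target": target, "issue": issue})
    return findings

# Constructed zone excerpt for a hypothetical vendor domain (not a real zone).
SAMPLE_ZONE: List[Record] = [
    ("www.example-av.test", "A", "203.0.113.10"),
    ("promo.example-av.test", "CNAME", "retired-campaign.hosting-provider.example."),
    ("docs.example-av.test", "CNAME", "example-av.github.io."),
    ("mail.example-av.test", "CNAME", "mail.example-av.test.mailrelay.example."),
]

# Constructed stand-in for DNS: the retired campaign host was deleted long ago.
LIVE_NAMES = {"example-av.github.io", "mail.example-av.test.mailrelay.example"}

def fake_resolver(host: str) -> bool:
    return host in LIVE_NAMES
```

`find_dangling_cnames(SAMPLE_ZONE, fake_resolver)` reports the promo record as dangling and the docs record for ownership review; swap in `live_resolver` for a real zone.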

Case Study: Bitdefender

Bolster’s Research Team was able to hunt down multiple scam websites mimicking legitimate antivirus vendors, giving direct insight into how these attacks happen and how businesses can, in turn, arm themselves against scams.

Cybercriminals frequently register domain names that closely resemble those of well-known brands to deceive users. In this case, the scam site “bitdeefender[.]com” was created to exploit users’ knowledge of Bitdefender, a well-known antivirus software vendor.

At first sight, the minor spelling error may be missed, leading unsuspecting consumers to believe they are accessing the genuine Bitdefender website. When visitors arrive at the deceptive site, they are redirected to an offer page hosted on the legitimate Bitdefender domain, but under a unique path meant to push a false offer.

Original: bitdeefender[.]com

Redirection: bitdefender[.]com/media/html/consumer/new/2020/cl-offer-opt/?pid=50offer&cid=aff%7Cc%7Clc
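Triage logic for redirect chains like the one above, added as an example and not part of the original post: it refangs the reported URLs, measures how far the source domain sits from the brand domain, and records the path on the brand site that the lookalike feeds traffic into so the page and its campaign parameters can be reviewed. The two-label registrable-domain rule is a simplification (real tooling uses the Public Suffix List), and the second observed chain is a constructed non-lookalike referrer for contrast.

```python
from typing import Dict, Sequence
from urllib.parse import urlsplit

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (simplification: real tooling uses the Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 or 2 edits away from a brand domain is the typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_url(url: str):
    """urlsplit that accepts the '[.]' defanging used in reports and bare hostnames."""
    url = url.replace("[.]", ".")
    return urlsplit(url if "://" in url else "http://" + url)

def triage_redirect(source: str, landing: str, brands: Sequence[str], max_dist: int = 2) -> Dict[str, object]:
    """Classify one observed redirect (source -> landing) against the brand domains being defended."""
    src, dst = split_url(source), split_url(landing)
    src_dom = registrable_domain(src.hostname or "")
    dst_dom = registrable_domain(dst.hostname or "")
    nearest = min(brands, key=lambda b: edit_distance(src_dom, b))
    dist = edit_distance(src_dom, nearest)
    result: Dict[str, object] = {
        "source_domain": src_dom,
        "nearest_brand": nearest,
        "lookalike": 0 < dist <= max_dist,
        "lands_on_brand": dst_dom in brands,
        "landing_path": dst.path + ("?" + dst.query if dst.query else ""),
    }
    if result["lookalike"] and result["lands_on_brand"]:
        result["verdict"] = "typosquat funnelling into the brand site; review the landing path and its campaign parameters"
    elif result["lookalike"]:
        result["verdict"] = "typosquat; candidate for takedown"
    else:
        result["verdict"] = "no lookalike signal"
    return result

# The chain reported in the case study, plus a constructed affiliate referrer for contrast.
OBSERVED = [
    ("bitdeefender[.]com", "bitdefender[.]com/media/html/consumer/new/2020/cl-offer-opt/?pid=50offer&cid=aff%7Cc%7Clc"),
    ("deals.partner-site.test", "bitdefender[.]com/media/html/consumer/new/2020/cl-offer-opt/?pid=50offer"),
]
```

Calling `triage_redirect(*OBSERVED[0], ["bitdefender.com"])` yields the "typosquat funnelling into the brand site" verdict with the offer path to review, while the constructed second chain yields "no lookalike signal".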

A screenshot of one of the impacted websites

Campaigns Targeting Antivirus Vendors

1. Cracked versions of antivirus apps with no key required

Cybercriminals distribute cracked antivirus software while claiming no activation key is required. While cost-effective on the surface, these versions can disable security safeguards, expose users to malware, and carry malicious payloads, turning trustworthy antivirus software into a trojan horse.

2. Free key available on online cybercrime forums

Cybercrime forums frequently distribute unauthorized antivirus keys, which creates significant hazards. Using these keys is illegal and may also lure people into downloading malware or expose them to cyber-attacks.

3. Phishing websites

Phishing websites that imitate actual antivirus vendors may promote counterfeit antivirus software or unique bargains to deceive customers into providing sensitive information, resulting in identity theft and financial losses.


4. Fake expiration notice

Cybercriminals also fool users by sending false antivirus expiration alerts via email or pop-ups. These bogus notifications cause hasty renewals at scam sites, jeopardizing personal and financial information.

Impact and Mitigation

Conclusion: Identifying Compromised Antivirus Software

Although the quick transition to digital platforms is advantageous, it also creates opportunities for hackers who specialize in using loopholes to launch phishing attacks. Antivirus programs are essential for protecting businesses, individuals, and systems, since they detect and stop phishing attempts along with many other attacks and malicious files. Threat actors can undermine the primary goal of antivirus software and attack businesses by exploiting the official antivirus providers’ websites to offer fraudulent or malicious antivirus software to unsuspecting users.

Proactive research and ongoing monitoring are essential to detect and prevent phishing sites, particularly in light of the recent emergence of novel phishing methods and strategies. Our findings also highlight the need for continuous monitoring of, and research on, phishing sites and malicious pages hosted on legitimate sites, so that such threats can be identified and countered preemptively.

Bolster’s AI-Security technology for anti-phishing and domain monitoring protects your business from evolving phishing threats. With continuous scanning technology that quickly identifies threats and misuse of your branded assets using trained LLMs, you can trust Bolster to protect your business.

See Bolster in action when you request a demo.