just for info: this is NOT my PC, not using Windows 10 (Windows 7 only for gaming X-D)

what the user sees is a perfectly faked Windows update message that says “Edge Update Version 94.0.4577 (official Version)”, so the user thinks “this will improve security”

also the domain suggests that: “web-security-addon.xyz”

host web-security-addon.xyz
web-security-addon.xyz has address 104.21.72.149
web-security-addon.xyz has address 172.67.151.100
web-security-addon.xyz has IPv6 address 2606:4700:3032::6815:4895
web-security-addon.xyz has IPv6 address 2606:4700:3035::ac43:9764
web-security-addon.xyz mail is handled by 10 eforward2.registrar-servers.com.
web-security-addon.xyz mail is handled by 10 eforward1.registrar-servers.com.
web-security-addon.xyz mail is handled by 20 eforward5.registrar-servers.com.
web-security-addon.xyz mail is handled by 15 eforward4.registrar-servers.com.
web-security-addon.xyz mail is handled by 10 eforward3.registrar-servers.com.

but it very likely does the exact opposite and installs ransomware.

those are the moments that can lead to data loss, including the loss of multiple not-so-securely saved passwords.

naive users without deeper knowledge of technology might want to click that button.

the website that offers the pictures and includes that malware-laden JavaScript is either:

  • hacked
  • or doing that on purpose

whois web-security-addon.xyz
Domain Name: WEB-SECURITY-ADDON.XYZ
Registry Domain ID: D214473533-CNIC
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: https://namecheap.com
Updated Date: 2021-11-21T18:53:08.0Z
Creation Date: 2020-12-18T13:20:39.0Z
Registry Expiry Date: 2022-12-18T23:59:59.0Z
Registrar: Namecheap
Registrar IANA ID: 1068
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: renewPeriod https://icann.org/epp#renewPeriod
Registrant Organization: Privacy service provided by Withheld for Privacy ehf
Registrant State/Province: Capital Region
Registrant Country: IS
Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Name Server: DAWN.NS.CLOUDFLARE.COM
Name Server: PETE.NS.CLOUDFLARE.COM
DNSSEC: unsigned
Billing Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registrar Abuse Contact Email:

Registrar Abuse Contact Phone: +1.6613102107
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/

>>> Last update of WHOIS database: 2021-11-26T14:15:51.0Z <<< For more information on Whois status codes,
please visit https://icann.org/epp >>> IMPORTANT INFORMATION ABOUT THE DEPLOYMENT OF RDAP: please visit
https://www.centralnic.com/support/rdap <<<
