How to Protect Yourself from the Fake Windows Update Scam

A new cyber threat group known as Mad Liberator emerged in mid-July 2024. Its main tactic is data theft: stealing sensitive information from victims’ systems.

The Mad Liberator group uses a cunning approach in its attacks. It understands the role Windows updates play in protecting users and improving their security, and that users are unlikely to ignore an upcoming update.

Based on this principle, the group sets its traps using fake Windows updates aimed at stealing user data and then blackmailing the victims. So what are these new attacks? How do they work? And is there a way to protect yourself?

What are fake Windows updates?

The fake Windows update scam is a cunning trick in which a hacker establishes a connection with the target’s computer and, once they have access, displays a fake Windows update screen that looks like the familiar blue screen of death, with the words “Working on an update”, the percentage of completion of the update, and the words “Please do not turn off your computer”. While the fake update is on screen, the hacker works in the background to steal the computer’s files. By the time the fake update completes, they have already stolen the personal information they need; they then hold the stolen data for ransom and threaten to publish it on the dark web if the ransom is not paid.

How does the attack happen?

Fortunately, hackers cannot carry out this attack directly; they need an intermediary program that gives them elevated permissions on the computer, after which they can execute their attack properly.

According to a report issued by security company Sophos, hackers can carry out their attack through any remote desktop program. They have often been observed using AnyDesk, a legitimate, licensed program that is normally used for remote desktop sharing and lets people connect remotely from one computer to another.

In this attack, the hacker starts by asking random users on the platform to establish a connection with them. In AnyDesk, this requires entering the 10-digit number associated with each user. Sophos noted that the hackers arrive at valid numbers at random and do not target specific users.

If the victim accepts the connection request, the hacker gains access to the victim’s computer, then downloads a file called Microsoft Windows Update to it and runs it.

A fake Windows Update window then appears that mimics the real one, and the program also disables the keyboard to prevent the user from interfering.

While the user waits for the fake update to complete, the hacker works through the system and steals any vital information, including access to the OneDrive account associated with the victim’s username. Once the hacker has the files, they leave a ransom message demanding that the victim pay within a week, or the victim’s private files will be published on the dark web.
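The sequence described above (a remote desktop session, followed by a program named like Windows Update that runs from a user folder) can be turned into a simple detection rule. The Python below is an added example, not code from Sophos or from this article; the event format, field names, sample events and trusted paths are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry); the field names are assumptions.
EVENTS = [
    {"time": "2024-08-01T10:00:05", "type": "remote_session_start", "tool": "AnyDesk"},
    {"time": "2024-08-01T10:01:40", "type": "process_start",
     "image": r"C:\Users\alice\Downloads\Microsoft Windows Update.exe"},
    {"time": "2024-08-01T10:02:10", "type": "process_start",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"time": "2024-08-01T10:20:00", "type": "remote_session_end", "tool": "AnyDesk"},
    {"time": "2024-08-01T11:00:00", "type": "process_start",
     "image": r"C:\Users\alice\Desktop\Windows-Update.exe"},
]

# Assumed locations that standard users cannot write to.
TRUSTED_ROOTS = [PureWindowsPath(p) for p in
                 (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")]


def looks_like_update(image):
    """True if the file name imitates Windows Update branding."""
    stem = PureWindowsPath(image).stem.lower()
    words = stem.replace("_", " ").replace("-", " ").split()
    return "windows update" in " ".join(words)


def outside_trusted_root(image):
    """True if the binary does not live under a trusted root (case-insensitive)."""
    parents = PureWindowsPath(image).parents
    return not any(root in parents for root in TRUSTED_ROOTS)


def find_suspicious(events):
    """Flag update look-alikes started from untrusted paths during a remote session."""
    alerts, session_tool = [], None
    # ISO 8601 timestamps sort chronologically as plain strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] == "remote_session_start":
            session_tool = ev["tool"]
        elif ev["type"] == "remote_session_end":
            session_tool = None
        elif session_tool and ev["type"] == "process_start":
            if looks_like_update(ev["image"]) and outside_trusted_root(ev["image"]):
                alerts.append((ev["time"], session_tool, ev["image"]))
    return alerts


if __name__ == "__main__":
    for when, tool, image in find_suspicious(EVENTS):
        print(f"{when}: {image!r} started during {tool} session")
```

Only the first look-alike is flagged: the second one starts after the remote session has ended, so the rule ties the alert to the remote-access context rather than to the file name alone.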

What to do if you are attacked?

Although this tactic sounds malicious, it is easy to counter: all you need is to know that it exists and how it works.

Fortunately, hackers cannot perform this attack on any computer they want; they need a remote desktop program like AnyDesk to gain the necessary permissions to carry out the hack. So, don’t worry if you don’t have any remote access programs installed on your computer.

If you do use these programs, never accept a random request to access your computer. Remember that these applications do more than just give someone control over your mouse; they can also transfer files from your computer to theirs.

It is worth knowing how hackers use remote access programs to trick people. That way, if someone claims they need access to your computer to fix something, you can stop the hack before it reaches you by denying them access.

In the worst-case scenario, you allow them to access your computer and then see the fake Windows update screen. If this happens, simply disconnect your computer from the internet, either by unplugging the wired network cable or by turning off the router if you are connected to a Wi-Fi network. This cuts the connection between you and the hacker and prevents them from accessing your files.

Protection from fake Windows updates

Knowledge is the first step to avoiding falling victim to fake Windows updates, as well as other types of malicious attacks. Here are some tips to avoid falling victim to these insidious attacks:

Check the source: Does the Windows update prompt look different from what you’re used to? If you have enabled automatic updates, you shouldn’t see a prompt at all, so ask yourself these questions before clicking on any update. Legitimate Windows updates usually come directly from Microsoft’s official servers. Be wary of prompts to download updates from unknown websites or sources.

Verify the origin of the update: Examine the update claim carefully, and watch for signs of fraud such as spelling mistakes, grammatical errors, and irregular design. An update message that looks perfect and has no spelling mistakes is not necessarily legitimate, but an error is an easy sign that it’s not the real thing.

Enable automatic updates: To reduce the risk of encountering fake update prompts, enable automatic updates for Windows. This way you will receive real updates directly from Microsoft without having to install them manually.

Use a reliable antivirus program: Install a reliable antivirus program and keep it updated. These programs can help detect and remove malicious files before they cause problems.

Back up your data: A backup is a safe haven for your data that you can retrieve whenever you want. To stay safe, back up all your business data, including data in cloud tools like Microsoft 365, to an external device or cloud storage.

If your system is compromised by malware or ransomware, you can recover your data without giving in to ransom demands.
