A convincing fake Avast site displays a €499.99 charge and promises a refund. Instead, it harvests your name, address, and full credit card details.
A fraudulent website dressed in Avast’s brand is tricking French-speaking users into handing over their full credit card details—card number, expiry date, and three-digit security code—under the cover story of processing a €499.99 refund that was never owed to them. The operation combines live chat “support,” a hardcoded alarming transaction amount, and a convincing replica of Avast’s visual identity to create urgency and harvest payment data at scale.
The phishing page opens with what appears to be a legitimate Avast web portal. The Avast logo is loaded directly from Avast’s own content delivery network—a deliberate touch that ensures the orange-and-white shield renders perfectly and passes a casual visual check. The page header offers links to “Home,” “My Account,” and “Help,” all styled to match Avast’s real interface. Below the header, a warning box in Avast’s signature orange catches the eye: cancellation requests must be filed within 72 hours, it says.
Then, in the same breath, it warns that transactions older than 48 hours “can no longer be cancelled.” The internal contradiction is easy to miss when your attention is fixed on the larger claim just below it. That claim is a transaction record showing today’s date and a debit of -€499.99. The date is not hardcoded. A single line of JavaScript reads the visitor’s local system clock and writes the current date into the page at load time.
Whenever a victim arrives, whether on a Tuesday in February or a Friday in August, the charge appears to have happened that very morning. The amount, however, is fixed. Every visitor sees exactly -€499.99, a sum carefully chosen to be large enough to provoke immediate action but not so large as to strain credibility for a software subscription. There is no real transaction. No Avast account has been accessed.
The number exists solely to make the visitor feel robbed. The cancellation form below asks for a reason for the refund (a dropdown offers “Avast refund,” “Fraudulent transaction,” “Duplicate transaction,” and “Other”), followed by a full set of personal information: first name, last name, email address, phone number, street address, city, region, and postal code. Filling in this section is framed as routine identity verification—necessary, the page implies, before any refund can be processed.
Once the form is submitted, a modal dialogue appears titled “Card Information.” The page asks for the victim’s credit card number, expiry date, and CVV security code, supposedly so the refund can be credited back to the original payment method. The page even implements Luhn algorithm validation (the mathematical check banks use to verify card numbers) so test numbers or accidental typos are rejected before submission.
Only structurally valid card numbers are accepted. When the Confirm button is clicked, the browser sends a POST request to send.php, a backend file that receives the entire payload as a JSON object. That payload contains every field the victim filled in: name, address, contact details, card number, expiry, and CVV. Below that reassuring message sits a button labeled “Uninstalling Avast”, a final social engineering nudge encouraging the victim to remove the very security software that might otherwise alert them to what has just happened.
What sets this campaign apart from many phishing pages is the presence of a real-time live chat widget embedded in the bottom-right corner of the screen. The widget is provided by Tawk.to, a legitimate customer support platform, and carries the account identifier 689773de2f0f7c192611b3bf with widget code 1j27pp82q. This means someone (almost certainly the operators of the phishing site) can see when a visitor is on the page and engage them in live conversation.
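For analysts triaging a reported page, the traits described so far can be checked mechanically against a saved copy of its HTML. The Python below is an added example, not code from the phishing page or from Malwarebytes; the brand domain, the regex heuristics, the `triage` function and the sample page (including its placeholder hostnames) are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND = "avast.com"  # assumption: domain the real brand serves assets from
TAWK = re.compile(r"embed\.tawk\.to/([0-9a-f]{24})/(\w+)")
AMOUNT = re.compile(r"\d+[.,]\d{2}\s*€|€\s*\d+[.,]\d{2}")

class Facts(HTMLParser):
    """Collect image hosts, input names and inline script text."""
    def __init__(self):
        super().__init__()
        self.imgs, self.inputs, self.js, self.in_js = set(), [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.in_js = tag == "script"
        if tag == "img":
            self.imgs.add(urlparse(a.get("src") or "").hostname or "")
        elif tag == "input":
            self.inputs.append(f"{a.get('name')} {a.get('id')}")
    def handle_endtag(self, tag):
        self.in_js = False
    def handle_data(self, data):
        if self.in_js:
            self.js.append(data)

def triage(html, page_host):
    """Return the traits from the write-up that a saved page shows (heuristics)."""
    f = Facts()
    f.feed(html)
    js = "".join(f.js)
    branded = lambda h: h == BRAND or h.endswith("." + BRAND)
    tawk = TAWK.search(html)
    found = {
        "hotlinked_brand_logo": not branded(page_host) and any(map(branded, f.imgs)),
        "clock_date_fixed_amount": "new Date(" in js and bool(AMOUNT.search(html)),
        "card_fields": any(re.search(r"card|carte|cvv|cvc|expir", i, re.I) for i in f.inputs),
        "luhn_check": bool(re.search(r"%\s*10\b", js) and re.search(r"\*\s*2\b|-=?\s*9\b", js)),
        "json_post_to_php": "JSON.stringify" in js and bool(re.search(r"['\"][\w./-]+\.php['\"]", js)),
        "tawk_widget": tawk.groups() if tawk else False,
    }
    return {k: v for k, v in found.items() if v}

# Constructed sample page (not a copy of the real one); the logo host is a placeholder.
SAMPLE = """<img src="https://static.avast.com/placeholder-logo.svg"><p>-499,99 €</p>
<input name="cardNumber"><input name="expiry"><input name="cvv">
<script>document.title = new Date().toLocaleDateString("fr-FR");
function luhn(n){let s=0;[...n].reverse().forEach((c,i)=>{let d=+c;if(i%2){d=d * 2;if(d>9)d-=9}s+=d});return s % 10===0}
fetch("send.php",{method:"POST",body:JSON.stringify({})});</script>
<script src="https://embed.tawk.to/689773de2f0f7c192611b3bf/1j27pp82q"></script>"""
```

Calling `triage(SAMPLE, "refund-portal.example")` returns all six traits; no single one is conclusive, since Luhn checks and chat widgets are common on legitimate checkout pages, so the combination on a host outside the brand's domain is what merits escalation.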
The tactical value is significant. A confused visitor who notices the timing mismatch (“72 hours” vs “48 hours”), or who hesitates before entering card details, can be nudged forward by a “support agent” offering reassurance in real time. What makes this page unusually effective is that it does not need to target a specific type of person. It is built to catch four entirely different kinds of visitor with the same form, each with a different reason to comply.
The page never has to distinguish between these visitors. It asks no questions that would reveal which profile a person belongs to. No account login, or license key, or proof of purchase. Just a charge, a form, and a card field. Refund scams like this are not limited to Avast. Any brand can be impersonated. Here are the warning signs to watch for: Spotting even one of these signs should make you stop.
Do not enter personal or financial information on a page you reached through an unsolicited message or suspicious link.
Original Source: Malwarebytes.com | Author: Stefan Dasic | Published: February 24, 2026, 8:28 am

