Avoid getting scammed by websites displaying "Firewall Spyware Alert"

What is the "Firewall Spyware Alert"?

"Firewall Spyware Alert" is the name of a technical support scam, which is promoted through various highly untrustworthy sites. There are several versions of this online scheme, yet thematically they are identical. The primary differences are visual, and there are slight variations on the fake messages.

Essentially, these scams claim that users' devices have been infected with spyware and/or other viruses, and urge them to establish contact with the scammers by calling the provided telephone numbers. The "Firewall Spyware Alert" scam is disguised as an alert from Microsoft (or its products).

It must be emphasized that none of the information provided by this scheme is true, and it is in no way associated with the real Microsoft Corporation. Tech support scams aim to gain and subsequently abuse victims' trust - to generate profit at their expense.

These schemes pose a serious threat to device and user safety. Typically, users enter deceptive websites via mistyped URLs, or redirects caused by intrusive advertisements or installed PUAs (Potentially Unwanted Applications).

When users access webpages running the "Firewall Spyware Alert" scam, they are presented with multiple pop-up windows. The text in the pop-ups claims that the system has been infected with firewall/trojan spyware, and as a result - the device is currently blocked.

The nonexistent threat can be specified as error "#0x268d3(x7)", "#x00082dfo09d", or something similar.

These windows can include brief infection/virus descriptions, results of fake system scams, potential threat lists (e.g., exposed email credentials, banking passwords, social media accounts, stored pictures and documents, etc.), and so on.

Throughout the messages, users are told to call the fake "helplines" in order to remove the alleged threats and recover access to their device.

Technical support scams begin when the numbers they promote are called, yet how they progress from that point differs. The main source of revenue are the exorbitant fees for the scammers' "services". Typically, they attempt to gain remote access to the victims' devices.

From then on, they can run fake system scans, perform bogus malware removal processes, uninstall genuine protection tools, install fraudulent anti-viruses (which require purchase), infect the system with real malware (e.g., trojans, ransomware, cryptominers, etc.), extract sensitive/private information, and so forth.

Scammers often infiltrate Remote Access Trojans (RATs) into their victims' systems, through which they can ensure (potentially indefinite) remote access and control over the computers.

Vulnerable data can be extracted from the victims by tricking them into revealing it, entering the information into phishing websites (e.g., disguised as online banking log-in pages, fake payment gateways, etc.), or via data-stealing malware.

Information of interest includes (but is not limited to): names, addresses, telephone numbers, emails, various account/service/platform log-in credentials (i.e., IDs, usernames, and passwords), banking account details, credit card numbers, etc. Scammers usually request the victims to pay in digital currencies (e.g., cryptocurrencies, pre-paid vouchers, gift cards, etc.), which are difficult/impossible to trace and/or refund.

In many cases, successfully scammed victims are targeted repeatedly.

To summarize, by trusting the "Firewall Spyware Alert" scam, users can experience system infections, severe privacy issues, significant financial losses, and even identity theft. Should it be impossible to close a scam webpage - the Windows Task Manager must be used to end the browser's process.

Additionally, upon the browser's reopening, it is important not to restore the previous browsing session - as that will also reopen the deceptive website.

As mentioned in the introduction, scam sites can be force-opened by PUAs infiltrated into the system. These applications can have different heinous functionalities, and these functions can be in varied combinations. Adware-type PUAs run intrusive advertisement campaigns.

The delivered ads promote untrustworthy/malicious websites and stealthily download/install software - when they are clicked on. Another type of PUA called browser hijacker - modifies browser settings and restricts/denies access to them in order to promote fake search engines.

The promoted web searchers are usually cannot provide search results, so they redirect to Google, Bing, Yahoo, and other legitimate search engines. What is more, most PUAs have data tracking abilities.

They monitor browsing activity (browsing and search engine histories) and collect sensitive information extracted from it (IP addresses, geolocations, and personally identifiable details). The collected data is then monetized by being sold to third-parties.

Therefore, to protect device and user safety, it is crucial to remove all suspicious applications and browser extensions/plug-ins immediately upon detection.

Threat Summary:

Name	Firewall Spyware Alert tech support scam
Threat Type	Phishing, Scam, Social Engineering, Fraud
Fake Claim	Scam claims users devices have been infected and blocked.
Disguise	Alert from Microsoft
Tech Support Scammer Phone Number	+1-585-205-7786 and +1-888-308-5768
Related Domains	badlyf[.]xyz
Detection Names (badlyf[.]xyz)	Fortinet (Phishing), Google Safebrowsing (Phishing), Kaspersky (Malware), SCUMWARE.org (Malware), Trustwave (Malicious), Full List Of Detections (VirusTotal)
Serving IP Address (badlyf[.]xyz)	157.230.233.245
Symptoms	Fake error messages, fake system warnings, pop-up errors, hoax computer scan.
Distribution methods	Compromised websites, rogue online pop-up ads, potentially unwanted applications.
Damage	Loss of sensitive private information, monetary loss, identity theft, possible malware infections.
Malware Removal (Windows)	To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. ▼ Download Combo Cleaner To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available.

"McAfee Tollfree", "Code #007d3Cx0d", "Error Code: #0x564897", "Microsoft Security Essentials Alert", and "Suspicious Movement Distinguished On You IP" are some examples of tech support scams. The Internet is rife with misleading, deceptive, and malicious content.

Popular scam models are: warnings that the system is infected or at risk, alerts that an essential piece of software is outdated or missing, ludicrous offers and deals, fake prize giveaways and raffles, etc.

Regardless of what the schemes offer, promise, request, or demand, the end-goal is the same - to generate revenue for the scammers/ cyber criminals behind them. Due to how prevalent online scams are, it is strongly advised to exercise caution when browsing.

How did potentially unwanted applications install on my computer?

PUAs are distributed through download/installation setups of other programs. This false marketing method of packing regular software with unwanted or malicious additions - is called "bundling".

Rushed download/installation processes (e.g., ignored terms, skipped steps and sections, etc.) increase the risk of inadvertently allowing bundled content into the system. Intrusive advertisements are used to spread PUAs as well.

Once clicked on, the ads can execute scripts to download/install these applications without user consent. PUAs may also have "official" promotional/download webpages.

How to avoid installation of potentially unwanted applications?

It is recommended to research software prior to download/installation and/or purchase. Additionally, all downloads must be performed from official and verified sources.

Untrustworthy download channels, e.g., unofficial and free file-hosting websites, Peer-to-Peer sharing networks, and other third-party downloaders - commonly offer harmful and bundled content.

When downloading/installing, it is important to read terms, study possible options, use the "Custom/Advanced" settings and opt-out from additional apps, tools, features, etc. Intrusive advertisements appear legitimate and innocuous; however, they redirect to various unreliable and questionable sites (e.g., gambling, pornography, adult-dating, and so on).

In case of encounters with ads and/or redirects of this kind, the system must be inspected and all dubious applications and browser extensions/plug-in detected - removed from it without delay.

If your computer is already infected with PUAs, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate them.

Text presented in the "Firewall Spyware Alert" scam:

Main pop-up:

 

Windows_Firewall_protection
Microsoft
Firewall Alert - Error Code: #0x268d3(x7)
Access to this PC has been blocked for security reasons.
Contact Windows Support: +1-585-205-7786
Threat_Detected - Trojan Spyware
App: Ads.financetrack(1).exe
[Quick Support] [Go Back Safety]

 

-------------------------

 

Background pop-ups:

 

1:

 

Microsoft-Windows-Defender-Alert : Call +1-585-205-7786     (USA-Toll-Free)
You Are Protected
Protection Updates: Current
Last Scan: Not available | Quick Scan
Licenses Used: 1 of 5 | Install on Another Device
Security Identity Performance Firewall
Disabled At Risk Optimized Turned Off

 

STATUS : Your PC is at Risk!

 

2:

 

Quick Scan
Done
Working
Scanning commonly infected areas and startup files...
C:Program FilesWindows_DefenderMSASCuiL.exe

 

Results Summary
[+] Total items scanned:
[+] Total security risks detected:
[+] Total security risks resolved:
Total security risks requiring attention:
Microsoft [Pause][Stop]

 

3:

 

Windows_Defender - Security Warning
** ACCESS TO THIS PC HAS BEEN BLOCKED FOR SECURITY REASONS **
Your computer has alerted us that it has been infected with a Trojan Spyware. The following data has been compromised.
> Email Credentials
> Banking Passwords
> Facebook Login
> Pictures & Documents
Windows_Defender Scan has found potentially unwanted Adware on this device that can steal your passwords, online identity, financial information, personal files, pictures or documents.
You must contact us immediately so that our engineers can walk you through the removal process over the phone.
Call Microsoft Support immediately to report this threat, prevent identity theft and unlock access to this device.
Closing this window will put your personal information at risk and lead to a suspension of your Windows Registration.
Call Microsoft Support: +1-585-205-7786     (USA-Toll-Free)
[Cancel] [OK]

The appearance of "Firewall Spyware Alert" pop-up scam (GIF):

Screenshot of the "Firewall Spyware Alert" scam's alternative variant:

Text presented in this variant's main pop-up window:

Firewall-Protection-Alert !!

 

Microsoft

 

Firewall-Spyware-Alert - Error Code: #x00082dfo09d
Access to this PC has been blocked for security reasons.
Firewall Helpline: +1-888-308-5768

 

Threat-Detected - Firewall-Spyware
App: Ads.financetrack(1).exe
[Quick Support]

Instant automatic malware removal: Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available.

Quick menu:

• What is "Firewall Spyware Alert"?
• STEP 1. Uninstall deceptive applications using Control Panel.
• STEP 2. Remove rogue extensions from Google Chrome.
• STEP 3. Remove potentially unwanted plug-ins from Mozilla Firefox.
• STEP 4. Remove rogue extensions from Safari.
• STEP 5. Remove rogue plug-ins from Microsoft Edge.
• STEP 6. Remove adware from Internet Explorer.

Removal of potentially unwanted applications:

Windows 7 users:

Click Start (Windows Logo at the bottom left corner of your desktop), choose Control Panel. Locate Programs and click Uninstall a program.

Windows XP users:

Click Start, choose Settings and click Control Panel. Locate and click Add or Remove Programs.

Windows 10 and Windows 8 users:

Right-click in the lower left corner of the screen, in the Quick Access Menu select Control Panel. In the opened window choose Programs and Features.

Mac OSX users:

Click Finder, in the opened screen select Applications. Drag the app from the Applications folder to the Trash (located in your Dock), then right click the Trash icon and select Empty Trash.

In the uninstall programs window, look for any suspicious/recently-installed applications, select these entries and click "Uninstall" or "Remove".

After uninstalling the potentially unwanted application, scan your computer for any remaining unwanted components or possible malware infections. To scan your computer, use recommended malware removal software.

Remove rogue extensions from Internet browsers:

Video showing how to remove potentially unwanted browser add-ons:

Remove malicious extensions from Google Chrome:

Click the Chrome menu icon  (at the top right corner of Google Chrome), select "More tools" and click "Extensions". Locate all recently-installed suspicious browser add-ons and remove them.

Optional method:

If you continue to have problems with removal of the firewall spyware alert tech support scam, reset your Google Chrome browser settings. Click the Chrome menu icon  (at the top right corner of Google Chrome) and select Settings. Scroll down to the bottom of the screen. Click the Advanced… link.

After scrolling to the bottom of the screen, click the Reset (Restore settings to their original defaults) button.

In the opened window, confirm that you wish to reset Google Chrome settings to default by clicking the Reset button.

Remove malicious plugins from Mozilla Firefox:

Click the Firefox menu (at the top right corner of the main window), select "Add-ons". Click on "Extensions", in the opened window remove all recently-installed suspicious browser plug-ins.

Optional method:

Computer users who have problems with firewall spyware alert tech support scam removal can reset their Mozilla Firefox settings.

Open Mozilla Firefox, at the top right corner of the main window, click the Firefox menu, in the opened menu, click Help.

Select Troubleshooting Information.

In the opened window, click the Refresh Firefox button.

In the opened window, confirm that you wish to reset Mozilla Firefox settings to default by clicking the Refresh Firefox button.

Remove malicious extensions from Safari:

Make sure your Safari browser is active, click Safari menu, and select Preferences....

In the opened window click Extensions, locate any recently installed suspicious extension, select it and click Uninstall.

Optional method:

Make sure your Safari browser is active and click on Safari menu. From the drop down menu select Clear History and Website Data...

In the opened window select all history and click the Clear History button.

Remove malicious extensions from Microsoft Edge:

Click the Edge menu icon  (at the upper-right corner of Microsoft Edge), select "Extensions". Locate all recently-installed suspicious browser add-ons and click "Remove" below their names.

Optional method:

If you continue to have problems with removal of the firewall spyware alert tech support scam, reset your Microsoft Edge browser settings. Click the Edge menu icon  (at the top right corner of Microsoft Edge) and select Settings.

In the opened settings menu select Reset settings.

Select Restore settings to their default values. In the opened window, confirm that you wish to reset Microsoft Edge settings to default by clicking the Reset button.

• If this did not help, follow these alternative instructions explaining how to reset the Microsoft Edge browser.

Remove malicious add-ons from Internet Explorer:

Click the "gear" icon (at the top right corner of Internet Explorer), select "Manage Add-ons". Look for any recently-installed suspicious browser extensions, select these entries and click "Remove".

Optional method:

If you continue to have problems with removal of the firewall spyware alert tech support scam, reset your Internet Explorer settings to default.

Windows XP users: Click Start, click Run, in the opened window type inetcpl.cpl In the opened window click the Advanced tab, then click Reset.

Windows Vista and Windows 7 users: Click the Windows logo, in the start search box type inetcpl.cpl and click enter. In the opened window click the Advanced tab, then click Reset.

Windows 8 users: Open Internet Explorer and click the gear icon. Select Internet Options.

In the opened window, select the Advanced tab.

Click the Reset button.

Confirm that you wish to reset Internet Explorer settings to default by clicking the Reset button.

Summary:

Commonly, adware or potentially unwanted applications infiltrate Internet browsers through free software downloads. Note that the safest source for downloading free software is via developers' websites only. To avoid installation of adware, be very attentive when downloading and installing free software. When installing previously-downloaded free programs, choose the custom or advanced installation options – this step will reveal any potentially unwanted applications listed for installation together with your chosen free program.

Removal assistance:
If you are experiencing problems while trying to remove firewall spyware alert tech support scam from your computer, please ask for assistance in our malware support forum.

Post a comment:
If you have additional information on firewall spyware alert tech support scam or it's removal please share your knowledge in the comments section below.

Click to post a comment