We’ve Been Falling for This Trick for Over a Decade — and Hackers Know It

There’s a particular kind of audacity in impersonating a cybersecurity company to deliver malware. It’s the digital equivalent of a wolf dressing as a sheepdog. And yet, a recently uncovered campaign did exactly that — a fake Avast website lured unsuspecting users with a bogus virus scan, only to drop a nasty payload called Venom Stealer onto their machines.

If your first reaction was surprise, I’d challenge you to reconsider. You shouldn’t be surprised. Not even a little. Because this attack playbook is older than most people’s smartphones.

This Isn’t New — It’s a Greatest Hit

Malicious websites impersonating legitimate security software have been a staple of the cybercriminal toolkit since at least 2008–2010, when rogue antivirus software — sometimes called “scareware” — exploded onto the scene.

Back then, fake security tools like “Antivirus 2009” and “Windows Police Pro” terrorized millions of users by mimicking real scanners, displaying alarming (and completely fabricated) infection warnings, and demanding payment to “clean” the non-existent threats. The FBI estimated that scareware operators made over $150 million from victims in that era alone.

Fast forward fifteen-plus years, and the mechanics are virtually identical. The only thing that’s changed is the payload — and the branding being stolen.

The Venom Stealer Incident Is a Textbook Case

The fake Avast campaign is a masterclass in social engineering that exploits one fundamental human vulnerability: we trust brands we recognize.

Avast is a household name in cybersecurity. When someone lands on what appears to be Avast’s official site and sees a virus scan running in real-time, their guard drops. That’s precisely the moment Venom Stealer slips in — a malware strain designed to harvest browser credentials, cryptocurrency wallets, session cookies, and sensitive personal data.

What makes this particularly insidious is the irony. The user believes they’re protecting themselves. They’re actively seeking security. And that moment of vigilance is weaponized against them.

This isn’t a sophisticated zero-day exploit requiring nation-state resources. It’s a well-designed webpage and a convincing UI. The barrier to entry for this type of attack has never been lower — and the returns have never been higher.

Why Has Nothing Changed After 10+ Years?

This is the question that genuinely frustrates me — and should frustrate every security professional reading this.

We’ve had more than a decade of public awareness campaigns, browser warnings, phishing simulations, and corporate training programs. And yet, fake security software attacks remain stubbornly effective. Why?

Three reasons:

First, the talent pool of potential victims keeps refreshing. Every year, millions of new internet users come online with little to no security literacy. Attackers don’t need to evolve their tactics when there’s always a new audience to exploit.

Second, the trust signals we’ve built are easy to fake. A convincing logo, a cloned UI, and a spoofed domain are all it takes. Browser padlocks (HTTPS) — once thought to signal safety — are now used by the majority of phishing sites, according to research from the Anti-Phishing Working Group (APWG).

Third, the industry has focused on detection over prevention. We keep building better tools to catch malware after it lands. We haven’t done nearly enough to stop users from inviting it in themselves.

What Actually Needs to Change

I’ll be direct: end-user awareness alone will never solve this problem. We’ve been saying “think before you click” for fifteen years. It hasn’t worked well enough.

What we need is a structural shift. Browser vendors, domain registrars, and DNS providers need to collaborate more aggressively to identify and kill fraudulent sites before they accumulate victims. Google’s Safe Browsing and Microsoft’s SmartScreen are steps in the right direction — but they’re reactive systems, not proactive ones.

Security vendors whose brands are being impersonated — Avast included — need to invest heavily in brand protection intelligence, actively monitoring for lookalike domains and fake UI clones the moment they appear, not days or weeks later.

And organizations need to stop treating cybersecurity awareness training as an annual checkbox. Threat simulations should be continuous, contextual, and tied to real-world campaigns like this one.

The Bottom Line

The fake Avast/Venom Stealer attack isn’t remarkable because it’s clever. It’s remarkable because it doesn’t need to be. Criminals have been running this same playbook since before Instagram existed — and it keeps working.

The cybersecurity industry owes the public more than better malware detection. We owe them fewer opportunities to be deceived in the first place.

If you’re a security leader, ask yourself honestly: what are you doing today that would have actually stopped this attack? If the answer is “not much,” it’s time to rethink your strategy.