Phishing Attempt? Fake Brave Homepage?

Hello all,

have been using Brave for a while now and been happy overall. Yesterday night, though, something very suspicious happened. Events in order:

/edit: just remembered another detail: before crashing, I got a pop up that said roughly “can’t run this program” or something along those lines from Brave - don’t remember exactly but that was roughly the gist of it.

  • Brave crashed
  • on restarting it, it asked me to create a user account, optionally with a password.
  • it had lost all open pages, locked me out of my BAT wallet and instead showed a page that seemed to be a brave.com info page but instead led me to “bravebrowsers .com” (no spaces)
  • old brave install was visible in win 10 apps list for a second (I could see what looked like two brave icons, I think) but vanished after half a second and didn’t show any more, just a new one supposedly installed on March 5th (would un-/reinstall but I’m, hopefully understandably, skeptical about allowing an uninstaller to run that I suspect to be part of phishing-ware).
  • virus scanners show all clear

Is this a known issue?
Is bravebrowsers a legit site?
What could have caused this?
What should I do to make sure nothing untoward has happened to my computer?

Thanks a lot!

/edit: added remembered detail

2 Likes

https://www.hybrid-analysis.com/sample/05dcb636a52190489f9d2e123fff8c17ae027f502603d3f15e570a170af280ea

Took the liberty of downloading this sample and running it thru Hybrid Analysis. Seems extremely malicious. Probably a new 0-day. Interestingly enough it seems to have spoofed certificates as well. FROM Brave.

2 Likes

Oh sh…, thanks for letting me know! Is there anything I can do/how should I react to this as it seems to be dodging current malware bytes/avast? how dangerous is the whole thing for the rest of my system?

1 Like

Did you install the fake Brave?

Didn’t download anything from that site - but the strange behavior of brave (the weird break message, the lost pages and wallet access on relaunch, the question to create a user profile and in particular the first page shown that auto-linked me to the fake site) make me suspect the damn whatever it is might have autoinstalled through the auto-updates function. Is that possible? What can I do to figure out if my machine is contaminated?

1 Like

Try scanning with HitmanPro

If nothing comes up and your still worried, send another message, and I have some extra tools for virus mitigation.

1 Like

Also remembered some more details:
When I reopened Brave after the crash, it didn’t show up at first and after a little bit, it became slow (don’t remeber the exact order) and I decided to kill it in task manager - which didn’t work, as any brave process I killed respawned (similar to what an anti-virus does). That only stopped when I deactivated my wifi and thereby the internet connection - at that point i could easily kill the process and it didn’t respawn.

1 Like

Thank you for your help, will try that!

Uhm, is it normal that the hitman link is the same as the one you posted the first time?

1 Like

Uhh did I post it? I’m a bit overtired. My bad.

Uh, well, the hitman pro text in your last post is URL tagged and leads to the scan at hybrid analysis - I assume that’s a c/p error? Hitman pro you’re suggesting is this one, right: https://www.hitmanpro.com/en-us/hmp.aspx?

1 Like

You got it. That’s the correct link.

Scan found only tracking cookies…
However, after I started installing HitmanPro, an unresponsive script warning is being shown by Firefox, telling me the script chrome//global/content/customElements.js:615 isn’t working any more. Given that neither Brave nor Chrome should even be running (and don’t turn up in the task manager) that also seems suspicious… so if you have any other suggestions I’d be more than happy!

/edit: actually, it found one file that supposedly doesn’t exist and might cause errors on start up (C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCsysTray8.exe ). Hitman deleted the cookies, not sure what it did to that file (if anything).

1 Like

Comodo Killswitch, definitely, can be found here

1 Like

/Edit: stopped being stupid and found a 64-bit version on cnet - all processes kill switch shows are either trusted or unknown/Error (Not Found). What does that mean? What do I do next?

All the unknown or error processes:
unknown:
YourPhoneServer.exe
Avast UI (and other avast antivirus stuff, with AvastSvc.exe not actually showing the avast logo)
SkypeBridge.exe
SkypeApp.exe
Microsoft.Photos.exe
YourPhone.exe
/edit:found another one I missed before: wsc_proxy.exe

Error (not found)
System idle process - System - Memory Compression
Registry

the website you mention seems to share the same whois information and redirects to the official brave.com website.

https://whois.domaintools.com/brave.com

https://whois.domaintools.com/bravebrowser.com

I still have the sample from the ‘virus’ version of the one that came from the fake website. I usually keep all my malware samples backed up so I ca tinker with them in my freetime.

What probably happened was a DCMA from Brave’s team themselves. Someone from the Brave Dev team care to comment? @steeven @Asad

-AASB

1 Like

@wackydude1234 the OP is linked to bravebrowsers with “s”.

IIRC the team is already aware of this site.

2 Likes

ah my bad i misread.

Wow, somehow I missed that. I am the definition of a nunce today. Anyways, it appears that their little site is build on wordpress…see below.

Hey @MonGC, thanks for reporting this. This is super weird.

You say you didn’t install from bravebrowsers.com at ALL, correct?

I can’t see how the auto-updater would do this but I will run it past the team.