Phishing attempted when searching in password manager

Description of the issue:

When I go into the Brave settings → password manager and search, my firewall (AVG) blocks a network request to yourbonuses. top (spaced on purpose so nobody clicks it).

Is my browser infected with malware, since this is the only way it seems to trigger?

If you come across this and want to see a video of this happening, I have one; I just can’t attach it to this ticket.

How can this issue be reproduced?

  1. Open Brave Settings
  2. Password manager
  3. Search (top right)

Expected result:

for no blocked request

Brave Version (check About Brave):

Version 1.64.122 Chromium: 123.0.6312.122 (Official Build) (64-bit)

Additional Information:

Have done a deep scan to find nothing from AVG

MalwareBytes found the below:

Malwarebytes

-Log Details-
Scan Date: 4/12/2024
Scan Time: 5:28 PM
Log File: a8b0aca4-f8e9-11ee-8adf-d85ed3e6ad3e.json

-Software Information-
Version: 5.1.2.109
Components Version: 1.0.1214
Update Package Version: 1.0.83359
License: Trial

-System Information-
OS: Windows 11 (Build 22631.3447)
CPU: x64
File System: NTFS

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 245027
Threats Detected: 15
Threats Quarantined: 0
Time Elapsed: 2 min, 0 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
File system: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 2
Adware.Elex.ShrtCln, C:\USERS\CLARK\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, No Action By User, 5874, 454721, 1.0.83359, , ame, , ,
Adware.Elex.ShrtCln, C:\USERS\CLARK\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, No Action By User, 5874, 454721, 1.0.83359, , ame, , ,

File: 13
Adware.Elex.ShrtCln, C:\USERS\CLARK\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, 5874, 454721, 1.0.83359, , ame, , 7BC28490380E5D5613479DD93AD260A0, FB3D12F6650DF3C2203DAFB8F7A6E6FDCEE77EDA96ED9976897E6BEB54624C19
Adware.Elex.ShrtCln, C:\Users\clark\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000005.ldb, No Action By User, 5874, 454721, 1.0.83359, , ame, , 9DBFBF958D51CB8FB8AB587213A015BA, 4B9CAC32019C459B8F30C43D4C7A8632BD46E34950E78E231AB4CD9F8DA21C41
Adware.Elex.ShrtCln, C:\Users\clark\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000008.ldb, No Action By User, 5874, 454721, 1.0.83359, , ame, , BDB4B6D10A2299DC7E9921379D2465F4, FBAB5C6CCA49820F373018EA78910FDE0168CED366AD21E98CF0FD83B7988B72
Adware.Elex.ShrtCln, C:\Users\clark\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000011.ldb, No Action By User, 5874, 454721, 1.0.83359, , ame, , 7CA3A3019A5AE163A682D22348928CFF, D93EE3029C934C9C6F0E5BEAEC2839A54E9D74C936B7C34B7E9CCE7B2F2E46A3
Adware.Elex.ShrtCln, C:\Users\clark\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000014.ldb, No Action By User, 5874, 454721, 1.0.83359, , ame, , CE54A0B37D07399A1FF50F267B6F463C, 9AAAF3DFFB579A1734B63E47A2B8FD39D291633B57062BDAB47237BC1C3B3BE7
Adware.Elex.ShrtCln, C:\Users\clark\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000016.log, No Action By User, 5874, 454721, 1.0.83359, , ame, , 1879A2B1D38736B625CB60527318FF05, 7AC82CC77F06DEAE3B2B5A790B98A59D4DD6F16AD9DCCF08AB671F3569FA6BC0
Adware.Elex.ShrtCln, C:\Users\clark\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000017.ldb, No Action By User, 5874, 454721, 1.0.83359, , ame, , C34EA57CB5058C3ACCF5947B06F812EF, 68CF6635603946959FB581088E01461C335BBFBE6EB7015C19EFFA921A0907E5
Adware.Elex.ShrtCln, C:\Users\clark\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT, No Action By User, 5874, 454721, 1.0.83359, , ame, , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
Adware.Elex.ShrtCln, C:\Users\clark\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK, No Action By User, 5874, 454721, 1.0.83359, , ame, , ,
Adware.Elex.ShrtCln, C:\Users\clark\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG, No Action By User, 5874, 454721, 1.0.83359, , ame, , AC0B5D6531EDFFB19EEEB07B3B46D683, 864EAE9D514182A0C9917DAF0D04EBF0BEAB7AC1FB407F74D8E4EEDAF895FE22
Adware.Elex.ShrtCln, C:\Users\clark\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old, No Action By User, 5874, 454721, 1.0.83359, , ame, , 96EFE7E36C852E88C257CA44D95DAE96, 8E5FD3D2035FE66A85257D354CDD54E8ECC5F1A7588B8946B6B90189935170A2
Adware.Elex.ShrtCln, C:\Users\clark\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001, No Action By User, 5874, 454721, 1.0.83359, , ame, , FEC13C042C8F2B8A8BA7EF3676F19C74, 762F0D8B18D7FE605FF21353C7548B48F6CA222FF2B855E0B20531ADFF31A73A
Adware.Elex.ShrtCln, C:\USERS\CLARK\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, No Action By User, 5874, 454721, 1.0.83359, , ame, , 17EA1E2F21F91478C51E32E03D4A8758, BBA70A094BBA7687A147ECF12CDB534BB5C84800069C56B1F9F9E80E24099A45

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

Your scan seems to show it is.

And then it tells you, it’s adware.

So adware is a type of malware that installs onto our devices, typically via extensions, but it can go through any program or whatever. Its purpose is to gather our information and to do things like create pop-ups to advertise a website or product, which many times would be scams or contain viruses.

It makes it sound like this is something you installed on Chrome, not Brave. But hopefully you’ve cleared that out and you’re then trying to pay extra close attention to your device to see if it continues. If so, you may need to go to remove extensions and all.

Thanks for the reply

So I’ve just uninstalled Chrome for the time being, restarted my PC, and re-ran Malwarebytes, which now finds nothing. However, it was still happening, so I removed all extensions from Brave and it’s still being flagged by AVG.

Feel like next best is to uninstall Brave and reinstall it.

Any other suggestions before I do that?

If you looked at the filepath, it’s not in Brave.
C:\Users\clark\AppData\Local\Google\Chrome\User Data\Default\[etc.]
So that makes this really weird. Maybe it has something to do with AVs not 100% understanding Brave’s files yet, or possibly some level of unintentional encryption is preventing it from being detected and removed from Brave’s folder(s). @Mattches seems important.
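The filepath observation above can be checked mechanically. The following is an added example, not part of the original thread or of any Malwarebytes tooling: it parses the `-Scan Details-` item lines of a log in the format shown and tallies detections by the browser profile directory they sit under. The sample log is abridged from the one above with hash fields replaced by placeholders; the profile roots are the default Windows locations, and all function names are hypothetical.

```python
import re
from collections import Counter

# Default Windows profile roots (under %LOCALAPPDATA%), lower-cased for matching.
PROFILE_ROOTS = {
    "Chrome": r"\appdata\local\google\chrome\user data",
    "Brave": r"\appdata\local\bravesoftware\brave-browser\user data",
    "Edge": r"\appdata\local\microsoft\edge\user data",
}

# Constructed sample: abridged from the log above, hash fields replaced by placeholders.
SAMPLE_LOG = r"""-Scan Details-
Process: 0
(No malicious items detected)
Folder: 2
Adware.Elex.ShrtCln, C:\USERS\CLARK\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, No Action By User, 5874, 454721, 1.0.83359, , ame, , ,
File: 13
Adware.Elex.ShrtCln, C:\USERS\CLARK\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, 5874, 454721, 1.0.83359, , ame, , <md5>, <sha256>
Adware.Elex.ShrtCln, C:\Users\clark\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000005.ldb, No Action By User, 5874, 454721, 1.0.83359, , ame, , <md5>, <sha256>
Adware.Elex.ShrtCln, C:\USERS\CLARK\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, No Action By User, 5874, 454721, 1.0.83359, , ame, , <md5>, <sha256>
(end)
"""

SECTION = re.compile(r"^[A-Za-z ]+: \d+$")  # e.g. "File: 13", "Registry Key: 0"

def parse_detections(log_text):
    """Return (detection name, path) for each item line under -Scan Details-."""
    found, in_details = [], False
    for line in map(str.strip, log_text.splitlines()):
        if line == "-Scan Details-":
            in_details = True
        elif in_details and line and not line.startswith("(") and not SECTION.match(line):
            fields = [f.strip() for f in line.split(",")]  # assumes no comma in the path
            if len(fields) >= 3:
                found.append((fields[0], fields[1]))
    return found

def owning_browser(path):
    # Case-insensitive: the log mixes upper-case and mixed-case paths.
    return next((b for b, r in PROFILE_ROOTS.items() if r in path.lower()), "other")

def detections_by_browser(log_text):
    return Counter(owning_browser(path) for _, path in parse_detections(log_text))

def flagged_profile_files(log_text, browser):
    """Profile-relative paths flagged under one browser's User Data directory."""
    root = PROFILE_ROOTS[browser]
    hits = {p[p.lower().find(root) + len(root):].lstrip("\\")
            for _, p in parse_detections(log_text) if root in p.lower()}
    return sorted(hits)
```

On the sample, every detection is attributed to Chrome's profile and none to Brave's, which matches the point made in the post above.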

Long story short, it’s possible it changed some setting. Whenever adware gets installed, it doesn’t just act within the location it was installed. It would be trying to send info or open websites via your default web browser, which may be why it’s occurring within Brave. If you switched a different browser to your default and tried, does it flag that browser instead or does it only flag Brave?

A lot of what you’ll have to do is think back to what you’ve installed in the last 30 days or so, starting with the most recent. Everything from torrents, extensions, software programs, etc., and see if perhaps you can track it back to one of those. And as I mentioned, you may want to go look at specifics like what Brave’s home page is set for or whatever else.

Dealing with viruses, malware, adware, etc can be a big headache.

I know Hotdogs tagged in Mattches, but I’m going to try to tag in @fmarier as well since he is one of the security engineers. If he sees this and is able to respond, perhaps he and/or Matt might have some much better advice than I’ve given.

Lastly, I do want to confirm, you’re saying this only is happening when you go to search password manager? Oh, and with it being Friday afternoon, not sure if we’ll be lucky enough to see any replies today. And they tend to be off on the weekends, though might pop in randomly. Just saying this so you know might be delays. In the meanwhile, just have to go through with scans, try to narrow things down, perhaps remove cookies, etc. Big challenge is not knowing origin of issues.

And I don’t think it’s a false positive or anything. Unfortunately, I’m kind of limited here.

Have just made Edge the default and it never seems to happen, or at least I can’t get it to fire in Edge - but it will still fire in Brave and be logged as brave.exe.

Yes, this is the case - it’s never fired at any other time.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.