A fraudulent website dressed in Avast’s brand is tricking French-speaking users into handing over their full credit card details—card number, expiry date, and three-digit security code—under the cover story of processing a €499.99 refund that was never owed to them.
The operation combines live chat “support,” a hardcoded alarming transaction amount, and a convincing replica of Avast’s visual identity to create urgency and harvest payment data at scale.
The phishing page opens with what appears to be a legitimate Avast web portal. The Avast logo is loaded directly from Avast’s own content delivery network—a deliberate touch that ensures the orange-and-white shield renders perfectly and passes a casual visual check. The page header offers links to “Home,” “My Account,” and “Help,” all styled to match Avast’s real interface.
Below the header, a warning box in Avast’s signature orange catches the eye: cancellation requests must be filed within 72 hours, it says. Then, in the same breath, warns that transactions older than 48 hours “can no longer be cancelled.” The internal contradiction is easy to miss when your attention is fixed on the larger claim just below it.
That claim is a transaction record showing today’s date and a debit of -€499.99. The date is not hardcoded. A single line of JavaScript reads the visitor’s local system clock and writes the current date into the page at load time. Whenever a victim arrives, whether on a Tuesday in February or a Friday in August, the charge appears to have happened that very morning.
The amount, however, is fixed. Every visitor sees exactly -€499.99, a sum carefully chosen to be large enough to provoke immediate action but not so large as to strain credibility for a software subscription.
There is no real transaction. No Avast account has been accessed. The number exists solely to make the visitor feel robbed.
The cancellation form below asks for a reason for the refund (a dropdown offers “Avast refund,” “Fraudulent transaction,” “Duplicate transaction,” and “Other”), followed by a full set of personal information: first name, last name, email address, phone number, street address, city, region, and postal code. Filling in this section is framed as routine identity verification—necessary, the page implies, before any refund can be processed.
Once the form is submitted, a modal dialogue appears titled “Card Information.” The page asks for the victim’s credit card number, expiry date, and CVV security code, supposedly so the refund can be credited back to the original payment method.
This is the moment the operation has been building toward.
The page even implements Luhn algorithm validation (the mathematical check banks use to verify card numbers) so test numbers or accidental typos are rejected before submission. Only structurally valid card numbers are accepted.
When the Confirm button is clicked, the browser sends a POST request to send.php; a backend file that receives the entire payload as a JSON object. That payload contains every field the victim filled in: name, address, contact details, card number, expiry, and CVV.
After the data is dispatched, the victim is redirected to a confirmation page that reads: “Your application is being processed — Thank you for your inquiry.”
Below that reassuring message sits a button labeled “Uninstalling Avast”. A final social engineering nudge encouraging the victim to remove the very security software that might otherwise alert them to what has just happened.
What sets this campaign apart from many phishing pages is the presence of a real-time live chat widget embedded in the bottom-right corner of the screen. This means someone (almost certainly the operators of the phishing site) can see when a visitor is on the page and engage them in live conversation. The tactical value is significant. A confused visitor who notices the timing mismatch (“72 hours” vs “48 hours”), or who hesitates before entering card details, can be nudged forward by a “support agent” offering reassurance in real time. It transforms a static phishing page into an interactive fraud operation.
How to tell if a refund page is a scam
- Refund scams like this are not limited to Avast. Any brand can be impersonated. Here are the warning signs to watch for:
- A charge you don’t recognize that appears “today”: Scammers often insert the current date automatically to make the transaction feel urgent and real.
- Urgent cancellation windows: Messages claiming you have limited time to act are designed to pressure you into rushing.
- Requests for full credit card details to “process” a refund: Legitimate refunds do not require you to re-enter your full card number and CVV on a random page.
- No login, license key, or proof of purchase required: Real companies verify your account. Scam pages skip verification and go straight to payment details.
- Live chat pushing you to complete the process: Real-time reassurance from a “support agent” can be part of the scam, not proof the site is legitimate.
- Instructions to uninstall your security software: No genuine refund process will ever require you to remove your protection.
- Lookalike domains: Slightly altered website names are a major red flag. Always type the official company website directly into your browser instead of clicking links.
Refund scam impersonates Avast to harvest credit card details
A convincing fake Avast site displays a €499.99 charge and promises a refund. Instead, it harvests your name, address, and full credit card details.www.malwarebytes.com
Last edited:
....Nice link edit 
