Windows 11 Scam Targets POS Provider

The scam allows hackers access to users' devices, where they could steal payment data and other vital information.

A cyber-security group has identified a potential phishing scam hidden within fake Windows 11 documents. It appears to target one specific company in order to steal information.

JavaScript hidden in the malicious files would, the group states, give hackers backdoor access to company systems once the files are opened. A deep dive into the files indicates that the intended target was a Point of Sale (POS) provider, Clearmind, and its customers.

With Windows 11 available soon, it’s thought that these documents were being used to spread malware, capitalizing on the interest in Microsoft’s newest operating system.

What Do We Know About the Scam?

The scam was revealed by Anomali, a cyber-security firm that managed to access the files claiming to be about the Windows 11 Alpha. In reality, they harbored dangerous JavaScript which, once run, would allow the scammer access to sensitive data and systems.

The file is framed as a document made in Windows 11, and asks the user to open it. When the user tries, a message appears claiming that because the document was created in the new operating system, extra steps must be taken to open it, including enabling editing and enabling content. Following these instructions actually launches a macro, which then allows the harmful JavaScript to run.

Within the harmful script are references to the Clearmind domain; Clearmind is a POS provider that the group has targeted before. According to Anomali, successfully infecting a user’s device would allow FIN7 to access any user payment card details intended for Clearmind’s payment network.

(Instructions for the fake Windows 11 document, courtesy of Anomali)

Who is Behind the Windows 11 Scam?

Anomali states that it believes with moderate ‘confidence’ that the group FIN7 is responsible for the scam, as the format fits with the group’s previous modus operandi.

FIN7 is a Russian criminal group that has been active for around six years, and is purportedly responsible for the theft of over 15 million payment card details, costing around one billion dollars in losses. In the past, members of the organization have been jailed in the US for attacks on US companies, including Fedir Hladyr in April of this year, who was identified as a high level manager within FIN7 and sentenced to 10 years for fraud and hacking.

The digital hallmarks on the Windows 11 documents line up with previous FIN7 activity, including targeting POS providers, using JavaScript backdoors, and terminating the hack if it detects that the potential victim’s computer language is Russian.

How Can I Avoid the Scam?

Switching your computer language to Russian aside, standard best practice security measures can help you steer clear: Anomali believes that the fake documents were most likely intended to be used in phishing operations, such as via email.

Vigilance is key when avoiding scams, and ensuring that you are only downloading files from trusted sources is highly important. It is also important to ensure that you don’t open any files sent by email or over social media unless you are confident that they are legitimate. Anti-virus software can be a huge help here, actively scanning any files to automatically isolate or remove suspicious attachments.

It’s also important to keep your software up to date. Yes, we appreciate that it can be a pain to have to update apps and operating systems, especially if they demand that you shut down your device to complete the process, but these updates regularly contain the latest security updates, which could well protect your device from malware down the line.
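
The lure described above only works if the document carries a macro, so a mail or file gateway can flag macro-capable Office files before a user ever sees the "enable content" prompt. The Python below is an added example, not Anomali's tooling or code from the campaign; the function name, verdict strings and sample documents are constructed for illustration.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls container


def macro_verdict(data: bytes) -> str:
    """Classify an attachment by whether it can carry VBA macros."""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary Office formats can embed macros; confirming that
        # needs an OLE parser, so hold these for deeper inspection.
        return "legacy-ole: inspect"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        real = z.namelist()
        names = [n.lower() for n in real]
        if "[content_types].xml" not in names:
            return "not-office"  # a zip, but not an OOXML package
        # OOXML stores the VBA project as a vbaProject.bin part.
        if any(n.endswith("vbaproject.bin") for n in names):
            return "ooxml-macro: quarantine"
        # A macro-enabled file renamed to .docx still declares its type.
        ct = z.read(real[names.index("[content_types].xml")])
        if b"macroenabled" in ct.lower():
            return "ooxml-macro: quarantine"
    return "ooxml-clean"


def _build(parts: dict) -> bytes:
    """Build a constructed OOXML-like package in memory (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


# Constructed samples, not real campaign files.
CT = '<Types><Default Extension="xml" ContentType="application/xml"/></Types>'
DOC = {"[Content_Types].xml": CT, "word/document.xml": "<w:document/>"}
SAMPLE_CLEAN = _build(DOC)
SAMPLE_MACRO = _build({**DOC, "word/vbaProject.bin": b"\x00"})

if __name__ == "__main__":
    for label, blob in [("clean", SAMPLE_CLEAN), ("macro", SAMPLE_MACRO)]:
        print(label, "->", macro_verdict(blob))
```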

Written by:
Jack is the Deputy Editor for He has over 15 years experience in publishing, having covered both consumer and business technology extensively, including both in print and online. Jack has also led on investigations on topical tech issues, from privacy to price gouging. He has a strong background in research-based content, working with organisations globally, and has also been a member of government advisory committees on tech matters.