A fraudulent website mimicking Avast’s branding is targeting French-speaking users, tricking them into submitting their full credit card details under the false pretense of receiving a €499.99 refund. The operation employs live chat support, a dynamically updated transaction date, and a convincing visual replica of the Avast interface to harvest payment data.
The phishing page presents a warning that cancellation requests must be filed within 72 hours, even as simultaneously stating that transactions older than 48 hours “can no longer be cancelled.” This contradiction is designed to create a sense of urgency. A fabricated transaction record displays a debit of -€499.99, with the date automatically updating to the current day when a user accesses the page. According to Avast support documentation published November 18, 2025, users are sometimes notified of failed subscription renewals, creating a plausible scenario for this type of scam.
The site requests a reason for the refund, along with personal information including name, address, email, and phone number, framed as standard identity verification. Upon submission, a modal dialogue appears requesting the victim’s credit card number, expiry date, and CVV code. The page incorporates Luhn algorithm validation to ensure only structurally valid card numbers are accepted, increasing the likelihood of successful data capture.
Once the information is submitted, the data is sent to a file named “send.php” as a JSON object, containing all the collected details. Victims are then redirected to a confirmation page stating, “Your application is being processed — Thank you for your inquiry,” followed by a button labeled “Uninstalling Avast,” further attempting to remove any security measures that might detect the fraud.
A key feature of this campaign is the integration of a live chat widget provided by Tawk.to, identified by account 689773de2f0f7c192611b3bf and widget code 1j27pp82q. This allows the operators of the phishing site to engage with visitors in real-time, offering reassurance and overcoming any hesitation they might have before entering their payment information.
The scam is designed to target multiple types of visitors, including existing Avast customers, individuals who may have forgotten they have an Avast account, those who have never used Avast but believe their card details have been compromised, and even those attempting to fraudulently claim a refund they are not entitled to. The page does not differentiate between these profiles, relying on the urgency of the perceived charge to elicit a response.
Avast provides guidance on identifying legitimate charges on billing statements, noting that purchases processed through Gen eCommerce may appear with prefixes like ADP, ADAP, NP, or AP, and associated entities such as Gen Digital INC or Norton Ireland Limited. Still, this information does not directly address the tactics used in this phishing operation.
Security experts recommend several steps to avoid falling victim to refund scams. These include being wary of unrecognized charges appearing with the current date, urgent cancellation windows, requests for full credit card details, the absence of account verification, live chat pushing for completion, and instructions to uninstall security software. Malwarebytes offers a Scam Guard feature to help users identify and report suspicious activity.
If you believe you have entered your details on this fraudulent website, security professionals advise immediately contacting your bank or card issuer to cancel your card, disputing any unauthorized charges, and changing passwords for any accounts linked to the email address provided.
