How to spot scams like "Hackers are watching you!"

What kind of scam is "Hackers are watching you!"?

There are many deceptive websites using scare tactics to trick unsuspecting visitors into downloading and installing potentially unwanted applications (PUAs). Usually, the websites display fake virus notifications claiming that the device is infected with a number of viruses and urge users to remove them immediately.

These pages may show different notifications, however, none are genuine. Note that these rogue web pages are often promoted through deceptive advertisements, dubious websites, and PUAs. I.e., users do not often visit them intentionally.

More about the "Hackers are watching you!" scam

This deceptive website is designed to look like an Apple security page - it displays a fake notification stating that the iPhone's internet connection has been hacked and someone is spying on the user.

Moreover, it states that, unless the user fixes this problem within two minutes, the hacker will reveal his/her identity and send the browsing history and all photos taken with the front camera to all contacts.

In order to protect the connection (stop the hacker from spying on the user), this page urges the visitor to tap the "Protect your connection" button and install the offered app.

Note that these deceptive websites can be used to advertise legitimate applications that are available on App Store, however, deceptive pages cannot be trusted, even when they promote legitimate apps.

More about apps promoting such scams

As mentioned, users do not generally visit pages that use scare tactics to promote apps - browsers open them due to installed unwanted apps. These applications often promote deceptive pages and gather IP addresses, websites of visited pages, entered search queries, geolocations, etc., or even personal information

Developers monetize the data in various ways. For example, by selling it to third parties (potentially cyber criminals). Also, such apps can be designed to generate advertisements such as coupons, banners, surveys, pop-ups, and others. Typically, these are used to promote untrusted websites or distribute (download and install) unwanted applications.

Threat Summary:

Name	Hackers are watching you! pop-up
Threat Type	Phishing, Scam, Mac malware, Mac virus
Fake Claim	Internet connection has been hacked/someone is tracking a device
Related Domain	securitycheck[.]network, free-vpn[.]store
Serving IP Address (securitycheck[.]network)	104.21.28.144
Symptoms	Your Mac becomes slower than normal, you see unwanted pop-up ads, you are redirected to dubious websites.
Distribution methods	Deceptive pop-up ads, free software installers (bundling), fake Flash Player installers, torrent file downloads.
Damage	Internet browser tracking (potential privacy issues), display of unwanted ads, redirects to dubious websites, loss of private information.
Malware Removal (Mac)	To eliminate possible malware infections, scan your Mac with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. ▼ Download Combo Cleaner for Mac To use full-featured product, you have to purchase a license for Combo Cleaner. Limited seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.

Similar scams in general

More examples of deceptive websites using scare tactics to trick visitors into downloading and installing some application are phone-security[.]me, protect-connection[.]com and support-notify[.]space.

Main differences between these pages are the number or viruses they claim to have detected on a device and the app they urge visitors to download and install. In any case, fake virus alerts can be safely ignored. Note that these pages mostly promote VPN clients, however, they may also be used to promote adware, browser hijackers, and other unwanted apps.

How did unwanted applications install on my computer?

Unwanted downloads and installations often occur when developers distribute unwanted apps by integrating them into the download/installation setups of other programs as "extra offers". This distribution method is known as "bundling". The offers can be declined in "Custom", "Advanced" and other similar settings of the setups (or by unticking certain checkboxes).

Many users fail to check and change these settings (or untick the checkboxes), thereby allowing such apps to infiltrate together with the desired software.

PUAs are also downloaded and installed by clicking deceptive advertisements (usually on untrusted sites) that execute certain scripts.

How to avoid installation of potentially unwanted applications

Download software and files from official websites and via direct links. It is not safe to use torrent clients, eMule (or other Peer-to-Peer networks), third party downloaders, unofficial websites or other sources of this kind. For Apps, use App store.

Avoid third party installers. Check "Advanced", "Custom" and other settings, and decline offers to download or install unwanted software. Do not click ads that are displayed on dubious websites, since they can open other untrusted websites or even cause unwanted downloads and installations.

Remove any unwanted, suspicious applications (extensions, add-ons, and plug-ins) that are installed on the browser. The same should be applied to programs of this kind that are installed on the operating system. Regularly scan your computer with reputable antivirus or anti-spyware software and keep this software up to date.

If your computer is already infected with unwanted apps, we recommend running a scan with Combo Cleaner Antivirus for macOS to automatically eliminate them.

Text in the fake virus message:

Apple security

Hackers are watching you!

Your iPhone connection has been hacked and someone is watching on you! Please do not close this page. If you don't fix this in two minutes, the hacker will reveal your identity and send your browsing history and front-facing camera photos to everyone in your contacts!

Recovery method:

Step 1: Click the "Connection Protection" button below.

Step 2: You will be redirected to the App Store.

Step 3: Install and run the recommended protection app to recover your iPhone.

Protect your connection

To enable pop-up blocking, fraudulent website warnings, and remove web browsing data in mobile Apple devices, follow these steps:

First, go to "Settings", and then scroll down to find and tap "Safari".

Check if the "Block Pop-ups" and "Fraudulent Website Warning" toggles are enabled. If not, enable them immediately. Then, scroll down and tap "Advanced".

Tap "Website Data" and then "Remove All Website Data".

Instant automatic Mac malware removal: Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of Mac malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner for Mac By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. Limited seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.

Quick menu:

• What is Hackers are watching you! scam?
• STEP 1. Remove PUA related files and folders from OSX.
• STEP 2. Remove rogue extensions from Safari.
• STEP 3. Remove rogue add-ons from Google Chrome.
• STEP 4. Remove potentially unwanted plug-ins from Mozilla Firefox.

Video showing how to remove adware and browser hijackers from a Mac computer:

Potentially unwanted applications removal:

Remove potentially unwanted applications from your "Applications" folder:

Click the Finder icon. In the Finder window, select "Applications". In the applications folder, look for "MPlayerX", "NicePlayer", or other suspicious applications and drag them to the Trash. After removing the potentially unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.

Remove adware-related files and folders

Click the Finder icon, from the menu bar. Choose Go, and click Go to Folder...

Check for adware generated files in the /Library/LaunchAgents/ folder:

In the Go to Folder... bar, type: /Library/LaunchAgents/

In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.

Check for adware generated files in the ~/Library/Application Support/ folder:

In the Go to Folder... bar, type: ~/Library/Application Support/

In the "Application Support" folder, look for any recently-added suspicious folders. For example, "MplayerX" or "NicePlayer", and move these folders to the Trash.

Check for adware generated files in the ~/Library/LaunchAgents/ folder:

In the Go to Folder... bar, type: ~/Library/LaunchAgents/

In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.

Check for adware generated files in the /Library/LaunchDaemons/ folder:

In the "Go to Folder..." bar, type: /Library/LaunchDaemons/

In the "LaunchDaemons" folder, look for recently-added suspicious files. For example "com.aoudad.net-preferences.plist", "com.myppes.net-preferences.plist", "com.kuklorest.net-preferences.plist", "com.avickUpd.plist", etc., and move them to the Trash.

Scan your Mac with Combo Cleaner:

If you have followed all the steps correctly, your Mac should be clean of infections. To ensure your system is not infected, run a scan with Combo Cleaner Antivirus. Download it HERE. After downloading the file, double click combocleaner.dmg installer. In the opened window, drag and drop the Combo Cleaner icon on top of the Applications icon. Now open your launchpad and click on the Combo Cleaner icon. Wait until Combo Cleaner updates its virus definition database and click the "Start Combo Scan" button.

Combo Cleaner will scan your Mac for malware infections. If the antivirus scan displays "no threats found" - this means that you can continue with the removal guide; otherwise, it's recommended to remove any found infections before continuing.

After removing files and folders generated by the adware, continue to remove rogue extensions from your Internet browsers.

Remove malicious extensions from Internet browsers

Remove malicious Safari extensions:

Open the Safari browser, from the menu bar, select "Safari" and click "Preferences...".

In the preferences window, select "Extensions" and look for any recently-installed suspicious extensions. When located, click the "Uninstall" button next to it/them. Note that you can safely uninstall all extensions from your Safari browser - none are crucial for regular browser operation.

• If you continue to have problems with browser redirects and unwanted advertisements - Reset Safari.

Remove malicious extensions from Google Chrome:

Click the Chrome menu icon (at the top right corner of Google Chrome), select "More Tools" and click "Extensions". Locate all recently-installed suspicious extensions, select these entries and click "Remove".

• If you continue to have problems with browser redirects and unwanted advertisements - Reset Google Chrome.

Remove malicious extensions from Mozilla Firefox:

Click the Firefox menu (at the top right corner of the main window) and select "Add-ons and themes". Click "Extensions", in the opened window locate all recently-installed suspicious extensions, click on the three dots and then click "Remove".

• If you continue to have problems with browser redirects and unwanted advertisements - Reset Mozilla Firefox.

Frequently Asked Questions (FAQ)

What is a pop-up scam?

It is a fake/deceptive message designed to trick website visitors into performing certain actions. Usually, such scams use scare tactics - they claim that a computer (or another device) is infected, damaged, etc.

What is the purpose of a pop-up scam?

Most of these scams are used to get money for unnecessary software (or services), extract sensitive information, promote shady (potentially malicious) software, etc.

Why do I encounter fake pop-ups?

As a rule, fake pop-ups (deceptive error, virus, or similar notifications) are delivered by malicious websites. It is very uncommon for such pages to be visited intentionally. Usually, such pages get opened by present malicious applications or other pages that use questionable advertising networks.

Will Combo Cleaner protect me from pop-up scams?

Combo Cleaner can scan and detect untrustworthy websites (including websites that display fake pop-ups). Thus, it will warn you about shady websites and restrict access to them.

▼ Show Discussion