Weekly review of the National Cyber Security Centre Finland (NCSC-FI) - 46/2025

Black Friday – a tempting but risky jungle of special offers

The late-November Black Friday campaigns have become firmly established in Finland. The week of deals encourages consumers to click the “buy now” button, but it also creates an ideal moment for online fraudsters. The “unbelievable offers” appearing in emails and on social media may lead to phishing sites or fake online shops where payment details end up in the hands of criminals.

Cybercriminals exploit urgency and emotionally charged messages. Headlines such as “today only –70%” or “last chance” can prompt readers to click criminal links without critical reflection. This is particularly risky when shopping on mobile devices, where it can be difficult to assess the authenticity of a site and easy to miss a misleading link.

Safe Black Friday shopping starts with a critical and patient mindset. Always check the online shop’s address and ensure the payment page is secure (https). Avoid clicking direct links from adverts and use only the retailer’s official website to make purchases. Two-factor authentication and up-to-date security software also provide additional protection.
Black Friday can be an excellent time to make purchases, but real savings are only made if you take care of your cybersecurity and shop with caution.
 

Malware can be activated unnoticed using the ClickFix technique – learn about the phenomenon and protect yourself

ClickFix is a rapidly growing attack technique in which the user is tricked into executing malware on their own device. The attack relies on familiar interaction patterns such as CAPTCHA checks and “Fix it” buttons. The user is guided to click a seemingly harmless link or to copy and run a command in the Windows Run dialogue or a PowerShell window, which then activates the malicious code.

ClickFix is used to distribute, among other things, information-stealing malware and ransomware. The technique is used by both criminal groups and state actors, and its effectiveness is based on the victim’s own actions: the user believes they are solving a small technical issue but ends up bypassing security mechanisms themselves.

The attacks spread through phishing messages, malicious adverts and compromised websites. Detection is difficult, as the links and buttons often look entirely normal.

Protection relies on caution and technical restrictions. Users should avoid instructions on websites that ask them to open Run or PowerShell windows or to paste text into them. Organisations can restrict the use of these features, enable PowerShell logging and monitor clipboard activity.

If you encounter a suspicious page or message, report your observation to the NCSC-FI.

Sign up for the Critical Code webinar on software development management

Software security concerns all of us. It is not only a matter of technology, but also of society’s trust and security of supply.

There is still time to register for the Critical Code webinar on software development management on Tuesday 18 November, 9.00–10.30.

Finland has also experienced what happens when security fails – the consequences can range from the leakage of private data to disruptions in services critical to society.

Take part in the webinar to learn why software security is a management issue, hear about the most common threats and related case examples, and find out what business leaders can do in practice to improve software security.

October’s Cyber Weather report published

October continued the cloudy and chilly autumn season also in terms of cybersecurity. The overall situation nevertheless calmed slightly compared to September. During the past month, several significant data breaches were reported internationally. In Finland, an unusually high number of Microsoft 365 account breaches were also detected during October.

Weekly malware review: M0yv

M0yv is a modular virus targeting Windows environments. After a successful initial infection, it continues to spread by infecting other executable files both on the system and across the network. When executed, the malware connects to the attacker’s server, allowing commands to be run on the target system and additional malware to be downloaded.

Because M0yv spreads primarily by infecting other files, infections typically occur when an infected file is shared and executed — for example via an external storage device or over a network. As M0yv can infect numerous files on compromised devices, reinstalling the operating system is often difficult to avoid in order to fully remove the malware. M0yv also spreads across networks, which means other computers on the same network may be at risk.

How to protect yourself from M0yv-type threats:

• Keep systems and software up to date.
• Use protected backups and test restorations regularly.
• Limit internal system permissions to the minimum necessary level.
• Do not open suspicious or unknown email attachments or links.
• Block unnecessary outbound connections and monitor unusual network traffic.

Recently reported scams

In this summary, we provide information about scams reported to the NCSC-FI during the past week.