Fake McAfee Security Alert Campaign Impersonating Legitimate Software Brands
Analysts have identified a cluster of five connected entities involved in a scam campaign that impersonates McAfee security software to redirect consumers toward a fraudulent purchase flow. The campaign involves two phone numbers, 801-609-5814 and 836-636-0839, two domains, vxjilqhy.tee.moolls.co.uk and shop.superantispyware.com, and one email address, dojknvv@vxjilqhy.tee.moolls.co.uk. All relationships between these entities are of the reported_together type, each carrying a confidence score of 0.20, indicating that while the connections are low-confidence individually, the consistent co-reporting across 16 documented relationship pairs reinforces the likelihood of a coordinated operation.
The infrastructure relies on two distinct domains with very different profiles. The domain shop.superantispyware.com is a long-standing domain registered on February 18, 2005, through registrar MarkMonitor, Inc., a firm typically used by enterprise-level brands to protect their intellectual property. Its presence in this cluster raises a significant concern: scammers appear to be either spoofing or exploiting the SuperAntiSpyware brand name to lend credibility to a fraudulent checkout page. In contrast, the domain vxjilqhy.tee.moolls.co.uk is a clearly randomized subdomain hosted under a .co.uk extension, a common characteristic of throwaway infrastructure used to generate email addresses and host temporary scam assets. The email address dojknvv@vxjilqhy.tee.moolls.co.uk follows the same randomized naming pattern and is reported in connection with every other entity in the cluster, suggesting it serves as a contact or response address within the scam workflow.
Community reports, each receiving one upvote, consistently describe the same scenario: recipients receive a scam email impersonating McAfee that claims there is a payment issue with their account and that their identity has already been compromised. The message then directs the recipient to click a link leading to what appears to be a SuperAntiSpyware checkout page. This technique, known as brand impersonation chained with urgency-based social engineering, is designed to pressure consumers into making a fraudulent payment or surrendering financial credentials. Neither phone number, 801-609-5814 nor 836-636-0839, has accumulated FTC complaints as of this report, which may indicate the numbers are newly deployed or used sparingly to avoid detection.
Geographically, the phone number 801-609-5814 carries a 801 area code associated with the Salt Lake City, Utah region, while 836-636-0839 uses an 836 area code, which is assigned to the San Antonio, Texas area. The use of U.S.-based area codes alongside a United Kingdom-registered subdomain domain suggests a campaign designed to appear domestically credible to American consumers while routing backend infrastructure through foreign hosting. No specific regional targeting concentration can be confirmed from the available data, but the Utah and Texas area codes may indicate targeting of consumers in those regions or simply the use of spoofed local numbers to increase answer rates.
Consumers who receive emails claiming to be from McAfee about payment issues or identity compromise should treat such messages as fraudulent until independently verified. Do not click any links in unsolicited security alert emails and do not call phone numbers provided within those messages. If contacted by either 801-609-5814 or 836-636-0839, hang up immediately. To verify whether a security software charge is legitimate, navigate directly to the official vendor website by typing the URL manually in your browser rather than following any link in an email. You can check whether a domain or phone number has been flagged by searching community databases such as ScamNumbers.info or WhoCallsMe, and you can look up domain registration details at ICANN Lookup at lookup.icann.org. Report suspicious emails, phone calls, and websites to the FTC at reportfraud.ftc.gov and to the FCC at fcc.gov/consumers/guides/filing-informal-complaint.
This cluster represents a low-to-moderate threat level based on the low FTC complaint counts and low-confidence relationship scores, but the consistent community reporting of an identical scam narrative across multiple submissions suggests an active and ongoing campaign. Recommended next steps include monitoring shop.superantispyware.com for fraudulent use of the SuperAntiSpyware brand, flagging the domain vxjilqhy.tee.moolls.co.uk and the email address dojknvv@vxjilqhy.tee.moolls.co.uk with domain abuse reporting channels, and submitting both phone numbers to the FTC and FCC for tracking. Consumers who believe they have already made a payment through a fraudulent checkout page linked to this campaign should contact their bank or credit card issuer immediately to dispute the charge and request a new card number.