NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

WTMorgan's avatar
WTMorgan
Tutor
Dec 02, 2017
Solved

Scam "Firmware Update" email - 12/01/2017

On 12/01/17, I received an email titled "Important Security Update from NETGEAR", sent from "<security@e.netgear.com>". It directed me to visit netgear.com/support to obtain a download of a new firm...
Security
  • IrvSp's avatar
    IrvSp
    Dec 02, 2017

    Yes, you got the RIGHT thing, the ZIP file with 2 files in it:

     

    K:\Inet DL\R7000-V1.0.9.14_1.2.25>dir
     Volume in drive K is Disk_K
     Volume Serial Number is 0F0B-10C0

     Directory of K:\Inet DL\R7000-V1.0.9.14_1.2.25

    12/01/2017  03:45 PM    <DIR>          .
    12/01/2017  03:45 PM    <DIR>          ..
    11/08/2017  10:31 PM        30,859,322 R7000-V1.0.9.14_1.2.25.chk
    12/01/2017  04:03 AM             2,894 R7000-V1.0.9.14_1.2.25_Release_Notes.html

     

    The reason Windows calls a file with an extension of .chk a "recovered file fragments" is because when CHKDSK finds file problems it creates a file with that extension.

     

    It is ALSO a file extension NetGear uses for it flashes.

     

    All you need do is open the browser to the Router, go to the Advanced tab -> Administration -> Router Update and browse for that .chk file and UPLOAD it.

     

    Alternatively from that same page you could CHECK for a new version, but sometimes it takes a few days after release for that to work and be able to get the new flash for you.

     

    There is no way to click on that file and have it do the update, only the process above.

IrvSp's avatar
IrvSp
Master
Dec 02, 2017

Possibly legit? New Firmware was released for the R7000, R7000-V1.0.9.14_1.2.25.chk, and I think it was yesterday that it happened? Not announced here but there is a thread for it.

 

  • WTMorgan's avatar
    WTMorgan
    Tutor
    Dec 02, 2017

    Thank you.  I would not have thought to question the email except that my attempt to follow the embedded link was blocked by the Malwarebytes security software on my machine as a suspicious site.  I will await response from a netgear rep before proceeding.

    • IrvSp's avatar
      IrvSp
      Master
      Dec 02, 2017

      I usually will not take a link in an e-mail when I suspect it might be spam or phishing. I enter the location manually, like in this case go to NETGEAR and click on SUPPORT and drill down into the site for downloads for the R7000.

       

      It could very well be suspect e-mail taking advantage that Netgear DID release new firmware. Not sure how someone would know you had an R7000 though other than Netgear (I never got an e-mail about an update, but maybe it was sent out in groups and takes a few days?).

       

      The new flash is available here --> https://www.netgear.com/support/product/r7000.aspx#download

      • WTMorgan's avatar
        WTMorgan
        Tutor
        Dec 02, 2017

        Well, that's the thing - the email DID NOT specifically identify the R7000 we own, which made me a bit more suspicious. A non-specific blanket invitation not identifying device model is going to seem sketchy - as though netgear's customer account base may have been hacked for addresses.

         

        It asked that we go to the site and enter our device model number, & etc.

         

        In any event, i independently accessed the download center through my legit netgear account to see what firmware updates were available. 

         

        If, as now seems likely, this was a legitimate "update" notification email, it was very poorly handled by netgear. The sender's address itself (security@e.netgear.com - 108.168.157.87) seemed odd and suspicious.  In an era of paranoia over malware and bogus communications, this practice doesn't much help customer confidence.