Tech support scammers lure users with fake Norton warnings, turn out to be Symantec reseller

Tech support scammers lure users with fake Norton warnings, turn out to be Symantec reseller

Fraudulent tech support companies are well-known for taking advantage of unsavvy computer users by reeling them in with scare tactics and charging large amounts of money for bogus services.

In many cases, these crooks sell free security products (or straight up pirate them) for hundreds of dollars more than their actual retail price. Security vendors may not be aware of these practices let alone what kind of sales pitch scammers use to force those sales.

In one of the worst cases of abuse we have seen so far, a company that happens to be an active member of the Symantec Partner Program is scamming people with fake warnings designed to look like Symantec’s flagship product, Norton Antivirus.

[youtube https://youtu.be/39hw2m_9GwA&rel=0]

The alert message is displayed via a web page hosted on quicklogin.us/norton and urges users to call for support immediately saying: “System Critically Infected. If you are not able to click on this button, Immediately contact Support toll Free Helpline 1-855-637-1900”

Of course this screen is completely fake, but combined with an alarming audio message playing in the background, it may be enough to dupe some users.

We decided to call the toll-free line to see what kind of support we may get. Our expectations were not very high but we were not prepared for what we would eventually find out.

We were instructed to go to fastsupport.com to allow the technician to take remote control of our computer, therefore enabling him to perform a diagnostic. (Note: we strongly advise to never let anyone or any company you do not feel comfortable about, get remote access to your computer.)

login

This process is a core part of the scam because it allows crooks to tighten their hold on potential victims. With remote access, scammers can literally do whatever they want on the user’s machine including stealing documents to installing (real) malware.

Once the technician was logged in, he wasted no time in going for the most infamous trick used by tech support scammers, the Windows EventViewer.

eventviewer

Sadly, Microsoft’s central log and error reporting tool can all too easily be leveraged thanks to those yellow and red warnings, which the majority of the time are perfectly normal. Of course, for a scammer it’s the perfect way of claiming those are infections or viruses.

Not satisfied with this, the technician figured he could pull another well-known trick to seal the deal. This time he opened up the TaskManager and pointed out a particular process called csrss.exe.

csrss

This file is a core Windows program but as is often the case, malware authors often rename their samples to look like a legit file and use the same naming conventions.

Googling for csrss.exe returns several pages that promote registry scanners to look for errors associated with that file name, as well as descriptions labeling this process as a Trojan. That’s all the scammer really needs to make his point, without even scanning or checking whether the process in question is the real one or a piece of malware.

Having finished the diagnostic in a record 5 minutes, the technician proceeds to the sales part of his script. A couple of different support plans are offered:

  1. A one time fix and installation of Norton for $199.
  2. A one year warranty with Norton for $249.
invoice_notepad

At this point we still don’t know who this company is and the only information we have is their toll free number from the fake warning page. The payment portal shows that they are Silurian Tech Support.

A cursory background review of this company revealed some startling details including the fact that they were an official member of the Symantec Partner Program:

letter

We immediately reported all of our evidence to Symantec who took this case very seriously and confirmed that this company was indeed a member of the program. Symantec also let us know that they were going to take immediate action to resolve this issue.

It is a sad state of affairs when tech support scammers are not ashamed of using lies to sell their products and services but also double cross their partners, thereby inflicting brand and reputation damage.

Most of the time, the support provided by these crooks is way under par, and unsurprisingly we often hear about people’s computers getting worse than when they first called in. That leads to refund requests which sometimes end up with the very security vendors whose products are abused.

At Malwarebytes, we regularly hear about people that bought our software for hundreds of dollars, sometimes even over one thousand dollars. They imagine we sold it to them (often scammers impersonate big brands) and it is heart breaking to have to let them know they were conned and may never see their money again.

The best protection against tech support scams remains user awareness and extreme caution whenever facing one of those fake warnings. The crooks’ one and only weapon is social engineering since they rely on people believing their made up stories. If you are able to spot fake alerts and pop ups, stay away from them and do not call the toll free number.

If you are interested in helping out in preventing potential new victims, please write down the URLs, phone numbers and other details you are able to grab (screen captures also help). These can be reported on various forums and even to us directly so that we can shut down those scammers’ distribution points and help law enforcement go after them.

If you, or someone you know has already been scammed, feel free to check out our resource page for additional information on how to recover from these attacks and prevent further damage and unexpected costs.

Update: Silurian’s website went down shortly after we reported this case to Symantec.

ABOUT THE AUTHOR

Jérôme Segura

Principal Threat Researcher