Norton Antivirus tech support scam lands Symantec reseller in hot water

Symantec has terminated an agreement with one of its partners after a rival security firm caught the reseller using fake anti-virus warnings to lure customers into purchasing Norton at a bloated price.

Jérôme Segura, a senior security researcher for Malwarebytes, explains in a blog post how he came across a fake alert window bearing the following message:

"System Critically Infected. If you are not able to click on this button, Immediately contact Support toll Free Helpline 1-855-637-1900."


Coupled with some ominous audio warnings from a robotic female narrator, the alert message would be enough to scare many ordinary users into calling the helpline.

So that's exactly what Segura did. Upon connecting to the support number, he was directed to fastsupport.com, where he was required to grant a technician remote access so that they could perform a diagnostic of his computer.

Segura explained what was happening:

"This process is a core part of the scam because it allows crooks to tighten their hold on potential victims. With remote access, scammers can literally do whatever they want on the user’s machine including stealing documents to installing (real) malware."

On this particular call, the technician did neither. Instead he used Windows Event Viewer to make the case that Segura's computer had been infected with viruses. To support his case, he opened up Task Manager and pointed out "csrss.exe," a core Windows registry scanner whose name attackers sometimes use to conceal their malicious programs. The technician did not bother to verify whether the process was legitimate.

After a five-minute diagnostic, the technician offered two different support plans that both involved installing Norton Antivirus. The cheapest of these options totaled $199.99. (As a frame of reference, users can normally order one year of Norton Security Premium, which protects up to 10 devices, for $89.99.)

But the researcher was already one step ahead of the technician. After investigating the tech support scam's website, Segura found the name of an employee who was also employed at Silurian Tech Support (a fact confirmed through a LinkedIn search), reports Doug Olenick of SC Magazine.

The fake website also contained a number of Silurian documents, including a letter formalizing the company's reseller partnership with Symantec.

Segura reported his discovery to Symantec. A spokesman for the security giant has since released a statement on the matter.

"While we can’t say conclusively who was behind this particular scam, we can confirm that this particular site has been taken down and that we are also in the process of terminating our partner agreement with Silurian. After identifying any abuse of the Norton or Symantec brand, we pursue our rights and defend our intellectual property, and where necessary will work with law enforcement."

As this case clearly illustrates, tech support scammers are scums of the earth that prey upon unsuspecting users and extort massive amounts of money from them in exchange (perhaps) for anti-virus software that they could purchase at a fraction of the cost.

Fortunately, we can help in the fight against these scams.

If you come across a fake anti-virus alert, collect screenshots, audio, and whatever other data you can document about the messages, and then post those files on the affected anti-virus firm's forum. Those companies will take no greater pleasure than in shutting down someone exploiting their potential customers.

11 Responses

  1. Arnold G

    January 25, 2016 at 1:43 pm #

    I worked tech support for QVC in 2014 with company Premier Support and we had a customer that said we scammed them… then we found out one of these overseas scammers had made a scam company name same as ours… not sure what ever happened to that mess.

  2. Ralph Spooner

    January 25, 2016 at 4:34 pm #

    I got one just as good. Some fool calls you and tells you that they have detected a problem with your computer and want your permission to access your computer to help you fix what is wrong. What they didn't know is that I have a subscription to the HP after warranty support group. I am also running Norton 360 and a few other intrusion detection systems. When I tell them I don't need their services as I am fully capable of handling things myself, they go into this spiel about being Windows A+ certified techs and I need their help. I politely told him that he did not have permission to access my computer and if he did, I would come after him and his company. I then hung up the phone and wrote down the number from the caller ID for future reference.

    • coyote in reply to Ralph Spooner.

      January 25, 2016 at 10:20 pm #

      You're far too nice to those types of callers… the amount of fun you can have with these scammers is far too tempting for me to resist. I create all sorts of hurdles for them (many of them made up in real time), wasting their time only for them to be furious at me because they now lost time to cheat someone else (and me having made fools of them.. not that that is hard). Frankly, I think it is the right thing to do to waste their time because the longer a knowledgeable person can keep them busy the less time they have to cheat a vulnerable person. Of course, there are times when you might be busy and you can't do this but when you have nothing else better to do, it is a good service to the world.

  3. [not] Peter Norton

    January 25, 2016 at 6:40 pm #

    Who the heck is https://independent.academia.edu/MeganKerschieter in relation to "Silurian Tech Support"? oh i see, some idiot working there likes miley cyrus, got it.

    now this number "1-855-637-1900" is associated to many india type "tech co's"
    just google it:

    https://www.google.com/search?q=%221-855-637-1900%22&ie=utf-8&oe=utf-8

    this one looks just the same: VAGMine Infotech

    looks like they're all criminals that need to be booted off teh interwebz

  4. Chris Beran

    May 18, 2016 at 11:49 pm #

    I got on to a scam site last fall when I tried to load on Norton 360 that I had bought at Staples. I called the number and the scammer went through my computer by remote access. I became suspicious when the scammer told me that there were some Windows files missing and he needed to transfer me to a Windows tech and there would be a charge. I told him to get out of my computer and I would take it to Staples to have Norton installed. He became very forceful telling me it was not necessary to go to Staples. He even called back twice trying to dissuade me. I finally got on to Norton and used the chat and got a very nice tech who checked my computer thoroughly for 1 and 1/2 hours to look for any breaches. He taught me to use the power tools from the Norton program. Since I had 2 phone calls claiming to be Norton staff wanting to fix some problem. I called them scammers and hung up on them. I learned Norton will not call you nor do you get to call Norton. They work by chat over the Internet.

  5. Mel

    June 23, 2016 at 1:08 pm #

    This happened to me yesterday evening whilst installing Norton, it said it had been installed successfully but there was an error and provided an error code and a toll free telephone number to call to fix the issue. The gentleman (and I use that term very loosely) accessed my laptop to 'fix' the problem showing the trojan in my system called 'toepig' and then googling it to add to the drama and convince me it was genuine. He then went on to say that his tech team could sort this out for £299.00 at which point (it took a while) I realised I was being scammed. He got very pushy trying to convince me to pay the money saying that local IT specialists or PC World Tech Support would not be able to deal with this. Every time I tried to shut down my laptop he would keep moving the mouse to prevent me from doing so, so I switched off my wifi and pressed the off button. I have had an online chat with Norton today. This evening they will run a full scan on my laptop to check all is well.

  6. Randy

    July 17, 2016 at 8:43 pm #

    I was scammed into calling the 800 number trying to load Norton. The tech guy needed to help in loading the Norton software. Ok I let him into my computer. Long story short a few months passed and I discovered my id was stolen. Yes I would like to prove this was Norton's fault. Now I will have to watch my identity until I die.
    Thanks Norton.

  7. tim

    August 6, 2016 at 8:20 pm #

    I had the same problem, tried to load Norton and a phone number came up to call. I called the number and was told my computer has been hacked and it would cost $399 to fix it. I told the person I didn't have that much money and she said ok then $179, again I said I wouldn't pay that since I already paid $89 for Norton and she hung up on me. I have had Norton for 4 years and now I am done with them. I will never ever buy a Norton product again

    • Cliff Anderson in reply to tim.

      August 8, 2016 at 7:20 pm #

      Had the same problem as Tim, was having problems with my 360 Norton, went on line, for a number to call Norton, when the Norton company came up I called them, and they told me I had a problem with my Norton, and they said they could fix it, I should have known better, and should have looked at the company it was not Symantec it was a company named InfoTech 24/7, I turned my PC over to them, they worked on it for over 2 hours, and told me that I had over 9000 bad files, they said they fixed it, and then they told me they had a program that would give me Norton for 5 PC for 5 years plus 5 years of 24/7 care, the cost was $399.99 I purchased the agreement, at the end of the month as I was checking my C card Statement, I seen the $399.99 from InfoTech, plus there was a charge from Norton (Symantec) for my renewal, I have had Norton for years, and it was up for renewal, so when I purchased from InfoTech, I just took it as my renewal, so I called Symantec to see why I was getting charged again for the program, and they informed me that the company that sold me (InfoTech) the update was not Norton, the person then informed me that that company was on the scam list, when they checked my program that InfoTech put in my PC, it had another person's name, "Device Name: BarbaraJ-windows 10"
      so they used someone else's protection for my pc, Norton told me they do not sell a 5 year Norton, only up to 3 years, contacted my CC co. and they removed the charge, but now they put it back on, so had to send them the information, to try to get it removed, I called the company and told them they had scammed me and that I was going to contact the IL. AG's office and report them, they hung up on me, so I don't know if I will get my money back or not, I did find out on a scam list that there are a lot of companies that have used part of the same name like InfoTech, 24/7 with another name in front of the 24/7, so at my age and on a fixed income, it's hard to lose that amount of money,
      SO CHECK OUT ANY ON LINE COMPANYS BEFORE YOU BUY

  8. Bob

    August 15, 2016 at 5:21 pm #

    Attempted scam through Norton's chat line on Norton website. Sent me to another 800 # where they told me network corrupt and about to break apart. Wanted $250 for one year, $ 500 lifetime. In calling 800 # on Norton web site found it to be bogus site. However, Norton attempts to resolve issue very bad. Taking to my local IT company

  9. Zn diehl

    December 1, 2016 at 2:09 pm #

    I am getting foreign speaking people calling telling me I have trouble with my computer, I have Norton protection, but cannot get into computer now. How do they know?
