Three New And Dangerous Versions Of A Norton Billing #Scam Are Making The Rounds…. Let Me Tell You About Them [UPDATED]

In the last few days I have become aware of three versions of a scam involving Norton products that you need to be aware of. All of them have the same theme. You’ve renewed your subscription for some Norton product and if you need further information or you want to dispute it, it provides a number to call. It will look something like this:

Now I took out the email header to preserve my client’s privacy, but there are three things that you should be aware if. The most important thing to be aware of is if you do not have an active subscription to a Norton product, do not call the number in the email. Beyond that, if you look at who sent it, you’ll likely see that it was sent from an email account other than Norton.com. That’s a big hint that this is a scam. The third thing that you should note is if you look at the quality of the English used in the email, it’s poor. And on top of that it creates a sense of urgency to get you to call the number. Which you should not do. In short, this is likely a phishing attempt to get your credit card details at the very least. Or further to that, create the conditions to access your computer to do who knows what to it.

The second version of this scam is something that I came across over the weekend when a older couple phoned me in a panic after getting an email with a PDF attached that looked like this:

Now I suspect that the scammers behind this one have moved to using a PDF because it is less likely to be picked up by an ISP’s spam filter. But other than that, it’s the same scam. And in the case of this older couple, it almost cost them $13,000 Canadian and caused them all sorts of grief when the scammer got hostile with them. I am working on a write up about this and that will be out in the coming days. But I will say that this illustrates how dangerous these sorts of scams can be.

The final version of this scam is extremely dangerous. Let’s start with the email that you will get:

You’ll note that like the second scam, you’ll get an email with an attachment. In this case an ISO file which is a disk image file that is commonly used to burn CD, DVDs or act as a container for software. It’s the latter that the scammer is using this for because if you open the ISO file (which by the way I absolutely do not recommend that you do), you will see this:

The first file that ends in .DLL is something that should set off alarm bells. Further investigation on my part shows that this is designed to deliver a virus payload to a Windows computer. And what sort of payload is it? Well, I will get to that in a moment. But let me get to the part about what happens when you use VirusTotal which is a website that analyze suspicious files, domains, IPs and URLs to detect malware and other breaches and automatically share them with the security community:

In this case, the payload was only detected by 6 of 66 virus scanners. Which is bad as that implies that this virus payload is ether new or new and improved. I am guessing the latter, but in either case, this underlines why you should never, ever click on anything in a suspicious email.

But what is the payload? This based on this write up suggests that this is a trojan that in short is designed to steal user account data relating to online banking systems, e-payment systems and plastic card systems. The data is then transmitted to the malicious user controlling the Trojan. But because I could not identify the exact trojan in use here, it may do other things that are even more dangerous.

The other thing that I will note is that there’s a phone number in the email. That suggest to me that the the person behind this will also act in the same manner as the first two Norton scams. Something that I briefly looked into by phoning the number and getting a supposed employee of Norton with an Indian accent.

That covers these Norton billing scams that you should be aware of. In the coming days, I will be doing a write up about the second scam in detail so that you can see what the scumbags behind these scams will do to you if you fall for these scams. And I will also be doing a more detailed investigation of the third scam to see if I can get any additional details that I will share with you in hopes of keeping you safe. So stay tuned for all of that. But in the meantime, be careful out there folks.

UPDATE: Well, investigating the third scam didn’t last long.

I phoned the number that was listed in the third scam (which for the record you should never ever do) using a phone that doesn’t allow the caller ID to be shown at their end and the phone was answered by someone with an Indian accent claiming to be working for the “Norton LifeLock Cancellation Department”. I then pretended to be someone who had gotten the email and asked the guy why I have got charged. He then proceeded to try and supposedly help me to cancel the subscription to Norton LifeLock which of course I didn’t have a subscription to said product. I guess it was at that point he noticed that I was calling from a blocked number and hung up the phone. I tried two more times and got two more people with Indian accents and got the same results. I am guessing that their playbook involves grabbing the phone number so that they can call back if they have to, or to use it to perpetrate future scams, or both. I am also guessing that if they see that the number is blocked, they see it as a threat and they hang up the phone.

So my take away is that they don’t get you with the virus, they’re going to get you if you call the number. Thus don’t fall into either of those traps by not opening any attachment that you get in any email that might be suspicious, or phoning any number that is associated with an email like this.

One Response to “Three New And Dangerous Versions Of A Norton Billing #Scam Are Making The Rounds…. Let Me Tell You About Them [UPDATED]”

  1. […] she got. The email that she received was clearly a Norton billing phishing email that I spoke about here. Specially it was the second variant where they attach the “hook” for the phishing […]

Leave a Reply

%d bloggers like this: