Reseller was scamming users into buying Symantec products

Jan 22, 2016 23:50 GMT

Malwarebytes, a cyber-security vendor and one of Symantec's rivals, has caught one of Symantec's resellers running a tech support scam that was scaring users into thinking they were infected with malware and then graciously offering to sell Symantec's security software at inflated rates.

This type of online fraud is known in the industry as a "tech support scam," and most of the time, scammers pose as official support staff for companies such as Microsoft, Google, or Apple.

In this particular case, Malwarebytes was investigating a tech support scam reported by one of its users, which was being hosted on quicklogin.us/norton.

Tech support scam using Symantec's Norton brand

The page showed a fake Norton security alert that asked users to call a US phone number for technical assistance in removing a malware infection. Malwarebytes' team played along with the scam just to analyze the fraudsters' tactics.

After calling the number, a tech support representative asked the caller to allow them remote access to the computer so they could inspect it for malware. This is standard procedure in all tech support scams, and if users stopped giving remote desktop access to unknown people, this scam would no longer be used.

The Windows events log viewer

With access to the victim's computer, the tech support operator proceeded to show them some errors, which technical users would have recognized as Windows' event log viewer. This window lists internal operating system events, most of which are nothing to worry about and are part of the operating system's normal operation. The problem is that these log events often show a bright red or yellow error sign that can be misinterpreted by users.

Additionally, to hook in more suspicious victims, the tech support operator also showed the user a listing in the Windows Task Manager called csrss.exe. This is a normal Windows process, but one that malware authors have abused in the past. Asking the victim to google this term would bring up many pages where this process was labeled as malware, after various viruses disguised themselves under this name.

This is where the scam reached its final stage: the tech support operator would be "willing" to help the victim after they paid a one-time fee for repairing the computer and for a version of Norton Security, all for $199. Additionally, the victim also had the option of purchasing a one-year warranty with Norton for $249.

Symantec's Norton software is generally sold for prices between $25 and $50 per year, so the scammers were making a nice profit on each sale.

Scammers were an Indian-based Symantec reseller

Malwarebytes' researchers agreed to pay for one of the options just to gather more clues about the scammer. They were then taken to the payments page of Silurian Tech Support.

Silurian is an official Symantec-certified reseller, operating from North India. As part of Symantec's reseller program, the company was being granted access to Symantec's security products at lower prices, which Silurian was obviously peddling to users at inflated prices through illegal practices.

As soon as Malwarebytes' investigation was published, Silurian's website was taken offline, and only their Twitter page remained online.

Malwarebytes also informed Symantec, who said in a statement for The Register that it terminated its contract and would work with law enforcement to defend its brand and intellectual property.
