krenenlatisandbou

Remote Access Trojan used by Norton Lifelock Scam: How Hackers Impersonate Norton and Steal Your Data



Cybercriminals behind a recently observed phishing campaign used a clever ruse in the form of a bogus NortonLifelock document to fool victims into installing a remote access tool (RAT) that is typically used for legitimate purposes.

The script is used for persistence: its role is that of a fallback mechanism for installing the NetSupport Manager remote access tool. Before proceeding, the script checks for the presence of Avast or AVG antivirus and stops if either of the two is running on the victim host.


Browser pop-ups are not the only way for scammers to deceive you. Another method that scammers frequently use is unsolicited cold calls. For example, you would receive a call from someone claiming to be from Norton. The caller will falsely claim your computer is infected with malware or suffering some fictional problems and will then request remote access to fix it. Once the scammer has gained remote access, they may steal your personal information and credentials, install malicious software, or simply upsell their "technical support" for a problem that does not exist.


Calling any of the toll-free numbers will connect you to the same call center from which the scammers are operating. The scammer will ask you to install software on your computer that allows them to gain remote access to it. They will then run several benign commands that may look as if they are trying to fix your problem. In our experiment, the scammer quickly determined that the computer was part of a botnet (which it was not), and that the fictional botnet infection contributed to the failure of the download. To fix the computer, the scammer offered to install a "firewall" for $149.99.


Which scam model this spam campaign follows is unclear. It is most likely an amalgamation of refund and tech support scams. Both require the scammers to remotely access victims' devices, which they do by presenting themselves as "support" or "expert technicians" and guiding users by phone.


Once access is established in a refund scam, victims are asked to log into their online bank accounts. Cyber criminals can manipulate what the victim sees by editing the web page's HTML: the bank account page is edited while the scammers use the remote access software's features to darken the user's screen. Changing the HTML does not affect the actual funds in the bank account, but when victims look at their balance they see a different sum. Alternatively, scammers can achieve the same effect by moving money between the victim's own accounts (e.g., from checking to savings).


There are myriad other ways that such scams can be used. After remotely accessing the device, scammers can run fake system scans and claim to have found various infections, connected hackers, etc. They can then push users to continue with their security product/service purchase and ask for payment using the previously mentioned methods, which ensure that the funds cannot be recovered by the victims. The criminals may also perform fake malware removal manually and request payment for their "services".


If you've allowed cyber criminals to remotely access your device, first disconnect it from the Internet. Afterward, uninstall the remote access program the scammers used (e.g., AnyDesk, TeamViewer, etc.), since they may not need your consent to reconnect. Lastly, use an anti-virus to run a complete system scan and remove any detected threats.


Tech support cold calls are when an individual calls the target, claims to be from a reputable company, and states that they have found malware on the computer. The criminal will then try to get the user to install remote desktop software under the pretext of removing the infection, which gives the attacker access to the computer and the ability to install real malware. In addition to attempting to install malware on the machine, these scammers will often ask for a fee to fix the issue.


That remote access allows the scammer to see your screen, download other malware (important for a second round of the scam, in which fake Norton Anti-virus warnings pop up), and guide you into exposing your bank details so they can deduct a "low fee" for the assistance.


From there, victims are instructed to download software to stop the subscription. The download actually gives the operators remote access to the computer. Once inside your PC, the scammer can ask you to input personal information or snoop around as they please.


Also, if the requested information is submitted, a tech support scammer will contact you claiming there was an error with the submitted information and will ask you for remote access to your computer. If access is given, the scammer will install spyware which steals personal information.
