Angry phone call

Tech support scammers are pretending to be from Microsoft, McAfee, and Norton to target users with fake antivirus billing renewals in a large-scale email campaign. 

While browsing the web, most people at one time or another have been redirected to a tech support scam web site that pretends your computer is infected and then prompts you to dial a displayed phone number. 

Traditional browser-based tech support scam
Traditional browser-based tech support scam

These scams are widespread on sites using low-quality ad networks, but it is far less common to receive them via email.

In discussion with Nicolas Joffre, Regional SOC Manager at email security firm Vade Secure, BleepingComputer learned that the new email tech support scam started in March.

This scam began with low volumes of email but quickly escalated into volumes as high as 200,000 emails in a single day. In total, since the scam started, Vade Secure has filtered over 1 million of these emails targeting their customers, as shown by the graph below.

​ The volume of email for current tech support email scam

The volume of email for current tech support email scam
Source: Vade Secure

The emails pretend to be billing notices from Norton Lifelock, Microsoft, and McAfee that state the recipient will be charged between $350 to $399 for a three-year subscription unless they call to cancel the subscription. The threat actors constantly change the email subjects, but they all pretend to be a billing subscription from a well-known security security company.

As you can see below, one of the tech support scams pretends to be from Norton Lifelock and states that the recipient will be charged $349 for a three-year subscription unless they call the included number to cancel it.

Norton Lifelock tech support scam email
Norton Lifelock tech support scam email
Source: Vade Secure

As these are fake billing notices, the hope is that the recipient will call the number to be tricked into giving remote access to their computer.

When users call into the included phone numbers, the scammers will install various remote access software that threat actors will use to install malware on the computer.

The tech support scam

After learning about the scam, BleepingComputer had to give the included phone number a call to see how these scammers are operating.

When we called the number and told the scammer that we received a Norton subscription notice but do not have the software installed, they quickly asked what security software we use.

When we said we used Windows Defender, they quickly pretended to be from Microsoft and said they would charge over $300 for the subscription unless we cancel it.

To cancel the subscription, we needed to visit the 1800support.weebly[.]com site, which pretends to be a BestBuy Geek Squad support site.

Fake BestBuy GeekSquad support site
Fake BestBuy GeekSquad support site
Source: BleepingComputer

From there, we were walked through the downloading of the AnyDesk remote access software and told how to enable it for unattended access. Once the scammer took over our computer, they transferred a fake "Sonicwall Approved by the NSA" scanner, as shown below

Fake SonicWall scanner
Fake SonicWall scanner
Source: BleepingComputer

This program was meant to scare the target into thinking they were infected with something really dangerous and to allow the scammer to continue installing additional software, such as TeamViewer, and to collect personal information.

In reality, the above scanner is nothing more than a batch file that shows the output of the wevtutil.exe command clearing the target's Windows event logs.

Batch script powering the fake scanner
Batch script powering the fake scanner
Source: BleepingComputer

After the tool finished, the scammer asked us to open a Notepad window and input our name, address, phone number, and date of birth, which the scammers told us was needed to process the antivirus subscription refund.

While filling in some nonsense info, they began installing TeamViewer in the background and configuring it for unattended access to our computer.

As this process took too long to complete and surprisingly conducted by a very rude scammer, we disconnected from AnyDesk.

While BleepingComputer did not wait to confirm this scam's full outcome, Vade Secure believes that this collected personal information is sold to other threat actors for their own attacks. They also believe TeamViewer access will be used later to install malware or enlist the device into the threat actor's spam botnet.

Unfortunately, many people fall for these scams and provide threat actors remote access to their computers. Sadly, it is even more common for older people to fall for this scam as they may not have much experience with computers and are told attackers are trying to drain their bank accounts.

The best line of defense against scam emails is never to call a phone number included in an email stating that you owe money. Instead, you should visit the company's site and contact the number listed there to confirm if an email is valid or not.

Even more importantly, no legitimate company will require you to give them remote access or ask you to download software to process a refund.

As soon as a person tells you to do that, you should immediately consider it a scam and hang up the phone.

Related Articles:

Hijacked subdomains of major brands used in massive spam campaign

New Darcula phishing service targets iPhone users via iMessage

New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts

Over 100 US and EU orgs targeted in StrelaStealer malware attacks

Russian hackers target German political parties with WineLoader malware