THINK BEFORE YOU CLICK


AS ALWAYS THINK BEFORE YOU CLICK

Tuesday, February 12, 2019

Bogus Security Alerts Aren’t From Norton

Con artists are targeting thousands of people with tech support scams that pose as security alerts from Norton Security, researchers at Symantec have found. The phony alerts pop up in the browser and urge the victim to run a quick scan of their computer. If the user clicks “OK,” they’ll see a very realistic-looking fake Norton scan running, which tells them their computer is infected. They’ll then be prompted to download an “update” for their antivirus software, which is actually a potentially unwanted application (PUA).

The scammers use HTML and JavaScript to create a very convincing illusion that a Norton scan is taking place. The source code contains several invisible HTML div elements which are progressively made visible by JavaScript code. The scammers use JavaScript’s setTimeout() function to time the appearance of the HTML elements, which contain images of a real Norton scan. The victims believe they’re seeing Norton windows popping up on their computer. In reality, it’s all happening within the browser.
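A triage heuristic for the staged-reveal pattern described above, added here as an example and not taken from Symantec's research or from the scam page. It counts hidden div elements, images nested inside them, and setTimeout() calls in the inline scripts of a saved page source; the thresholds, names and both sample pages are assumptions constructed for illustration, and a match is a reason to look closer rather than a verdict.

```python
import re
from html.parser import HTMLParser

HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TIMER = re.compile(r"\bsetTimeout\s*\(")

class PageAudit(HTMLParser):
    """Counts hidden <div>s, images nested in them, and collects inline script text."""
    def __init__(self):
        super().__init__()
        self.hidden_divs = self.hidden_images = 0
        self.script = []
        self._divs = []            # one bool per open <div>: is it hidden?
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "div":
            hidden = "hidden" in attrs or bool(HIDDEN.search(attrs.get("style") or ""))
            self._divs.append(hidden)
            self.hidden_divs += hidden
        elif tag == "img" and any(self._divs):
            self.hidden_images += 1
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "div" and self._divs:
            self._divs.pop()
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script.append(data)

def staged_reveal_score(html):
    """Return (hidden_divs, hidden_images, timers, flagged) for a saved page source."""
    page = PageAudit()
    page.feed(html)
    timers = len(TIMER.findall("".join(page.script)))
    # Assumed thresholds: at least two of each signal before the page is flagged.
    flagged = page.hidden_divs >= 2 and page.hidden_images >= 2 and timers >= 2
    return page.hidden_divs, page.hidden_images, timers, flagged

# Constructed samples (not captured from the campaign).
STAGED = """<div id="s1" style="display:none"><img src="a.png"></div>
<div id="s2" style="display: none"><img src="b.png"></div><div id="s3" hidden><img src="c.png"></div>
<script>setTimeout(function(){show('s1')},1000);setTimeout(function(){show('s2')},3000);
setTimeout(function(){show('s3')},6000);</script>"""
BENIGN = """<div id="menu" style="display:none"><a href="/help">Help</a></div>
<script>setTimeout(function(){closeBanner()},5000);</script>"""
```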

While tracking this scam, the Symantec researchers discovered an unsecured attacker dashboard, which revealed that the scammers had compromised tens of thousands of victims. The dashboard shows that the attackers are paid by the volume of successful PUA installations, and this particular scam netted them at least $25,000.

The researchers emphasize that there are several red flags here that could have alerted educated users to the scam. First, files on your hard drive can’t be scanned by a website in a browser. Second, Norton scans and updates are handled through the product’s GUI, while the initial alert in this case was obviously browser-based. Additionally, the scam contained several hard-coded elements that wouldn’t have applied to every user, such as “30 days of subscription remaining.”



New Phishing Attack Uses Google Translate to Spoof Login Page and Fool Victims

A clever use of Google Translate fools victims into believing spoofed authentication requests are being handled by Google itself.

Compromising credentials is the number one staple in any cybercriminal’s book of activities, according to the Verizon Data Breach Investigations Report. A new phishing scam uses Google Translate to hide a spoofed logon page when asking a user for their Google credentials. The user is sent a supposed Google Security Alert about a new device accessing their Google account, with a “Consult the Activity” button to find out more.
The user is then taken to a spoofed Google logon page (shown below).

The kicker is that the victim never sees the mediacity.co URL: the cybercriminals use Google Translate to display the page, taking advantage of the random text Google uses, which fills up the URL bar and obfuscates the malicious domain.
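One way a mail gateway or proxy could see past the Translate wrapper, added here as an example and not part of the original report. It assumes the proxied page address travels in the `u` query parameter of the Translate link and that accounts.google.com is the only host accepted for a Google sign-in form; the sample URL is constructed, and only the domain mediacity.co comes from the article.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: hosts that render another page and carry its address in the "u" parameter.
TRANSLATE_HOSTS = {"translate.google.com", "translate.googleusercontent.com"}
# Assumption: the only host this check accepts for a Google sign-in form.
SIGNIN_HOSTS = {"accounts.google.com"}

def host_of(url):
    """Lower-cased host of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def unwrap_translate(url, max_depth=3):
    """Return the address of the page actually rendered behind a Translate link."""
    for _ in range(max_depth):
        inner = parse_qs(urlsplit(url).query).get("u")
        if host_of(url) not in TRANSLATE_HOSTS or not inner:
            break
        url = inner[0]          # parse_qs has already percent-decoded the value
    return url

def origin_host(url):
    """Host that serves the content, after removing any Translate wrapping."""
    return host_of(unwrap_translate(url))

def is_google_signin(url):
    """True only when the content itself comes from the sign-in host."""
    return origin_host(url) in SIGNIN_HOSTS

# Constructed sample; the path is a placeholder.
SAMPLE = ("https://translate.google.com/translate?hl=en&sl=auto&tl=en"
          "&u=http%3A%2F%2Fmediacity.co%2Fplaceholder-path")
```

The address bar shows a google.com host for `SAMPLE`, while `origin_host(SAMPLE)` reports the domain that actually supplies the login form.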

This type of campaign, given the specific execution, seems rather well thought out. As long as the victim has a Google account and does not check the from address in the original email, there’s a solid likelihood they will fall prey to this scam, providing their Google credentials.

Google has since blocked the site, but this is a good reminder to stay alert to scams like this.
Cybercriminals are constantly looking for new ways to compromise both online and on-premises credentials - as they provide the means to access data, applications, and resources useful to further a criminal campaign. Organizations need to educate users with Security Training to be watchful for phishing and online scams, providing detail on what to look for, and how to avoid becoming a victim.

Tuesday, February 5, 2019

Scam Asking For Money For Police



The Peoria County Sheriff’s Office has alerted the community to a phone call and mail scam asking for money to support the Illinois Police Association.

The mailing address comes from Wisconsin. The phone number is 309-832-0500. Officials believe the call is prerecorded.

If you call the number back, it will ask for your full name, phone number, and address so you may be put on the Do Not Call list.

Officials say that this is a scam and to hang up on the caller and throw away any mail from them.

The police will not solicit money over the phone or by mail.

Voicemail Phishing Email Scams are Targeting User Passwords

A devilishly ingenious scam plays on your users’ familiarity with business voicemail, seeking to compromise online credentials without raising concerns.
 

The phishing email appears to come from the legitimate voicemail vendor, RingCentral, but includes a Microsoft logo (no doubt, to make the user associate Microsoft with this process – more on that in a moment).


Using subjects such as Voice:Message, Voice Delivery Report, or PBX Message, these emails contain another email as the attachment (to avoid detection by email scanning security solutions) containing the actual phish (shown below). 

The user is then prompted to click a link to Listen to the voicemail. In reality, the link takes the user to a spoofed Microsoft login page where they are prompted not once, but twice to log on (likely to ensure the passwords typed match so the cybercriminals can be certain the account details are correct).

As a nice touch, once the logon has completed, a generic voicemail does play – probably to throw users off the scent of this being a scam.
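The email-inside-an-email trick described above, shown from the scanning side as an added example that is not part of the original article: a scanner that reads only the outer body finds no link, while a walk that descends into the attached message does. The sample message is constructed, its subjects come from the article, and its addresses and link use the reserved `.invalid` domain.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def links_by_depth(msg, depth=0, found=None):
    """Return [(depth, url)]; depth counts how many attached emails deep the link sits."""
    found = [] if found is None else found
    if msg.get_content_type() == "message/rfc822":
        for attached in msg.get_payload():        # the email carried as an attachment
            links_by_depth(attached, depth + 1, found)
    elif msg.is_multipart():
        for part in msg.iter_parts():
            links_by_depth(part, depth, found)
    elif msg.get_content_maintype() == "text":
        found += [(depth, url) for url in URL_RE.findall(msg.get_content())]
    return found

def top_level_links(msg):
    """What a scanner sees if it reads only the outer message body."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return URL_RE.findall(body.get_content()) if body else []

def build_sample():
    """Constructed message: a clean outer email wrapping the email that holds the link."""
    inner = EmailMessage()
    inner["Subject"] = "Voice:Message"
    inner["From"] = "voicemail@example.invalid"
    inner.set_content("Listen to the voicemail: https://portal.example.invalid/listen\n")
    outer = EmailMessage()
    outer["Subject"] = "Voice Delivery Report"
    outer["From"] = "voicemail@example.invalid"
    outer.set_content("You have a new voice message. See the attached message.\n")
    outer.add_attachment(inner)                   # attached as message/rfc822
    # Serialise and re-parse so the walk runs on a message as a gateway would receive it.
    return message_from_bytes(outer.as_bytes(), policy=policy.default)
```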

Monday, February 4, 2019

How to Identify a Phishing (Fake) Email




How to Identify - Numbered list below corresponds to numbered circles in image above.

1.   The from email address was a bit awkward. It was not dropbox.com but update-dropbox.com, which is a red flag. While in some rare cases something like this can be legit, this should put you on alert.

2.   Sense of urgency. Again, this by itself is not enough to make this a Phishing email, but it should put you on alert. Hackers play on your emotions and they use threats and urgency to get you off balance.

3.   If you hover over the links in this email (see inset image) you can clearly see that the link doesn’t go anywhere like dropbox.com at all. This is absolutely a Phishing email when you see this.

4.   This email threatens to delete your files and plays on your emotions, again another red flag.

5.   The vague nature of when the files will be deleted is a sure sign this is Phishing: they say the files will be deleted on “Thursday” and don’t add an actual date?!? Red Flag!

6.   Hover Link

7.   Hover Link

8.   Hover Link
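Checks 1 and 3 from the list above written as code, added here as an example that is not part of the original post: the sender domain and every link target are compared against the brand's domain on a label boundary, so update-dropbox.com does not pass as dropbox.com. The sample header and body are constructed (only the two domain names come from the post), and the findings are flags for a person to review rather than verdicts.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

def belongs_to(host, brand_domain):
    """True for the brand domain itself or a subdomain of it, never a lookalike."""
    host = host.lower().rstrip(".")
    return host == brand_domain or host.endswith("." + brand_domain)

class LinkCollector(HTMLParser):
    """Collects [href, visible text] for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._open = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = False

    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data

def review(from_header, html_body, brand_domain):
    """Return a list of findings: what hovering over the sender and links would reveal."""
    findings = []
    sender_host = parseaddr(from_header)[1].rpartition("@")[2]
    if not belongs_to(sender_host, brand_domain):
        findings.append(f"sender domain {sender_host} is not {brand_domain}")
    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        host = urlsplit(href).hostname or ""
        if not belongs_to(host, brand_domain):
            findings.append(f"link '{text.strip()}' goes to {host}")
    return findings

# Constructed sample message parts.
FROM = "Dropbox <no-reply@update-dropbox.com>"
BODY = ('<p>Your files will be deleted on Thursday.</p>'
        '<a href="http://files.example.invalid/restore">https://www.dropbox.com/restore</a>')
```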