A member of Symantec’s Partner Programme has been scamming web users into paying over the odds for security products they might not even need.
Researchers at Malwarebytes found a disingenuous tech support company called Silurian Tech Support had been using scare tactics and social engineering to convince people to accept their help and purchase Symantec services like Norton Antivirus.
Silurian lured in unsuspecting users with fake warnings displayed on web pages stating “System Critically Infected. If you are not able to click on this button, Immediately contact Support toll Free Helpline 1-855-637-1900.”
The web page was fake, but Jerome Segura, senior security researcher at Malwarebytes, said some would be alarmed by the message, which was supported by an audio track in the background.
Researchers were directed to a support page where they allowed a Silurian “technician” to take control of their machine. Segura said this is a core part of the process because the scammers can do whatever they want – including the installation of genuine malware on a previously uninfected system.
“Once the technician was logged in, he wasted no time in going for the most infamous trick used by tech support scammers, the Windows EventViewer,” he continued.
“Sadly, Microsoft’s central log and error reporting tool can all too easily be leveraged thanks to those yellow and red warnings, which the majority of the time are perfectly normal. Of course, for a scammer it’s the perfect way of claiming those are infections or viruses.”
The technician then opened Task Manager and identified a genuine Windows process as malware, based on the argument that authors often disguise malicious programmes with legitimate file names.
Based on this evidence, Malwarebytes was offered a one-off fix and installation of Norton for $199 or a year-long warranty for $249. It was during the payment process that researchers found out the name of the fake support company and discovered it was a Symantec partner.
Malwarebytes informed Symantec about the scam and it was confirmed Silurian was indeed a member of the partner programme. Silurian’s website has now been shut down, but Malwarebytes says such cases harm both PC users and the security companies involved. Indeed, Segura said it is not uncommon to hear of users being duped out of hundreds, and sometimes thousands, of dollars.
“Most of the time, the support provided by these crooks is way under par, and unsurprisingly we often hear about people’s computers getting worse than when they first called in,” he said. “That leads to refund requests which sometimes end up with the very security vendors whose products are abused.”
Segura said the only real way to prevent such occurrences from happening is to raise awareness of the issue as social engineering is the scammer’s most potent weapon. He said security vendors are often unaware of the tactics employed by these scammers.
A Symantec spokesperson told ChannelBiz sister site TechWeekEurope: “While we can’t say conclusively who was behind this particular scam, we can confirm that this particular site has been taken down and that we are also in the process of terminating our partner agreement with Silurian.
“After identifying any abuse of the Norton or Symantec brand, we pursue our rights and defend our intellectual property, and where necessary will work with law enforcement.”
It has not been a very good week for Symantec. It is getting $1bn less cash than it had originally hoped for in the sale of its Veritas storage business, the company said on Tuesday. The amended terms come after “uncertainties” developed regarding the transaction. But both parties have now agreed that all key conditions have been satisfied, and the deal will close on 29 January.