Go to listing page

Tech support scammers use fake Norton scans to dump unwanted applications

Tech support scammers use fake Norton scans to dump unwanted applications
  • Scammers crafted pop-up messages imitating Norton scans that led users to install potentially unwanted applications (PUA).
  • PUAs earn revenue for scanners, based on the number of installs they make on various computer systems.

Scammers are increasingly becoming creative with their methods. This time, they have relied on bogus antivirus scans to trick users into installing potentially unwanted applications (PUAs) on their systems.

According to security firm Symantec Corporation, a fake Windows alert is first displayed on targeted systems, which urges users to perform a ‘quick scan’. After users click on OK, scammers diligently display an antivirus scan that closely resembles Norton Security’s antivirus scan.

Once the scan is completed, users are notified of an apparent ‘PC infection’ and are asked to install an update. This update downloads PUAs into the user’s computer. PUAs would then perform malicious actions such as stealing information, mining cryptocurrency, changing browser settings, and more.

Scam Uses HTML and JavaScript

Symantec highlighted the source code in its blog on the scam campaign. It appears that scammers used HTML and JavaScript code for the purpose of creating the fake Norton scan.

“The scammer cleverly makes use of the setTimeout() function to change values over a period of time, giving the victim the illusion that an actual scan is in progress and that their files are being scanned,” indicates the blog.

Revenue from PUA installs

It seems that the scammers mainly relied on the number of PUA installations rather than the usual support helpline method, to generate revenue. Symantec also found a dashboard in its telemetry search that showed a revenue model for this scam. Hence, higher the number of clicks means higher the revenue for the scammers.

Cyware Publisher