Tech Support Scammers? Not So Organized Criminals
Technical support scams have been around for years, but they’re getting more and more popular recently.
When you're browsing the internet, you’ve probably encountered a situation where a website suddenly opens and forces your browser into full-screen mode. It shows a variety of flashy pop-ups and banners labelled “access to your computer has been blocked for security reasons.” The website then prompts you to call a supposed “tech support company” and warns you that your personal information is at risk if you ignore the warnings.
If you have experienced this before, then you’ve come across a “technical support scam,” and it is perfectly safe to simply close the browser. Technical support scams have been around for years, but recently they have been gaining popularity rapidly, especially on pirated/unlicensed streaming sites for movies and sporting events, torrent sites, and other scam sites. [1] These fraudulent companies have evolved massively and adopted more aggressive tactics to lure vulnerable consumers.
The process begins when you visit a site that redirects you to a different site hosting the technical support scam. Once you’re on the scam site, you’ll receive pop-up notifications disguised as real error messages, designed to trick you into believing they are genuine software support services acting on behalf of major technology companies. Most often, the error messages contain fake virus warnings or highlight outdated antivirus software. Or they might show a Windows “blue screen of death”, the error screen Windows displays after a fatal system error, which will also contain a fake tech support phone number that is answered by a scammer when a victim calls.
Tech support scams don’t necessarily target specific individuals or even actual customers of the brands that they pretend to be. They are a global problem potentially affecting everyone who is vulnerable and unaware. While researching an increase in scams targeting the Norton brand, NortonLifeLock Threat Labs also observed tech scams that target Microsoft, Apple, and Amazon customers.
Depending on the geographic region they are targeting, scammers often adjust their scam websites to better trick victims into believing they are seeing authentic errors. For example, the following screenshot shows the same page as above, but the language and phone number have been adjusted.
Even though stories of people victimized by scammers are widely covered in the news, the scams continue to be a profitable business model for fraudulent organizations because unsuspecting users, or users who are simply unaware of the scam industry, continue to fall for them.
Why do we keep falling for them? Unfortunately, there’s no straightforward answer. Scammers are trained to exploit the victim’s emotions. Everyone, being human, responds to emotional triggers. The stronger the response, the higher the chance the scam is successful. Technical support scams usually exploit fear and urgency as emotional triggers. Fear is the most manipulated emotion, but it often works best when combined with urgency.
The use of fear and urgency is demonstrated well in the following fake security warning. The notification falsely warns that if the user does not call Microsoft support immediately, the device will be locked. Additionally, ignoring the warning will put their personal information at risk and lead to a Windows registration suspension. Of course, nothing like that would actually happen, and if you call the provided number, you’ll likely become a victim of the scam.
Scammers frequently combine fear and urgency to make you anxious, which will likely result in them successfully tricking you into following their false instructions. Remember, if you come across a website that fills your screen with fearful messages, it is possible that whoever created it wants you to panic. Recognizing these feelings of fear and urgency can serve as a warning that something may not be quite right. Taking careful steps can help you avoid becoming the next victim.
Tech Support Scams using the Norton brand
Browser pop-ups are not the only way scammers can deceive you. Another method that they frequently use is unsolicited cold calls. For example, you might receive a call from a scammer claiming to be from Norton. The caller will try to persuade you that your computer is infected with a virus or has other fictional problems and will then request remote access to fix it. Once the scammer has gained remote access, they could easily steal your personal information and credentials, install malicious software, or simply ask you to pay fees for solving a problem that does not exist.
A basic method for fraudulent Norton tech support scams is “Setup and Activation,” where scammers try to trick you into believing you are receiving service from a legitimate Norton employee or service provider. Many of these scams appear in search engine results, and scammers often use ad services to ensure that their websites appear at the top of the results, sometimes above the official Norton website.
Another common method to ensure that websites are listed in search engines is Search Engine Optimization, or SEO for short. SEO is basically putting keywords related to a particular subject on a website or article page so that people quickly find answers to what they need. The search engine evaluates pages to determine which content is most likely to answer your query. In simple terms, SEO is there to ensure that the website matches what the search engine is looking for. For example, a website could use the phrase “Norton Support”, and the search engine will know that it should display this website as a result of your query. Through this, scammers can place the most relevant keywords on their websites to trick users.
Here’s an example of a typical Norton tech support scam. If you typed ‘Norton support’ into a search engine, you could come across a link to a website such as hxxps://2020-norton[.]uk[.]com, which brings up the fraudulent website that is shown in the figure below.
The site has some general information on setting up a Norton product. The scammers try to trick you into believing that this is a legitimate site by overlaying the actual links with norton.com/setup and misusing Norton logos. Once you click on the "Get Started" button, it redirects you to the next stage of the scam: the download, which in this case is hosted on hxxps://a1norton[.]com.
The next page looks similar to the first one shown above as it, too, has generic information and fraudulent logos, but it tries to deceive you into downloading the software. Clicking on the "Start Download" button directs to yet another site (hxxps://yelubook[.]com/setup), where you’ll be asked to provide personal information and, optionally, the Norton product key. This scam is geographically restricted to the United States of America, the United Kingdom, Australia, and Canada.
The website's appearance changes slightly, and you may also notice the “We Are Here!” icon in the bottom right corner, which brings up a chat window that allows direct contact with the fraudulent “support” team. After you provide the required information, the browser will redirect you to another page designed to look like you’re downloading the software.
However, this “download” page is simply a filler page to make this scam more believable before the following error page is shown with fake support phone numbers.
Users are often tempted to call these toll-free numbers, which will connect them to the same call centre from which the scammers are operating. The scammer will ask you to install software on your computer, allowing them to gain remote access to it. After accessing your device, they will run several benign commands that may appear like they are trying to fix your problem. In our experiment, the scammer quickly determined that the computer was part of a botnet (which it was not), and that the fictional botnet infection caused the download failure. To fix the computer, the scammer offered to install a "firewall" for $149.99.
The “N0rt0n helpli0ne” support scam campaign
NortonLifeLock Threat Labs researchers have been tracking an extensive support scam campaign targeting the Norton brand that started in early November 2020 and is still ongoing. During this time, the scammers registered and used almost six new domains per day on average, for a total of 577 domains. These domains were registered under relatively obscure top-level domains: .cf (Central African Republic), .ga (Gabon), .gq (Equatorial Guinea), and .ml (Mali). However, the hosting infrastructure behind the attacks was not visible because the servers were set up to use a content delivery network service offered by Cloudflare.
Like other websites described in this article, users redirected to this scam site will experience a supposed antivirus scan that always detects the same virus. After the page switches the browser to full-screen mode, several warning messages pop up:
- Your PC is infected with fiver viruses!
- ACTION REQUIRED!
- Your Computer is Infected with TROJAN!
- Threat Detected!
Simultaneously, a beeping sound will be played in a loop along with a computerized female voice announcing that the “computer has been locked up” and to “call the support number.”
Below is an example URL as used in the scam campaign:
https://gop0her484[.]gq/XN0rt0nDhelpli0nexY1850563/WinY8884sec0urity0119yyY88Y/
While the scam URLs contain several random characters and digits, all entries included the terms “N0rt0n” and “helpli0ne,” prompting us to name this campaign accordingly.
In total, we observed over half a million attempted redirects to URLs used in this support scam campaign in our customer telemetry between Nov. 8, 2020, and Feb. 16, 2021.
Norton Safe Web technology, which scans, categorizes, and provides a reputation score for websites, was able to block 64.2% of attempted redirects to URLs used in this support scam campaign. Based on automated analysis and user feedback, Norton Safe Web delivers this researched information to improve our detection and strengthen the protection of our customers.
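The campaign traits described above (brand and support terms written with digit substitutions such as “N0rt0n” and “helpli0ne”, hostnames under .cf/.ga/.gq/.ml, and long runs of random characters and digits) can be turned into a simple triage heuristic for URL logs. The following Python is an added illustration written for this article, not code from the original post or from NortonLifeLock’s own Safe Web tooling. The term list, the digit-substitution table, the digit-density cut-off and the score threshold are my assumptions; of the sample URLs, the .gq one is the example quoted above and the support.norton.com one is the official support address cited in the footnotes, while the other two are constructed.

```python
import re
from urllib.parse import urlparse

# Assumed term list: brand/support words scammers tend to obfuscate in URLs.
BRAND_TERMS = ("norton", "helpline", "security", "support")
# The four obscure TLDs named in the campaign description.
OBSCURE_TLDS = {"cf", "ga", "gq", "ml"}
# Assumed digit-for-letter substitution table (0->o, 1->l, 3->e, ...).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxps://x[.]y) back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def obfuscated_terms(text: str) -> list:
    """Brand terms that appear only after undoing digit tricks.

    Two normalisations are tried: substituting letters for digits
    ("N0rt0n" -> "norton") and deleting digits entirely
    ("helpli0ne" -> "helpline"). A term present in the plain text
    is not counted, so legitimate URLs are not flagged for it.
    """
    plain = text.lower()
    candidates = (plain.translate(LEET), re.sub(r"\d", "", plain))
    return [t for t in BRAND_TERMS
            if t not in plain and any(t in c for c in candidates)]


def score_url(url: str) -> dict:
    """Score one URL against the campaign traits; higher means more suspicious."""
    parsed = urlparse(refang(url))
    host = parsed.hostname or ""
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    text = host + parsed.path
    reasons = []
    terms = obfuscated_terms(text)
    if terms:
        reasons.append("obfuscated brand terms: " + ", ".join(terms))
    if tld in OBSCURE_TLDS:
        reasons.append(f"obscure TLD .{tld}")
    digits = sum(ch.isdigit() for ch in text)
    # Assumed cut-off: long URLs where more than a fifth of characters are digits.
    if len(text) > 40 and digits / len(text) > 0.2:
        reasons.append(f"high digit density ({digits}/{len(text)})")
    return {"url": url, "score": len(reasons), "reasons": reasons}


def is_suspicious(url: str, threshold: int = 2) -> bool:
    """Assumed policy: two or more independent traits earn a closer look."""
    return score_url(url)["score"] >= threshold


def triage(urls, threshold: int = 2) -> list:
    """Return the URLs from a log that cross the threshold, in input order."""
    return [u for u in urls if is_suspicious(u, threshold)]


# Constructed sample log (apart from the two addresses taken from the article).
SAMPLE_URLS = [
    "https://gop0her484[.]gq/XN0rt0nDhelpli0nexY1850563/WinY8884sec0urity0119yyY88Y/",
    "hxxps://n0rt0n-help-desk[.]ml/supp0rt-0nline/",       # constructed
    "https://school-project.ga/about",                      # constructed, benign
    "https://support.norton.com/sp/en/in/home/current/contact-phone",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        result = score_url(url)
        verdict = "SUSPICIOUS" if is_suspicious(url) else "ok"
        print(f"{verdict:10} score={result['score']} {url}")
        for reason in result["reasons"]:
            print(f"             - {reason}")
```

The benign .ga address scores one point (the TLD alone), which is why the threshold is set at two traits rather than one: a single odd feature is weak evidence, while an obscure TLD combined with disguised brand words is the pattern this campaign actually showed. The official support URL scores zero because its brand terms appear in plain text, so the heuristic does not punish legitimate sites for containing the word “norton”.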
There are two distinct methods by which scammers might attempt to make you believe they are a legitimate call support centre operated by a real business and located somewhere familiar to you. In the first one, scammers purchase legitimate phone numbers from VoIP (Voice over Internet Protocol) providers, and sometimes they even buy toll-free numbers to maintain the apparent legitimacy of their hotline.
Scammers will purchase phone numbers with the country code matching the geographical location of the intended target. To you, it will appear as if you were dialling a call centre within your country when, in fact, the call is routed over VoIP to the location of the scam call centre. Just because a phone number appears to correlate to where you live (i.e., your country) does not mean the person on the other end of the line is legitimate or even local.
The second method scammers use is a bit more sophisticated, but fortunately, it is only used by scammers who cold call you. This method uses spoofing technology, which manipulates the caller ID to make it appear that the call is coming from a well-known source. For example, this method is commonly used in tax scams, where the scammer spoofs their number so it seems to come from the Internal Revenue Service (IRS). Users are more likely to answer a call that appears to originate from a trusted source than one from an unrecognized or unknown number.
Undercover with a Tech Support Scammer
To better understand how these scams work, we decided to call a Norton-impersonating scam support line, disguised as a victim and presented a problem that did not exist. We were greeted with an automated message: “All of our representatives are busy helping other customers, your waiting time could be longer than usual. Our working hours are from 9 a.m. to 5 p.m. Eastern Standard Time. If you are calling us out of our business hours, please call us back within our opening hours.”
To our surprise, the scammer picked up the line shortly after the message ended, greeting us with: “Hello, thank you for calling support. How may I help you?” We noticed that the scammer did not mention the company he was providing support for. This is a common technique for scammers because a single call centre often runs scams impersonating various companies.
We introduced ourselves and informed him that a Norton AntiVirus pop-up had appeared on-screen while we were checking our emails, prompting us to call support. The support agent proceeded with a verification process by first asking for personal information, including full name, email address, and date of birth. Pretending to verify our details, he said, “OK, see if the Norton came up that moment when you were looking at emails, you might have some security problems [sic].” Without taking a closer look at our issue, he continued, “So in order to fix your problem, we have to, you know. Like, run some security tools for that, to remove all the viruses or something like that. There will be a one-time charge of $150. Would that be okay for you?”
Knowing the truth, we asked whether he thought that our computer had severe problems. He knew nothing about the state of our computer, and he only replied with, “Yes, so what you need to do is get a prepaid card from the nearest store, Walmart, Walgreen, or 7Eleven, or something like that. Once you have activated the card, call back on the same number and ask for my name, David Parker.” We unwillingly agreed to purchase the prepaid card and told him that we would call back in about an hour.
We obtained virtual credit card details and called him back. It took us a few tries to get through to the support line queue, indicating that the hotline was remarkably busy that day and that there wasn’t enough space to be placed in the queue.
After some time in the queue, “David Parker” answered the phone. He seemed pretty happy, and maybe a little bit surprised, that we had called him back. He asked us whether we had managed to get the card, where we purchased it, and how much money we loaded onto it. We confirmed all details with him and were asked to provide the credit card number, expiration date, and the three-digit security code three times in total.
Once he was done writing down the correct details, David prompted us to follow a link to a remote support tool that would allow him to log on to our computer. He explained the steps to us that would grant him full remote access to our computer, a specially created virtual machine. This level of access allows anyone to copy files, install and remove software, and even reboot the entire system.
David’s level of technical expertise became apparent once he logged onto the computer. He opened the command line terminal (the interface used to type and display commands) and ran “tree,” a basic command that walks through the hard drive’s directories and lists them in the terminal window. To a non-technical person, this might sound complex, and the command may make it look like the scammer is troubleshooting the system, when, in fact, it contributes nothing to solving the “issue” we had been having.
David then opened Windows Event Viewer, a built-in tool for viewing system logs, filtered for warning messages, and told us that we had approximately 1,000 viruses on the computer. Again, to a relatively unfamiliar user, these warning notifications could suggest that something is badly wrong with their device. But those messages are a perfectly normal sight in Event Viewer.
We had to wait for about 20 minutes while the scammer was looking through the contents of the computer. He did not perform any additional troubleshooting steps and told us that he would transfer the call to a level-five technician. Then, the level-five support agent spent another 20 minutes looking through the computer to make it appear as if he was working, while simultaneously combing through the file system, probably looking for any sensitive information to copy and extract using the backend of the remote client.
If it isn’t clear by now, these scammers wasted nearly an hour of our time pretending to fix an issue that didn’t exist while charging us $150 for the fake privilege. Had any files with personal information existed within our virtual research machine, there’s no doubt that these scammers would have stolen them and used them for some other illicit purpose.
How to identify tech support scammers:
- Recheck the web address you are visiting. For Official Norton Support, confirm that the website’s URL address displayed is https://support.norton.com. [2]
- Never make payments over the phone just because you’re being asked to. If you do need to make an urgent payment, verify that the number you’re calling is legitimate and that you initiated the call. Use official contact details from the company website.
- Never share your financial details with someone who has called you unexpectedly. Companies like NortonLifeLock, banks, utility providers, and governments will never cold call customers and ask for personal information, bank details, or gift card payments over a phone call.
- You will NEVER receive an unsolicited call from Official Norton Support offering to fix issues with your computer for money. (You will only receive a call if you request it.)
- Official Norton Support comes with your subscription at no additional cost. Our support teams will never ask that you pay for support in gift cards or Bitcoin.
- If your computer displays pop-ups and error messages with a phone number, don’t call the number. For Norton subscribers, keep in mind that the software will never ask you to contact Official Norton Support via a toll-free number when it detects a threat.
You must never trust an unknown company or support agent to gain remote control over your computer or conduct a remote session on your devices. Keep your laptop and other devices up to date with the latest version of reputable security software with malware protection.
What we are doing to protect customers
Tech support scams are a plague on the internet, relying on fear to trick innocent people into spending their hard-earned money on services they don’t need. Detection and disruption of these tech support scams take time and continuous effort. Like many social engineering attacks, customer awareness and education are critical defences. To help protect and educate NortonLifeLock customers, we publish blogs, support articles and resources, and videos on tech support scams.
We are also committed to tackling the issue head-on through new research initiatives. Scammers’ activities leave behind clues that we monitor, such as domain names that deceivingly mimic our brand. Additionally, we are developing machine learning techniques to filter through suspected scam pages. We expect to continue these research efforts and continue working with authorities to identify and implement proper actions against organizations that might harm our customers and infringe our intellectual property.
We empathize with our customers and dedicate research and development efforts to educate and help protect our customers from these scams.
What You Can Do If You Have Been Scammed
If you feel you have been misled and/or have been unfairly charged money by another company, we recommend the following actions:
- Change your passwords: to your computer, to financial institutions, to your Norton Account, and any other password-protected websites you visit. If you’re an existing Norton customer, log into your Norton Account at my.norton.com.
- Run a Full System Scan to detect and eliminate viruses in your computer.
- Contact the company that charged you and request a refund.
- If you cannot get a refund directly from the company, contact your bank to report the problem.
- File a complaint with the appropriate authority: Competition & Consumer Protection Authorities Worldwide
[1] https://www.nortonlifelockpartner.com/security-center/how-to-avoid-online-scams.html
[2] https://support.norton.com/sp/en/in/home/current/contact-phone
Editorial note: Our articles provide educational information for you. Our offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about Cyber Safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses. The Norton and LifeLock brands are part of Gen Digital Inc.