Crooks recycle old tricks and they may be successful

Dec 10, 2014 21:57 GMT

An email claiming to come from an administrator features the logo of Norton Antivirus to trick unsuspecting users into entering their email credentials on a fraudulent web page.

The message provides little information about its source and focuses instead on a fake problem the recipient may be having with the email account, namely malware distribution.

As is always the case with phishing scams, the crooks make the issue urgent by saying that the email account would be deactivated if steps to correct the issue are not taken, Hoax Slayer reports.

The email can be easily identified as a scam, but many users may be distracted by the threat that their access to the email account may be terminated without warning, and comply with the fraudulent request.

Crooks include Symantec copyright note on phishing page

A link is provided, purporting to be for a scanning service powered by Norton Antivirus that could eliminate the alleged malicious software in the email account.

A copyright note at the bottom of the page shows Symantec as being the owner of the service, thus giving the victim more confidence that the scanning is legitimate.

The phishing page includes fields for the victim to enter the email address and the password used to access the account in order to start a 30-second scan. After the victim logs into the service, a message says that the scan is being carried out and, a short while later, announces that it has completed.

At this stage, the email account credentials are already in the hands of the cybercriminals and unless the two-factor authentication (2FA) security option is enabled, they have free access to the content.

Hijacking legitimate email accounts helps in future scams

The reason behind this type of effort is not necessarily to pry into the user’s private communication, but to use the account for sending out spam that may evade automatic filtering by anti-spam tools.

This particular scam is not new and it has been in use since at least the beginning of 2013.

There are plenty of clues exposing the deceit, one of them being the vague information about the sender.

Legitimate services make their identity very clear specifically to prevent impersonation attempts from malicious third parties. Furthermore, they would address the recipient by the name they gave when subscribing to the service.

If none of these stick out and the user hurries to comply with the requests in the message, taking a look at the address bar may stop further action. If the URL does not match the sender’s identity, then a scam is clearly under way.
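The clues listed above (urgency, an impersonal greeting, and a link that matches neither the sender nor the brand it invokes) can also be checked automatically before a user ever clicks. The following Python sketch is an added example, not code from the article or from Hoax Slayer; the sample message, its hosts, the `BRANDS` allow-list and the function names are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not the real scam email); hosts are placeholders.
SAMPLE = """\
From: Administrator <admin@mail-notice.example>
Subject: Your email account is distributing malware

Dear user,
Your account will be deactivated unless you scan it now with Norton Antivirus:
http://scan-service.example.net/norton/login
(c) Symantec Corporation
"""
# Assumed allow-list of domains the impersonated brands really use.
LEGIT = {"norton.com", "symantec.com"}
BRANDS = {"Norton": LEGIT, "Symantec": LEGIT}

URGENCY = re.compile(r"\b(deactivat\w*|terminat\w*|suspend\w*)\b", re.I)
GENERIC = re.compile(r"^\s*dear\s+(user|customer|subscriber)\b", re.I | re.M)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)

def registrable(host):
    """Crude last-two-labels domain (assumption; use a public suffix list in production)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def phishing_clues(raw, brands=BRANDS):
    """Return which of the article's warning signs a raw message exhibits."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # single-part plain-text message assumed
    sender_dom = registrable(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    clues = []
    if URGENCY.search(body):            # threat of losing the account
        clues.append("urgency")
    if GENERIC.search(body):            # recipient not addressed by name
        clues.append("generic_greeting")
    link_doms = {registrable(urlparse(u).hostname or "") for u in URL.findall(body)}
    if any(d != sender_dom for d in link_doms):   # link leads away from the sender
        clues.append("link_sender_mismatch")
    for brand, legit in brands.items():
        # Brand is named, but sender or links are outside the brand's own domains.
        if brand.lower() in body.lower() and (sender_dom not in legit or not link_doms <= legit):
            clues.append("brand_mismatch:" + brand)
    return clues
```

A message that trips several of these at once, as the constructed sample does, is a candidate for quarantine or a warning banner rather than delivery to the inbox.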