Us Court Docs Expose Fake Antivirus Renewal Phishing Tactics

Hand holding money

In a seizure warrant application, the U.S. Secret Service sheds light on how threat actors stole $34,000 using fake antivirus renewal subscription emails.

The now-executed seizure warrant was submitted by Special Agent Jollif of the United States Secret Service (USSS) to recover funds stolen in a fake Norton subscription renewal email that led to the threat actor gaining access to a victim’s PC and bank account.

According to the court document submitted by a Special Agent of the United States Secret Service, the stolen money is stored in a Chase bank account belonging to someone named “Bingsong Zhou,” associated with phishing scams impersonating Norton Antivirus renewal subscriptions.

These phishing emails claim that the recipient is about to be charged for renewing an antivirus subscription license and to call the enclosed number to cancel it.

The victim calls the phone number listed on the email, and from there, the scammers direct them to perform various actions such as installing remote access software on their computers, infecting themselves with malware, and entering their account credentials on a phishing page.

This type of scam has been ongoing for many years, but Jollif stated that the activity has recently risen to higher volumes.

Illusionary deposit

One case highlighted in the court document mentions a victim who received a phishing email on November 28, 2023, alleging that he would be charged $349.95 for a Norton antivirus subscription unless he canceled the charge.

While the court document does not show the phishing email received in this attack, it is likely similar to the one shown below that was seen in past attacks.

Example Norton phishing email used in a similar scheme
Example Norton phishing email used in a similar scheme

After calling the scammers, the victim was tricked into giving them remote access to his laptop, supposedly needed to ensure the $349.95 was refunded to his account.

At that point, the scammer alleged that $34,000 was refunded by error, and the victim was asked to return the amount to avoid legal trouble.

The victim complied with the instruction, seeing that his checking account now had a new $34,000 deposit that he assumed originated from Norton.

In reality, the scammer had overlaid a blue screen on the monitor so the victim couldn’t see his actions and transferred $34,000 from the victim’s own Money Market (savings) account to their checking balance.

After the fraudulent activity was identified, on December 7, JP Morgan Chase restricted Zhou’s access to the funds in his accounts, and these funds were moved to a suspense account controlled by the bank.

Jollif’s application seeks to seize the $34,000 derived from Zhou’s activities, considering it potentially criminal proceeds.

Zhou now faces charges of wire fraud and involvement in a phishing scam and might also be charged with possible money laundering, bank fraud, and conspiracy to commit wire fraud.


Original Source


A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

To keep up to date follow us on the below channels.