Malicious Mimic of the Symantec Blog Prompts Visitors to Download Malware

Wednesday, 22/11/2017 | 07:48 GMT by Rachel McIntosh
  • The password-stealing OSX.proton masquerades as the 'Symantec Malware Detector'.

A report from the California-based software company Symantec has warned of a fake website mimicking the Symantec blog. According to the warning, the malicious website mirrors the content posted on the Symantec blog and attempts to trick readers into clicking on infected pages.

The fake site is listed under the URL symantecblog[dot]com, and even has its own SSL certificate. However, according to Malwarebytes, the certificate was issued by Comodo, not Symantec. In an attempt to prey on fear, the fake blog warns of the emergence of a new version of a piece of malware called 'CoinThief', which allegedly first appeared in 2014.

Symantec’s legal team is attempting to bring an end to the scam, and has updated Norton and Symantec products to detect the OSX.proton malware.

Skillfully Crafted: the Malware Appears Legitimate, Requires Authorisation

The infected pages offer their visitors a link to a free download of the 'Symantec Malware Detector', a fake piece of security software that, according to Symantec, “claims to detect and remove infections caused by a new variant of the CoinThief malware.” The link begins the download of OSX.proton, a piece of malware that steals valuable information (e.g. passwords) through a 'back door' on the infected computer and may also download additional malicious files.

When run, the Proton malware appears legitimate; it even uses the Symantec logo. The malware prompts users to agree to a check, saying that their authorisation will send a “non-identifying” report to Symantec Inc. to “improve the heuristic engine.”

If authorisation is not provided, the malware is not installed. However, anyone who downloaded the program believing it to be legitimate security software is likely to grant that authorisation at this point.

Twitter Accounts Share the Fake Website

Malwarebytes has also warned that links to the fake blog are being spread on Twitter by both fake and legitimate-seeming accounts. Some of the legitimate-seeming accounts could have been hijacked using information stolen by the Proton malware; others could be well-intentioned Twitter users who have been tricked into thinking that the fake Symantec Malware Detector is really protecting them.

While this particular piece of malware is not specifically designed to gather information regarding cryptocurrency, the warning against the alleged CoinThief software seems to indicate that crypto users are of special interest to the malware’s creators. As cryptocurrency scams are becoming more popular and more sophisticated, keep your software and your personal knowledge of crypto scams updated.

About the Author: Rachel McIntosh
Rachel is a self-taught crypto geek and a passionate writer. She believes in the power that the written word has to educate, connect and empower individuals to make positive and powerful financial choices. She is the Podcast Host and a Cryptocurrency Editor at Finance Magnates.