In a seizure warrant application, the U.S. Secret Service sheds light on how threat actors stole $34,000 using fake antivirus renewal subscription emails.
The now-executed seizure warrant was submitted by Special Agent Jollif of the United States Secret Service (USSS) to recover funds stolen in a fake Norton subscription renewal email that led to the threat actor gaining access to a victim’s PC and bank account.
According to the court document submitted by a Special Agent of the United States Secret Service, the stolen money is stored in a Chase bank account belonging to someone named “Bingsong Zhou,” associated with phishing scams impersonating Norton Antivirus renewal subscriptions.
These phishing emails claim that the recipient is about to be charged for renewing an antivirus subscription license and to call the enclosed number to cancel it.
The victim calls the phone number listed on the email, and from there, the scammers direct them to perform various actions such as installing remote access software on their computers, infecting themselves with malware, and entering their account credentials on a phishing page.
One case highlighted in the court document mentions a victim who received a phishing email on November 28, 2023, alleging that he would be charged $349.95 for a Norton antivirus subscription unless he canceled the charge.
While the court document does not show the phishing email received in this attack, it is likely similar to the one shown below that was seen in past attacks.
After calling the scammers, the victim was tricked into giving them remote access to his laptop, supposedly needed to ensure the $349.95 was refunded to his account.
At that point, the scammer alleged that $34,000 was refunded by error, and the victim was asked to return the amount to avoid legal trouble.
The victim complied with the instruction, seeing that his checking account now had a new $34,000 deposit that he assumed originated from Norton.
In reality, the scammer had overlaid a blue screen on the monitor so the victim couldn’t see his actions and transferred $34,000 from the victim’s own Money Market (savings) account to their checking balance.
After the fraudulent activity was identified, on December 7, JP Morgan Chase restricted Zhou’s access to the funds in his accounts, and these funds were moved to a suspense account controlled by the bank.
Jollif’s application seeks to seize the $34,000 derived from Zhou’s activities, considering it potentially criminal proceeds.
Zhou now faces charges of wire fraud and involvement in a phishing scam and might also be charged with possible money laundering, bank fraud, and conspiracy to commit wire fraud.