Norton/PayPal/Xero Renewal Scam
1 July 2022
Target receives an email from Xero where the email is actually from Xero!
The invoice is for a Norton 360 "renewal"
There is an option to "View Invoice" which takes you to a genuine Xero invoice on the Xero website
Viewing the invoice gives you no direct ability to pay
Viewing the PDF version also gives you no ability to pay and this is where things start to look dodgy
Choosing the Save to Xero option will add the invoice to your accounts payable if you are using Xero
There is still no option to pay so you have to call the number included in the email
Calling the 1800 number puts you in contact with the scammer
The scammer will invite you to give them access to your computer without telling you they will have access to your computer
Nek minnit, they have stolen money from your bank account
It starts with an email from Xero
The scary thing here is that the email is actually from Xero, it's not a fake email
This is the first time we have seen this
The scammers have clearly signed up with Xero to perpetrate this scam
The email is clever
The email is actually from Xero which lends itself to the credibility of the email
The scammer has signed up with Xero to perpetrate this scam
The sender email address is exactly what it looks like when we send out an invoice from Xero
from Paypal_Invoice is not so clever of course
The email was received late yesterday, i.e. June 30, with a due date of June 30, so there is a sense of urgency
There is a statement that the amount has already been deducted from your bank account which increases the sense of urgency
The price seems a tad excessive which generates a "There's no way I am paying that!" type of thought process
They have a customer care department although it's not clear whether that is Norton, PayPal or Xero!
The sign-off is just plain dumb, of course; Paypal_Invoice is not in the slightest bit convincing
So, there are obvious weaknesses but overall this is one of the better scam emails we have seen
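Because the email really does come from the invoicing platform, sender checks will pass and any filtering has to look at the content instead. The following is an added example, not part of the original article and not code from Xero or Norton: a small content scorer built from the traits listed above. The platform domain, the sample email text, the price and the phone number are constructed placeholders, and the brand list is an assumption taken from names mentioned in the article.

```python
import re
from datetime import date

# Assumption: brands taken from names the article itself mentions.
BRANDS = ("norton", "paypal", "telstra", "nbn", "amazon", "microsoft")
# Assumption: placeholder domain standing in for a genuine invoicing platform.
PLATFORMS = {"invoicing-platform.example"}
# Australian 1800/1300 style numbers, like the 1800 number in the email.
PHONE = re.compile(r"\b1[38]00[ -]?\d{3}[ -]?\d{3}\b")
CHARGED = re.compile(r"\balready\s+(?:been\s+)?(?:deducted|charged|debited)\b", re.I)
REMEDY = re.compile(r"\b(?:cancel|refund)", re.I)

def callback_phish_indicators(sender_domain, body, received, due):
    """Return the names of the indicators that fire for one invoice email."""
    hits = []
    text = body.lower()
    # Substring match on purpose: "Paypal_Invoice" must count as "paypal".
    named = sorted(b for b in BRANDS if b in text)
    # A genuine platform sender proves nothing about who created the invoice.
    if sender_domain in PLATFORMS and named:
        hits.append("brand_via_platform:" + ",".join(named))
    if len(named) >= 2:
        hits.append("multiple_unrelated_brands")
    if CHARGED.search(body):
        hits.append("claims_already_charged")
    if due <= received:
        hits.append("due_on_or_before_receipt")
    # A phone number offered as the way to cancel or get a refund.
    if PHONE.search(body) and REMEDY.search(body):
        hits.append("call_to_cancel_or_refund")
    return hits

# Constructed sample modelled on the email described in the article.
SAMPLE_BODY = """Your Norton 360 renewal of $499.99 has already been deducted
from your bank account. To cancel or request a refund call our customer
care department on 1800 000 000.
Regards, Paypal_Invoice"""

# Constructed benign invoice for comparison.
BENIGN_BODY = """Invoice INV-0042 for June bookkeeping is attached.
Please pay by bank transfer using the details shown on the invoice."""

if __name__ == "__main__":
    print(callback_phish_indicators("invoicing-platform.example", SAMPLE_BODY,
                                    date(2022, 6, 30), date(2022, 6, 30)))
    print(callback_phish_indicators("invoicing-platform.example", BENIGN_BODY,
                                    date(2022, 6, 30), date(2022, 7, 14)))
```

Any single indicator is weak on its own; it is the combination on an authenticated platform email that deserves a second look before anyone picks up the phone.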
We don't include the invoice link when we send invoices from Xero; no-one should ever click a link within an email
The View Invoice link takes you to a genuine Xero web page which displays the invoice created by the scammer!
Note the genuine Xero web address
The Questions or comments link takes you to a genuine Xero message page which will send your message to the scammer
Again, note the genuine Xero web page address
However the message will go from you to the scammer
The scary element of this particular scam is that you can click the Xero button which will add the invoice to your Accounts Payable if you are running Xero like we do here at Lincoln Computer Centre
Everything on this page is genuine Xero, you can either login or create a login
All of this is designed to convince you the invoice is genuine
However, no matter what you do, you will not find payment details because that is not the purpose of this scam
The purpose of this scam is to gain access to your computer (or phone); let's see how they do that
So you call the number included with the email
You have to do this if you want to pay the account because there is no other way to pay
You have to do this to request a refund or to cancel the invoice
So you call the number
The scammer answered my call and their name/company was indistinct, mainly because it sounded like he was calling from a chicken coop
He asked me what he could do to help me and I explained that I had received the email invoice
He asked me whether I wanted to continue with the internet security or cancel
This is clever because I am choosing, he has not barrelled me into anything, it's a perfectly reasonable question
I said I did not wish to renew the service
He then asked me if I was at my computer to which I answered "yes"
Gaining access to my computer
He then asked me to browse to anydesk.com; he did not say why
Anydesk is a remote access software package used by legitimate remote access support people as well as scammers
Anydesk is irresponsible in the sense that there are no warnings on their web page as to the consequences of using their software
So, I browse to anydesk.com
The scammer asks me if I can see the Download Now button and asks me to click on it
The software downloads to your computer, you are prompted to save and then run the file
Which is all good except that you are being directed by a scammer!
So run the software which brings up a relatively innocuous looking screen...
This is where it gets nasty
Note that the padlock symbol implies a level of security where it offers anything but a level of security in the hands of a scammer
The scammer will then ask you for the "Cancellation Number" at the top of your screen
There is no warning on this page with regard to the BIG RED NUMBER
I have previously alerted Anydesk to the lack of appropriate warnings on this page and they could not have cared less!
There should be a warning along the lines of "Giving this number to anyone will allow them to access your computer remotely"
But there is no warning, so any scammer can pretend the number is a confirmation code, a cancellation code or a prize code
And if you think that's bad, check out the Padlock dialogue box!
This is simply a disgrace and Anydesk does not give a rats
The scammer asked me to click on the padlock symbol which brings up the following dialogue box
The scammer asked me to add a password to "improve security"
He gave me the password to type in which is clever because he was not asking me for a password
The default setting of the Permission Profile is tantamount to criminal negligence
Unattended Access allows the scammer to log back in to your computer at any time it is switched on, whether you are present or not
The phrase Unattended Access is grayed-out which is appalling, you would hardly notice it is there
And worst of all, there is, again, no warning as to the consequences of allowing Unattended Access to your computer
So, what happens next?
I don't know for this phone call because I then used some very rude words to express my view about what he was attempting to do
To his credit, he gave as good as he got and I had to hang up on the scammer for a change!
Keeping in mind the notion of a refund plus a cancellation number the next step is insidious
What the scammer would have liked me to do!
You are asked to log into your bank account
Because you are not aware they are remotely accessing your computer, it seems like a reasonable suggestion
You will then check your bank account for the payment which they will insert without you even noticing
They will then process a Refund where again they will insert a page which is an edited version of your internet banking page
The page you see will show that they accidentally refunded you (say) $5000 instead of $500
They will apologise profusely and ask you to transfer it back
Note that the amount of overpayment will be closely matched to the balance of your bank account which they can see!
You can see they overpaid you so you transfer the balance back to their nominated bank account
OSKO will then make sure the scammer steals your money in the blink of an eye
It's like OSKO and Anydesk are in on these scams, they certainly do nothing to prevent them!
It's not Telstra
It's not your bank
It's not the NBN
It's not Amazon
It's not Microsoft
It's not Norton
and it's not Xero (even if it actually is!)
Call someone you know personally
Contact us at Lincoln Computer Centre for more information regarding defending yourself from scams, or recovering from a scam