Malicious Mimic of the Symantec Blog Prompts Visitors to Download Malware

The password-stealing OSX.proton masquerades as the 'Symantec Malware Detector'.

A report from the California-based software company Symantec has warned of a fake website mimicking the Symantec blog. According to the warning, the malicious website mirrors the content posted on the Symantec blog and attempts to trick readers into clicking on infected pages.

The fake site is listed under the URL symantecblog[dot]com, and even has its own SSL certificate. However, according to Malwarebytes, the certificate was issued by Comodo, not Symantec. In an attempt to prey on fear, the fake blog warns of the emergence of a new version of a piece of malware called ‘CoinThief’, which allegedly first appeared in 2014.

Symantec’s legal team is attempting to bring an end to the scam, and has updated Norton and Symantec products to detect the OSX.proton malware.

Skillfully Crafted: the Malware Appears Legitimate, Requires Authorisation

The infected pages offer their visitors a link to a free download of the ‘Symantec Malware Detector’, a fake piece of security software that, according to Symantec, “claims to detect and remove infections caused by a new variant of the CoinThief malware.” The link actually begins the download of OSX.proton, a piece of malware that steals valuable information (such as passwords) through a ‘back door’ on the infected computer and may also download additional malicious files.

When run, the Proton malware appears legitimate; it even uses the Symantec logo. The malware prompts users to agree to a check, saying that their authorisation will send a “non-identifying” report to Symantec Inc. to “improve the heuristic engine.”

If authorisation is not provided, the malware will not be installed. However, anyone who downloaded the malware believing it to be a legitimate piece of security software is unlikely to withhold authorisation at this point.

Twitter Accounts Share the Fake Website

Malwarebytes has also warned that links to the fake blog are being spread on Twitter by both fake and legitimate-seeming accounts. Some of the legitimate-seeming accounts could have been hijacked using information stolen by the Proton malware; others could be well-intentioned Twitter users who have been tricked into thinking that the fake Symantec Malware Detector is really protecting them.

While this particular piece of malware is not specifically designed to gather information regarding cryptocurrency, the warning against the alleged CoinThief software seems to indicate that crypto users are of special interest to the malware’s creators. As cryptocurrency scams are becoming more popular and more sophisticated, keep your software and your personal knowledge of crypto scams updated.
