Gen Archives

October Consumer Cyber Safety Pulse Report – From Norton Labs

What you need to know about “FUD” and the No. 1 scam. Plus, new insights on gaming, banking, gift-cards, vax passports, phishing, and an attack on the Catholic Church
Norton Labs
Global Innovation & Research
October 19, 2021
Read time
13 Minutes
October Consumer Cyber Safety Pulse Report – From Norton Labs
Written by
Norton Labs
Global Innovation & Research
October 19, 2021
Read time
13 Minutes
October Consumer Cyber Safety Pulse Report – From Norton Labs
In this article
    Share this article

    You probably know that COVID-19-era scams follow the news — from phony promises of financial assistance to fake access to vaccines. But you might not know that one scam has been more enduring than any other.

    The winner: tech support scams, which have surged to the No. 1 in the list of scam threats that we see in the wild today.

    Tech-support scams often arrive as a pop-up. They’re designed to trick you into believing you face a dire cybersecurity threat. Example: “Your PC is at risk!” And they seek to steal your personal information, tap your bank account, or install dangerous software on your device.

    It’s worth noting that scammers fraudulently use the names and branding of major technology companies, including NortonLifeLock, to try to trick and defraud consumers.

    Here are two reasons tech-support scams have proliferated in the COVID-19 era.

    1. Your increased reliance on computers, smartphones, and tablets to juggle hybrid work schedules and family activities.
    2. They work.

    These attacks rely on FUD — fear, uncertainty, and doubt. They often try to scare you into believing that something is wrong and get you to call a number to fix it. Once they make contact, they can use a variety of techniques to compel you to make decisions that are not in your best interest. That can range from installing software that gives them control of your PC to forking over your credit card number so they can bill you for their “services.”

    What happened:  Tech support scams topped our list of scam threats for 13 consecutive weeks, from July 1 through Sept. 30. Prediction: Expect strong momentum into the holiday season.

    Advice for consumers: Your best defense against tech-support scams is awareness. If in doubt, never call a number based on a pop-up or warning. Instead, reach out to the company directly through their official website and explain what happened.

    What’s ahead: In the next three months, we expect threats to your Cyber Safety to include a seasonal shift (think: holidays) — and tech-support scams. Some scams to watch out for during the holidays can include.

    • Tech-support scams.
    • Shopping scams.
    • Charity scams.

    Cyber Safety threats by the numbers 

    NortonLifeLock technology blocks more than 9 million threats on an average day. Here’s a closer look at the numbers for July through September.

    Spotlight: 6 threats we detected and probed — and tips for your Cyber Safety

    Norton Labs gathers more than just data. The team also digs deep to identify emerging threats that impact you in often-unexpected ways. That can range from your gaming habits to your religious beliefs.

    Here’s what caught our attention this quarter.

    Spotlight #1. Gaming: How and why scammers want to steal your “Party Hat”

    Virtual goods have real value. That’s one reason why scammers target gamers. Here’s how.

    Background: The massively multiplayer online role-playing game (MMORPG) RuneScape celebrated its 20th anniversary this year. It had much to celebrate. It is recognized as the largest free game in this category with more than 200 million accounts created, according to Guinness World Records.

    Publisher Jagex has enjoyed financial success thanks to micro-transactions in RuneScape. The game has exceeded $1 billion in lifetime revenue.

    Rare in-game items are highly sought after and are traded on real-world marketplaces. A blue “Party Hat” is considered the most valuable item in the game. As of December 2020, it was valued at approximately $6,700.

    Not surprisingly, scammers might find a hat like that — and other virtual items — worth stealing.

    How it works: Norton Labs caught a new phishing campaign targeting RuneScape players to steal their login credentials.

    It’s worth noting that after previous waves of attacks, Jagex introduced additional security measures, including two-factor authentication (2FA).

    Scammers’ countermove? This latest RuneScape phish was specifically designed to also steal 2FA codes and therefore circumvent the controls of the login process.

    Cybercriminals have been following the gaming industry’s trend to give perceived financial value to in-game items,” says Armin Buescher, Technical Director at Norton Labs. “They are persistently targeting gamers to steal and monetize their prized virtual possessions."

    Advice for consumers: Don’t trust links from unexpected emails or text messages.  When in doubt, go directly to the login page of a service by typing it in or using a reputable search engine.

    Spotlight #2. Banking: It looks like Citibank. It’s not.

    Online banking can be quick and convenient. But if you log in to a scam website designed to look like your bank’s real website, you could have a lot to lose.

    Background: Norton Labs researchers noticed a phishing campaign that targeted customers of Citibank with a website set up by the attackers as a near carbon copy of the real banking homepage.

    How it works: The fraudulent homepage was hosted on a domain using an “internationalized domain name” that used unicode characters to resemble the legitimate Citibank domain “” But with a twist.

    The domain name registered by the attackers in so-called punycode was “” Browsers convert that for display in the address bar as “cítí.com”.

    Punycode phishing domains are not a new phenomenon,” says Armin Buescher, Technical Director at Norton Labs. “But even years after the introduction of internationalized domain names, cybercriminals still find combinations of characters that are deceivingly close to high-profile targets like major banks."

    Advice for consumers: Your bank will not send you texts or messages asking you to log in with your credentials. Always go directly to their official site when you need to login to your bank. Or use their official customer support phone number on the back of your card to get in touch with them.

    Spotlight #3. How attackers cash out on stolen gift cards

    Gift cards can be popular, including among people who feel hungry. At Norton Labs, we found a network of attackers selling stolen gift cards after they drained some money from our pizza gift card.

    We take our pizza very seriously, so we were motivated. We figured out how they snatched our funds and reported our findings to the gift-card vendor. There are lessons here that apply to other types of gift cards, too, even if you’re not hungry.

    Background: Gift cards are a perfect target for attackers. That’s because they usually have lower security than credit cards, they aren’t tied to a specific person’s name, and they are almost as good as cash. An attacker can take those ill-gotten gains to the store or resell the gift card at a discount.

    How it works: We found that many gift cards are made by the same company. The cards all have a 19-digit number and 4-digit PIN. The company also provides a website to check the gift cards’ balance. That can be a problem because it can allow an attacker to check if a card number and PIN combination is valid.

    We found that attackers were using the website to guess card-number-and-PIN, trying over-and-over until they found working combinations, and then reselling those gift cards online. What’s more, the website had weak security, so it was easy for attackers to try millions of combinations until they found the few that worked.

    Another insight: The 19-digit card numbers were not random. Instead, they had a specific structure, making it easier for attackers to find working combinations.

    Advice for consumers: Always check the value of your gift cards after you buy them. Make sure the gift cards aren’t activated until you buy them. If possible, check if a gift card has a long PIN, because four digits is far too short.

    Learn more: Check out the blog.

    Spotlight #4. COVID-19: Everything you wanted to know about vaccine passports 

    Vaccine passports might sound like a good idea. But privacy and fraud are two concerns, as populations seek COVID-19 safety.

    Norton Labs surveyed vaccine passport programs around the world. The goal: to better understand what they are, how they work, and the risks and benefits associated with them.

    Through three case studies, examining digital vaccine passports in Denmark, Israel, and New York, here are some of the lessons we learned.

    Background: Vaccine passports — also called digital vaccination certificates — are digital proof a person was vaccinated against COVID-19. Vaccine passports have been controversial since their introduction, raising questions about privacy, security, and ethics in technology. The terminology has also been confusing, with people unclear about how vaccine passports work.

    How it works: Despite their name, vaccine passports aren’t traditional passports. Vaccine passports are a way to securely check whether someone has been vaccinated against COVID-19, clearing that person to engage in a higher-risk activity such as travel and spectator events in high-capacity venues.  Developers of vaccine passports imagine them as a digital version of a paper vaccination record, like the World Health Organization’s “Yellow Card.”

    Bottom line: Vaccine passports can be a helpful technology for reducing the transmission of COVID-19 across borders and in high-risk environments. But their deployment comes with at least two big risks.

    • First, a vaccine passport creates the potential for governments and private companies to invade the privacy of millions of people if the passports are not created with privacy in mind.
    • Second, if the vaccine passports are not developed in the open and without security as a key concern, they can create a false sense of security while unvaccinated people are able to forge valid-looking passports and defeat the system.

    Advice for consumers: You can learn from the deployment of this important technology in other countries and regions, and you can demand that their local deployments are transparent, secure, and, most importantly, respect privacy.

    Learn more: Check out the blog.

    Spotlight #5. Phishing: We’re gonna need a bigger boat 

    Phishing is a big business, and it’s easy to join the fleet. Phishing kits are freely available. That makes it easy for anyone with little technical knowledge to launch a phishing campaign, with the aim of stealing and selling your information.

    Background: Phishing, which has been around for more than 20 years, is still one of the most common online scams around. Phishing is a type of social engineering attack that tricks victims into providing username and password combinations, and frequently other personal information to an attacker.

    Phishers manipulate human nature and emotions, and they use email messages and phishing kits to exploit them. 

    How it works: Before sending emails to potential victims, the phisher creates a website that looks and feels nearly identical to the legitimate website. This makes it difficult for an average user to distinguish between the real site and the fake one.

    The easiest way to do this is by using a phishing kit, the web component to a phishing attack. Phishing kits require little technical skills, and they are often available to download for free.

    After a scammer configures and uploads the phishing kit, a phishing message is sent to victims. The message helps trick the victim into clicking on a link that leads to the spoofed website.

    Next, the victim enters sensitive information such as account credentials or other personal information on the website. The data is transmitted back to the phisher, who will attempt to use it for monetary gain. 

    Advice for consumers: Be aware of suspicious messages that prompt you to click on a link or open an attachment. If you are unsure about a message, go to your web browser and go directly to the organization's website.

    Learn more: Check out the blog.

    Spotlight #6. Operation Exorcist: 7 years of targeted attacks against the Roman Catholic Church 

    The Chinese government and the Catholic Church have a history of strained relationships. Now, our research shows hackers potentially operating out of China have targeted the Roman Catholic Church and the Vatican. This includes actual intrusions into Vatican computers. We examine the malware in use, which includes actual intrusions into Vatican computers.

    Background: China-based threat actors have a long history of breaking into computers globally. Their motivation has usually been information gathering and surveillance against targets of national security, economic, or strategic interest.

    Negotiations have been ongoing on various issues pertaining to the Church’s activities in China, where there are 10 million Catholics. It is our speculation that the goal of the intrusion activity may have been information gathering to be better positioned in negotiations.

    How it works: Our investigation has detailed two separate cases:

    • One, we found targeted malware in files that appear to be legitimate Vatican-related documents. The malware can infect the devices of users who access the documents.
    • Two, we identified computers located in the Vatican that had Chinese malware installed and documented the malware’s use and capabilities.

    Advice for consumers: Targeted attacks are usually associated with large organizations, but that’s not always the case. People belonging to special interest groups, dissidents, or individuals with influential jobs are also subject to targeted attacks.

    A government might not target you, but you might be vulnerable to a more common attack such as a phishing campaign or an infected webpage. It’s smart to be vigilant and learn about online risks in your quest for Cyber Safety.

    Learn more:  Check out the blog

    Looking toward 2022

    Norton Labs continues to track scams and threats targeting consumers. Expect the pandemic theme to continue, but other world and seasonal events will likely have an impact too as we approach 2022.

    Find out more when we publish our next Consumer Cyber Safety Pulse Report in January.

    Editorial note: Our articles provide educational information for you. NortonLifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.

    Copyright © 2021 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates in the United States and other countries. Other names may be trademarks of their respective owners.

    Norton Labs
    Global Innovation & Research
    Norton Lab’s research on Cyber Safety influences future technology and impacts the consumer cybersecurity industry worldwide. The Labs team includes top threat and security researchers who work to protect consumers from known and new threats.
    Follow us for more