A fake Norton invoice
(but a very real phishing attempt)

The creativity of Internet fraudsters provides us with ever-changing examples of potentially dangerous attempts to defraud you of your hard-earned cash. With a minimum of observation, and while keeping your cool, the large majority of these attempts can be unmasked as wild shots in the dark by not-so-clever, not-so-bright would-be fraudsters, hackers and thieves.

For example, today I received an e-mail with the following text:

From: Chang Angeline <leahousentid6@gmail.com>
Subject: Invoice Update: Order YC-NFRXC-50236

Dear customer,

We are pleased to confirm the receipt of your order (UZDNRUYOF857TA). Your subscription has been automatically renewed for uninterrupted service. Details are provided in the attached PDF.

The Purchase ID is NK1-38515/22.
Your client ID is 537963605.

Warm regards,
Customer Support Group

Already in this message we see several reasons for not trusting any of the contents:

  • Who is Angeline Chang? Never heard the name before.
  • From which company? None is mentioned in the e-mail.
  • Why is "Angeline Chang" sending apparent company mail from a private Gmail address? Easy: any fraudster can get such an address for free in seconds.
  • What order YC-NFRXC-50236? I placed no order anywhere with this number. And why does the order number suddenly become UZDNRUYOF857TA in the text of the e-mail? Because both order numbers are imaginary, simply typed by randomly hitting a few keyboard keys.
  • What purchase ID? What client ID? Again, more random imaginary numbers.
  • What customer support group? Again, no identifiable information. Why? Because leaving out any identifiable information helps the message to pass through the spam filters.

[Image: the fake PDF invoice.]

Note that the PDF contains a barely visible watermark at the bottom right of the image, probably unnoticed by the fraudsters in their hurry to get the job done. Let's do some simple image enhancement:

[Image: the enhanced watermark.]

"Converted to HTML with WordToHTML.net" is easily read. https://WordToHTML.net is a free online service that (among other things) converts a variety of documents to the binary format used by e-mail attachments. It is therefore an ideal resource for low-budget hackers in their not-so-clever fraud attempts. But they did not realize that this free service comes at a price, in the form of an unobtrusive but still detectable watermark.

Here is the source code of the e-mail, which contains some further information of interest. I will not discuss it here, but you can peruse it if you are technically oriented (it does contain further giveaways). Of course I blanked out some of my personal information in this listing and in the above images.

Delivered-To: XXXXXXXX@gmail.com
Received: by 2002:a05:6a11:7a1:b0:530:4f8b:3589 with SMTP id nt33csp351535pxb;
Thu, 22 Feb 2024 06:17:17 -0800 (PST)
X-Received: by 2002:a05:6512:e99:b0:512:bdd3:150d with SMTP id bi25-20020a0565120e9900b00512bdd3150dmr8039049lfb.52.1708611436706;
Thu, 22 Feb 2024 06:17:16 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1708611436; cv=none;
d=google.com; s=arc-20160816;
b=js260wXByIPeBDTWb5FNU7I9PO7peMjG53lT1Qu5HTSpswB954QVXaGd/QGGgLk9Rp
PGwvJayzBfHk8Q3i7gWYFYZfhqFL6yXLNv4C+Twy3FmMTrb0nMgSiSV8tL3JB4IWiIO6
5bagXLXL36cDePhX183zF80fnES1rj9weyuoyzwAonBXvQY26/lNYjxGCRPFCOXaYxZ/
8fQvN+dUGUYmat4P4dsp9KCTzl7cYCFZUiq1/VRNuN3xOonYJqDz4sIuCdZKubOqceXb
7enHO+pcTWsRxhOxe1hNBSUdhAdrzv1E0lDgRV4Fn0Vw/EYKPFKf7McXNyVR5TA60pIa
DXeg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=to:subject:message-id:date:mime-version:importance:from
:dkim-signature;
bh=T+TYxx19hW+lBzPKhPccU4uR8W0K6GtdjfwFUOk2p3w=;
fh=yXFbyrpXSIf/QsE81cvTU1wdR0Hw6cxZntGnvHy1bgA=;
b=Vqicx0h/QjougoWmeWZeIIhbHsjmUdS+efaW3xC4bkck9EC4h30BKZnpBLJJbls/8T
++RrXOmWXwohEpWrXopxigbmaCdShAuZmCCcmYPrLpPAWUAqwH1tlZaIWU1B5RzpZ/rG
/rCBzHG28nd270G0a9NrKfw2n3V1/QCebAEH/g+y8u954Ptq6lLTknxkJH0KNjBxTpBX
7tovWdTgUT324u036CV1oeZQ8tEAEgdWL+NmchWMDVIcrRcJ3X8H6n2yJsxT6NMjzuSt
jbbwWRHiWIYw1JcX9vXIIf9cqUV1bZUfYKOFs4fNUDQhcySeVddiv02VKRow4swDVsIg
ktGw==;
dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@gmail.com header.s=20230601 header.b=V3zSjsiF;
spf=pass (google.com: domain of leahousentid6@gmail.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=leahousentid6@gmail.com;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <leahousentid6@gmail.com>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
by mx.google.com with SMTPS id y15-20020a19914f000000b00512cca8fa9asor1323050lfj.8.2024.02.22.06.17.16
for <XXXXXXXX@gmail.com>
(Google Transport Security);
Thu, 22 Feb 2024 06:17:16 -0800 (PST)
Received-SPF: pass (google.com: domain of leahousentid6@gmail.com designates 209.85.220.41 as permitted sender) client-ip=209.85.220.41;
Authentication-Results: mx.google.com;
dkim=pass header.i=@gmail.com header.s=20230601 header.b=V3zSjsiF;
spf=pass (google.com: domain of leahousentid6@gmail.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=leahousentid6@gmail.com;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20230601; t=1708611436; x=1709216236; dara=google.com;
h=to:subject:message-id:date:mime-version:importance:from:from:to:cc
:subject:date:message-id:reply-to;
bh=T+TYxx19hW+lBzPKhPccU4uR8W0K6GtdjfwFUOk2p3w=;
b=V3zSjsiF8WrXdpbybsi21vtq3X6acOm88dvaZvui+VFYR/8ObPTIB6C7Y7zf2PGCPp
fKVg1hjyL3bD1u0pxS3olPj32tFIrRC8x/9FkE4DYJfDhjFJsZH9AxJ1WnoGEdQ7AyR5
kc69wte5CLHsRdwRPZltnLhwDPi3NDY4lOioxXfNIIEcIa0n5er4XPDjqk+D4d/rbXCF
dIjKL/m0+jx6Ca4KvBZWJEc1V6XHQSFmtJJV2ZD1+gNUPP/wtfCgxf1+6o2uG/Bauvia
/F6X4V+EYt2uUlLj3GDzEUHso7OBvBNGRA5U9jrvmG0i2zZ/xH9/Yc3y3F/aRApsh1/K
/aJQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1708611436; x=1709216236;
h=to:subject:message-id:date:mime-version:importance:from
:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
bh=T+TYxx19hW+lBzPKhPccU4uR8W0K6GtdjfwFUOk2p3w=;
b=qxlhOOm/SjbyoC5Vmly/RHVQxLyXPW3weqaBluBJNLYKVu0NBXByfiGnHfa2xWP4Q8
3RSupfWeE6QNCMwbv2lmsjRXBrVYMHSuYbEdt3ucQeyiMmahFYLtX79/K1FDeGJ4Bm+Z
YohUQhXT5WqOkkfBDKXsUJ5TT6saamjHOnkVQvd7t/QETlJiD4CH1YcsKH47XY6p+MGB
Qu8JxSneXqF7B43VOPD6qWjO3vOCC15+a8b/ThmoHkbjAHWk8V6K0NCYBobjXZQuuLiV
4PCHhCOVzUF1KijlknnY8k5JfhgTzVxb1R34JDGk/kJGJ3juo9ObvE3mIiyqqAhqAJAo
xpsA==
X-Gm-Message-State: AOJu0Yyj6FaAAQEKBO3aQ41YPgDr9fCMRZOoJCoUJN2k9BJuz93D5M0b
0wVD+ih0DXRwg1GTxNm7eO2u7AZNZ/Grfcyp5Zu+MBlaB95V3UprvsbFjATtgIkfDE3cBBj0Dxp
uW3O4UzDtdODcnA90TUo4kXX4dGSpFAYZU+N2Rg==
X-Google-Smtp-Source: AGHT+IGw2kdHPv42G0Qh6AUs+VPjBqT6tm5gLhOG8Gaok5UBHiwaVkIAzztUBBhFhuotBElKaTVhQiA6b9cGqIi0FrU=
X-Received: by 2002:a05:6512:3445:b0:512:a885:c377 with SMTP id
j5-20020a056512344500b00512a885c377mr8206407lfr.60.1708611435682; Thu, 22 Feb
2024 06:17:15 -0800 (PST)
Received: from 527389738259 named unknown by gmailapi.google.com with
HTTPREST; Thu, 22 Feb 2024 06:17:14 -0800
From: Chang Angeline <leahousentid6@gmail.com>
X-MyCustomHeader: 7e867821-d99e-432d-9f93-f88d7831708f
X-Priority: 1
Importance: high
MIME-Version: 1.0
Date: Thu, 22 Feb 2024 06:17:14 -0800
Message-ID: <CAD36Rtw7hnypH2Stp-K4De8-fxTw=N--WpPDBfPauK7a1BLpGQ@mail.gmail.com>
Subject: Invoice Update: Order YC-NFRXC-50236
To: XXXXXXXX@gmail.com
Content-Type: multipart/mixed; boundary="000000000000af017d0611f919fe"

The rest of the message source contains, as an attachment, the PDF file seen above, which in turn contains only an image of the invoice (no renderable text, which makes it more difficult for automated spam filters to identify the message as spam).
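The red flags listed above and the giveaways in the header dump can be turned into a simple triage check. This is an added Python example, not code from the post: it parses a trimmed, constructed copy of the quoted headers and body (ids and addresses are the page's own; the free-webmail list is an assumption) and reports the indicators an analyst or mail filter would look at, including that SPF/DKIM/DMARC "pass" only vouches for gmail.com, not for any company named in the invoice.

```python
import re
from email import message_from_string, policy

# Constructed sample: a trimmed copy of the headers and body text quoted in the post.
RAW_MESSAGE = """\
Authentication-Results: mx.google.com;
 dkim=pass header.i=@gmail.com header.s=20230601 header.b=V3zSjsiF;
 spf=pass smtp.mailfrom=leahousentid6@gmail.com;
 dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from 527389738259 named unknown by gmailapi.google.com with
 HTTPREST; Thu, 22 Feb 2024 06:17:14 -0800
From: Chang Angeline <leahousentid6@gmail.com>
X-Priority: 1
Importance: high
Subject: Invoice Update: Order YC-NFRXC-50236
To: victim@example.com
Content-Type: text/plain

Dear customer,
We are pleased to confirm the receipt of your order (UZDNRUYOF857TA).
Your subscription has been automatically renewed.
"""

# Assumed list of consumer webmail domains no real invoicing department sends from.
FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
# Upper-case/digit tokens of 8+ chars containing at least one digit: "order numbers".
ID_RE = re.compile(r"\b(?=[A-Z0-9-]*\d)[A-Z0-9][A-Z0-9-]{7,}\b")

def triage(raw):
    """Return a list of human-readable indicators found in the raw message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    domain = msg["From"].addresses[0].domain.lower()
    if domain in FREE_MAIL:
        findings.append(f"sender uses free webmail domain {domain}")
    auth = msg.get("Authentication-Results", "")
    if "dmarc=pass" in auth and domain in FREE_MAIL:
        findings.append("authentication passes, but only vouches for the webmail provider")
    if msg.get("X-Priority") == "1" or (msg.get("Importance") or "").lower() == "high":
        findings.append("artificial urgency: high-priority headers")
    received = " ".join(msg.get_all("Received", []))
    if "gmailapi.google.com" in received and "HTTPREST" in received:
        findings.append("scripted send through the Gmail API, not a mail client")
    subj_ids = set(ID_RE.findall(msg["Subject"]))
    body_ids = set(ID_RE.findall(msg.get_content()))
    if subj_ids and body_ids and not subj_ids & body_ids:
        findings.append(f"order id {sorted(subj_ids)} never appears in body {sorted(body_ids)}")
    return findings

if __name__ == "__main__":
    for finding in triage(RAW_MESSAGE):
        print("-", finding)
```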

A simple Google search brings us to the Norton LifeLock support web site, which has an entire section dedicated to scams involving fake Norton invoices. I am taking the liberty of copying a small part of their page below, which among other things contains a remarkably similar fake invoice:

[Image: the fake invoice shown on the Norton support page.]

The Norton web page says it all already. No one is charging you hundreds of US dollars for a purchase you did not make. No one will be able to withdraw any money from your bank account unless you actively allow it. Simply ignore this fake invoice, block the sender of these e-mails, report the sender to Gmail (you only need a couple of mouse clicks on the Gmail web site, no complicated and time-consuming typing of any data), and get a good night's sleep.

I reported the message to Gmail, just to keep some less technically savvy recipient of the same e-mail from becoming unnecessarily worried, and within minutes Google moved it to the spam folder of anybody who received it. Google also deleted the e-mail account of the sender of this spam.

The only risk to your money comes if you contact the sender of this (or a similar) e-mail in order to clear up the "misunderstanding". Likely they will ask you for plenty of personal details in order to "refund the transaction", and should you be so naive as to give them your bank account and/or credit card details (which they do not have but need in order to steal your money), then they may be able to attempt a withdrawal from your account or to use your credit card details for an online fraud, e.g. using them to pay for a mail order or online service. They can succeed only if you voluntarily give them the information they need, not otherwise.