Scammers Are Tricking People With Fake Software Renewal Notifications

Last updated September 25, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

There’s an ongoing scamming campaign involving fake software subscription renewal notifications. According to Malwarebytes researchers who have been following the campaign closely, this theme is used for the last couple of months. Unfortunately, a significant portion of the recipients of these fake notifications are getting tricked.

The actors are sending an invoice for a popular software product, supposedly charging the recipient an absurd amount for a renewal of the subscription. The notification includes a “customer help desk” number, which the scammers hope that the victim will use in order to dispute the “auto-renewal.” In an example using Malwarebytes Security 4.0, the scammers present victims with a charge of $349.99.

Source: Malwarebytes

If the victim calls, the scammers pretend that a technician will have to access their computer to ensure that the software in question is uninstalled so that a refund can be granted. This is done through TeamViewer, which the victim is convinced to install for the crooks. If that happens, the scammers will simply proceed by installing more remote access tools like SupRemo.

Source: Malwarebytes

What the scammers do from then on is to write more notices and warnings on notepad, lock up the machine by using the SysKey utility, and generally ensure that the victim is constantly met with bogus alerts about fabricated threats and problems. All of that is done to convince the victims to pay them more money to supposedly clean the system, or uninstall the threats, or whatever. As long as the victim pays, the scamming continues.

Source: Malwarebytes

Malwarebytes was able to dig deeper to figure out who these scammers are and managed to identify the registrant of a malicious domain used for dropping the RAT tool, named Aman Deep Singh Sethi. Also, an associate named Swinder Singh was identified through a phone number, and eventually, a New Delhi-based company called 'Lucro Soft Pvt' was unearthed.

Source: Malwarebytes

The researchers figured that the scammers had been active since at least 2015, while Lucro Soft was established in 2018, possibly to help them justify the income somehow. The identified infrastructure was mapped and is now actively blocked by Malwarebytes and all the security solutions that are receiving their indicators of compromise reports. The scheme has been uncovered, and the actors’ were exposed, so normally, they will stop all activity now.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: