Smells Like Phish: Symantec's Update Norton Internet Security Email

I examined an email message that encouraged the recepient to update to the latest version of the Norton Internet Security tool. The message looked like a classic phish, complete with the “Update Now” button that pointed to a URL that had “symantec” in it: http://response.**nortonfromsymantec.com**/servlet/cc6?kPuHglLJQTU…

A boring old phish, you say? Well, I think this note was actually sent by Symantec. According to Whois, nortonfromsymantec.com is registered to Symantec, and the URL redirected to another Symantec domain norton.com.

Dear Symantec communications folks:

When communicating with customers, please don’t encourage them to download software in response to email messages. Instead, consider explaining to them how to use the auto-update functionality of the software to perform the upgrade.
If including links in your message, please point directly to a symantec.com domain, avoiding the use of domains similar to those that phishers might use when impersonating Symantec.

Sincerely,

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.

Learn more →