Smells Like Phish: Symantec’s Update Norton Internet Security Email

I examined an email message that encouraged the recepient to update to the latest version of the Norton Internet Security tool. The message looked like a classic phish, complete with the “Update Now” button that pointed to a URL that had “symantec” in it: http://response.nortonfromsymantec.com/servlet/cc6?kPuHglLJQTU…

A boring old phish, you say? Well, I think this note was actually sent by Symantec. According to Whois, nortonfromsymantec.com is registered to Symantec, and the URL redirected to another Symantec domain norton.com.

Dear Symantec communications folks:

  • When communicating with customers, please don’t encourage them to download software in response to email messages. Instead, consider explaining to them how to use the auto-update functionality of the software to perform the upgrade.
  • If including links in your message, please point directly to a symantec.com domain, avoiding the use of domains similar to those that phishers might use when impersonating Symantec.

Sincerely,

Lenny Zeltser

Updated

About the Author

I design practical security solutions and shepherd them to a sustainable state. I used to be hands-on in many areas of cybersecurity and IT. Now I focus on strategy and leadership, treating security as an enabler that helps people and companies achieve their goals. As the CISO of Axonius, I lead the security program to earn customers' trust and fuel the company's growth. Earlier, I built security products and services. I'm also a Faculty Fellow at SANS Institute, where I help professionals develop malware analysis skills.

Learn more