Smells Like Phish: Symantec’s Update Norton Internet Security Email

I examined an email message that encouraged the recipient to update to the latest version of the Norton Internet Security tool. The message looked like a classic phish, complete with the “Update Now” button that pointed to a URL that had “symantec” in it: http://response.nortonfromsymantec.com/servlet/cc6?kPuHglLJQTU…

A boring old phish, you say? Well, I think this note was actually sent by Symantec. According to Whois, nortonfromsymantec.com is registered to Symantec, and the URL redirected to another Symantec domain, norton.com.

Dear Symantec communications folks:

  • When communicating with customers, please don’t encourage them to download software in response to email messages. Instead, consider explaining to them how to use the auto-update functionality of the software to perform the upgrade.
  • If including links in your message, please point directly to a symantec.com domain, avoiding the use of domains similar to those that phishers might use when impersonating Symantec.

Sincerely,

Lenny Zeltser
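The second recommendation can be turned into a pre-send check on outbound mail templates. The sketch below is an added example, not code from the original post or from Symantec: it flags any link whose host is not an exact match or true subdomain of an approved domain but still carries the brand name, which is the pattern a recipient cannot tell apart from a phish. The allowlist, the brand tokens and every sample URL except the host quoted in the post are assumptions.

```python
from urllib.parse import urlsplit

# Assumptions for this example: the approved domain set follows the post's
# second recommendation, and the brand tokens are chosen for illustration.
OFFICIAL_DOMAINS = {"symantec.com"}
BRAND_TOKENS = ("symantec", "norton")


def classify_link(url: str) -> str:
    """Classify a link as 'official', 'brand-lookalike' or 'unrelated'."""
    parts = urlsplit(url)
    # .hostname drops userinfo and port and lowercases the host, so
    # "symantec.com@other.example" resolves to "other.example".
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "unrelated"
    for domain in OFFICIAL_DOMAINS:
        # Exact match or a true subdomain. The leading dot enforces a label
        # boundary, so "nortonfromsymantec.com" does not match "symantec.com".
        if host == domain or host.endswith("." + domain):
            return "official"
    # The brand name anywhere in the authority (userinfo included) on a
    # non-approved host is what makes a link indistinguishable from a phish.
    if any(token in parts.netloc.lower() for token in BRAND_TOKENS):
        return "brand-lookalike"
    return "unrelated"


# Constructed sample links; only the first host comes from the post.
SAMPLES = [
    "http://response.nortonfromsymantec.com/servlet/cc6",
    "https://www.symantec.com/update",
    "https://symantec.com.updates.example/download",
    "https://symantec.com@updates.example/download",
    "https://SYMANTEC.COM./update",
    "https://newsletter.example/unsubscribe",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify_link(url):16} {url}")
```

A "brand-lookalike" result says nothing about who registered the domain; it marks links that force the recipient to do a Whois lookup to tell a legitimate message from a phish.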
