Smells Like Phish: Symantec’s Update Norton Internet Security Email

I examined an email message that encouraged the recepient to update to the latest version of the Norton Internet Security tool. The message looked like a classic phish, complete with the “Update Now” button that pointed to a URL that had “symantec” in it: http://response.nortonfromsymantec.com/servlet/cc6?kPuHglLJQTU…

A boring old phish, you say? Well, I think this note was actually sent by Symantec. According to Whois, nortonfromsymantec.com is registered to Symantec, and the URL redirected to another Symantec domain norton.com.

Dear Symantec communications folks:

  • When communicating with customers, please don’t encourage them to download software in response to email messages. Instead, consider explaining to them how to use the auto-update functionality of the software to perform the upgrade.
  • If including links in your message, please point directly to a symantec.com domain, avoiding the use of domains similar to those that phishers might use when impersonating Symantec.

Sincerely,

Lenny Zeltser

Updated

About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more