Is it a Norton or an AOL phishing scam?


As a security researcher, I occasionally get some interesting goodies in my old AOL inbox. This morning I received a couple of phishing scam emails purporting to be from "Norton Symantec." The fraudulent emails claimed, in part:

"Your e-mail address was successfully upgraded with the latest Norton Antivirus update. In order to ensure your account remains active and protected to continue sending and receiving new messages, you will be required to immediately sign in again."

Norton email or phishing attack?

If a recipient of this phishing e-mail fell for the scam and clicked on the link, he or she would be taken to a page that looks like this:

Fake AOL login screen

Hmmm, this email claims to be from Norton, but it takes me to an AOL login screen? An AOL login screen hosted on what appears to be a hacked domain instead of at aol.com? On an unencrypted connection instead of over HTTPS? This seems more than a little suspicious.

And what exactly does it mean for an "e-mail address [to be] upgraded with the latest [antivirus] update" anyway?

Another thing that may draw suspicion from savvy AOL users is that AOL has a partnership with McAfee, not Norton.
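
The red flags described above (sender brand versus login-page brand, link host versus the brand's real domain, HTTP versus HTTPS) can be expressed as a small check. This is an added Python example, not code from the original post; the brand-to-domain map, the function names and the sample URL are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed brand -> legitimate sign-in domain map (illustrative; extend as needed).
BRAND_DOMAINS = {"aol": "aol.com", "norton": "norton.com"}

def host_belongs_to(host, domain):
    """True only for the domain itself or a genuine subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def login_link_red_flags(claimed_sender, link_url, page_brand):
    """Return the red flags for a sign-in link found in an email.

    claimed_sender: brand the email says it is from
    link_url:       where the "sign in again" link actually leads
    page_brand:     brand whose login page the destination imitates
    """
    flags = []
    parts = urlsplit(link_url)
    sender, brand = claimed_sender.lower(), page_brand.lower()

    # 1. Email says one company, login page imitates another.
    if sender != brand:
        flags.append("brand-mismatch")
    # 2. Login page is not served from the imitated brand's own domain.
    expected = BRAND_DOMAINS.get(brand)
    if expected is None:
        flags.append("unknown-brand")
    elif not host_belongs_to(parts.hostname, expected):
        flags.append("wrong-host")
    # 3. Credentials would travel over an unencrypted connection.
    if parts.scheme.lower() != "https":
        flags.append("no-https")
    return flags

# Constructed sample modelled on the email described above;
# the host and path are placeholders, not the real phishing URL.
SAMPLE = ("Norton", "http://hacked-site.example/aol/login.php", "AOL")

if __name__ == "__main__":
    print(login_link_red_flags(*SAMPLE))
```

The suffix match requires a leading dot, so a lookalike host that merely contains or starts with the brand's domain is still flagged as the wrong host.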

I have to wonder whether every recipient of these phishing emails is being redirected to a fake AOL login page. Could it be that the fake AOL link is only being sent to those who received the scam email at an @aol.com address?

Out of curiosity, I browsed to the parent directory on the hacked domain hosting the fake AOL login. Here's what I found:

Parent directory

Aha! There's another directory named Norton. Let's see what it contains:

Fake Norton webpage

Now that's closer to what I had expected to see in the first place from an email claiming to be from Norton.

Both forms - the fake AOL login and the fake Norton login - appear to collect a victim's email address and password via a PHP script and then redirect the user to AOL or Norton's homepage.

If you have fallen for this scam, be sure to change your email password immediately. If you use the same password across multiple sites, be sure to change your password at all other sites as well.


4 Responses to Is it a Norton or an AOL phishing scam?

  1. Michelle · 850 days ago

    Is there somewhere else we can send spam to that will get it onto "the list"? I send it to spam@uce.gov, but is there somewhere else I should also send it? I get 20 a day, and it seems that a lot of it is repeat offenders. For whatever reason, my work address is inundated with Nigerian money scams trying to transfer money from their rich uncle who has died.... Yeah! What else can be done to stop them besides out SPAM stop, and reporting them to the FTC?

    • solenoid25 · 850 days ago

      Re: What else can be done to stop them

      This solution may not be helpful for your work address, but I'll share my story. Your results may vary.

      Our company moved to Gmail for email domain hosting services with Google Apps for Business a while ago. Although we barely take advantage of the Apps part of the deal, the email service is solid. We noticed a drastic drop in spam.

      One consultant explained it to us as: Gmail handles so many millions of emails per hour/minute or such that when it notices grand patterns of thousands of emails all saying the same thing, it recognizes that and marks it as spam. To us (a small company), that benefit alone justifies the email hosting cost per user per year. We saved time, and get on with work.

      • Jeffrey DuBrul · 849 days ago

        Nice job... joshmeister!!!

        Jeffrey "Mr Fixit" DuBrul
        BIT (Bay Information Technology)

    • Brady · 849 days ago

      I always forward the ones that do get through my filters to spamcop.net since I use their block list (as well as a few others)


About the author

Joshua Long has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Computer and Information Security. Josh's research has been featured by many fine publications such as CNET, CBS News, ZDNet UK, Lifehacker, CIO, Macworld, The Register, and MacTech Magazine. Look for more of Josh's articles featuring his research and musings on malware and security on his blog security.thejoshmeister.com, and follow him on Twitter and Google+.