As a security researcher, I occasionally get some interesting goodies in my old AOL inbox. This morning I received a couple of phishing scam emails purporting to be from “Norton Symantec.” The fraudulent emails claimed, in part:
"Your e-mail address was successfully upgraded with the latest Norton Antivirus update. In order to ensure your account remains active and protected to continue sending and receiving new messages, you will be required to immediately sign in again."
If a recipient of this phishing e-mail fell for the scam and clicked on the link, he or she would be taken to a page that looks like this:
Hmmm, this email claims to be from Norton, but it takes me to an AOL login screen? An AOL login screen hosted on what appears to be a hacked domain instead of at aol.com? On an unencrypted connection instead of over HTTPS? This seems more than a little suspicious.
And what exactly does it mean for an “e-mail address [to be] upgraded with the latest [antivirus] update” anyway?
Another thing that may draw suspicion from savvy AOL users is that AOL has a partnership with McAfee, not Norton.
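The red flags listed above (a Norton-branded email leading to an AOL login page, hosted somewhere other than aol.com, over plain HTTP) can be checked mechanically. The Python sketch below is an added example, not part of the original post; the brand-to-domain table, the function names and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed table: brand -> domains that brand really serves its login from.
BRAND_DOMAINS = {
    "aol": {"aol.com"},
    "norton": {"norton.com"},
}

def host_belongs_to(host, domains):
    """True only for an exact match or a real subdomain (label boundary).

    A substring test would accept lookalikes such as
    'aol.com.hacked-site.example' or 'notaol.com'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def red_flags(claimed_brand, page_brand, landing_url):
    """List the warning signs for a login link received by email.

    claimed_brand: brand the email says it is from
    page_brand:    brand shown on the login page behind the link
    landing_url:   URL of that login page
    """
    flags = []
    parts = urlsplit(landing_url)
    host = parts.hostname or ""   # hostname drops any 'user@' prefix
    if claimed_brand.lower() != page_brand.lower():
        flags.append("brand-mismatch")
    if parts.scheme != "https":
        flags.append("no-https")
    if not host_belongs_to(host, BRAND_DOMAINS.get(page_brand.lower(), set())):
        flags.append("off-domain-login")
    return flags

if __name__ == "__main__":
    # Constructed samples; '.example' hosts are placeholders, not real sites.
    samples = [
        ("Norton", "AOL", "http://hacked-site.example/AOL/login.php"),
        ("AOL", "AOL", "https://aol.com.hacked-site.example/login"),
        ("AOL", "AOL", "https://aol.com@hacked-site.example/login"),
        ("AOL", "AOL", "https://login.aol.com/"),
    ]
    for claimed, shown, url in samples:
        print(url, "->", red_flags(claimed, shown, url) or "no flags")
```

The second and third samples show why the host has to be parsed out of the URL and compared on a label boundary: both contain the string "aol.com" yet resolve to a different site.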
I have to wonder whether every recipient of these phishing emails is being redirected to a fake AOL login page. Could it be that the fake AOL link is only being sent to those who received the scam email at an @aol.com address?
Out of curiosity, I browsed to the parent directory on the hacked domain hosting the fake AOL login. Here’s what I found:
Aha! There’s another directory named Norton. Let’s see what it contains:
Now that’s closer to what I had expected to see in the first place from an email claiming to be from Norton.
Both forms – the fake AOL login and the fake Norton login – appear to collect a victim’s email address and password via a PHP script and then redirect the user to AOL or Norton’s homepage.
If you have fallen for this scam, be sure to change your email password immediately. If you use the same password across multiple sites, be sure to change your password at all other sites as well.