Sunday night, a series of tweets from security researcher @noarfromspace revealed a new variant of the OSX.Proton malware, spreading in a concerning new method—spoofing security company Symantec’s blog.
Apparently, it's a near mirror image of Symantec's actual blog, with matching pop-ups that can fool users into activating the malware on their machines.
Symantec's real blog URL: https://www.symantec.com/blogs/
Fake blog URL: symantecblog[dot]com
Malwarebytes has a nice blog post on this right now and how the site functioned.
When SecureWorld checked the fake site, the ISP had taken the site offline: