Spoofed Microsoft Outlook Critical Update spammed in email
As many folks realize, Microsoft does not distribute updates by email. However, Microsoft will alert users who have signed up for Patch Tuesday notifications that new updates are available.
In the links below, Trend Labs notes a highly deceptive email that contains authentic-looking HTML and valid Microsoft site links. Even the wording appears legitimate. The sender address is also spoofed to appear as if the message originated from "Microsoft Customer Support".
Fortunately, emails with spoofed headers often end up in the spam or bulk mail folders automatically. As Trend Labs notes, the best practice of hovering over email links would reveal a destination different from the one shown in the message.
Finally, when notified of any vendor updates it's always best to go to the vendor's home site and check directly (rather than using the email link). However, this particular attack could trick some users, as it bears some resemblance to a Microsoft security notification.
Trend Labs - “Critical Update” Leads to Critical Info Theft
http://blog.trendmicro.com/critical-update-leads-to-critical-info-theft/
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FZBOT%2EBTS&VSect=T
Spoofed “Critical Update” appears to originate from Microsoft
http://www.trendmicro.com/vinfo/images/blog/062209_fig1.gif
QUOTE: Microsoft Corporation regularly issues updates to fix bugs and security vulnerabilities in its software products. These updates are meant to protect its users from different attacks that depend mainly on exploiting these documented bugs. Close to the weekend, we identified spam claiming to be a Microsoft Outlook and Outlook Express critical update that “offers the highest levels of stability and security.”
A tricky difference here is that all the links in the email (the links to Contact Us, Privacy Statement, Trademarks, and Terms of Use) are legitimate–except one. The URL where the “critical update” may be downloaded looks legitimate, but hovering over the hyperlink (or checking the source code of the mail) reveals a totally different destination.
Our engineers confirm that the list contained several names of banking institutions, among other social networking targets like Facebook and MySpace, and media sites YouTube and Flickr. The list can be viewed here. Note that the said list may be changed at any time.
How does the scam work? Whenever the user visits any of the monitored sites, the Trojan starts logging keystrokes. It then saves gathered information (which presumably includes sensitive information like user name and password, credit card information, etc.) in a file and then sends the file to a dedicated server.
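The hover check recommended above, and the "check the source code of the mail" step in the quoted Trend Micro write-up, can be automated for a mail gateway or an analyst triage script: parse every anchor in the HTML body and flag any link whose visible text claims one host while its href points at another. The script below is an added example written for this post; it is not code from Trend Micro or from the original author. The HTML message is constructed to mirror the structure the post describes (legitimate Microsoft footer links plus one deceptive download link), and the domain update-host.example is a placeholder rather than an indicator taken from the page.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample mirroring the mail described in the Trend Micro post:
# the footer links are genuine microsoft.com URLs, while the "critical
# update" link shows a Microsoft URL as its text but its href goes elsewhere.
# "update-host.example" is a placeholder, not an indicator from the page.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Microsoft Outlook and Outlook Express Critical Update offers the highest
levels of stability and security.</p>
<p><a href="http://update-host.example/update.exe">
http://www.microsoft.com/downloads/</a></p>
<p><a href="http://www.microsoft.com/contactus/">Contact Us</a> |
<a href="http://privacy.microsoft.com/">Privacy Statement</a> |
<a href="http://www.microsoft.com/trademarks/">Trademarks</a> |
<a href="http://www.microsoft.com/info/cpyright.mspx">Terms of Use</a></p>
</body></html>
"""

# Matches anchor text that looks like a URL or bare domain, i.e. text that
# makes a claim about where the link goes. Plain words ("Contact Us") do not.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # None means "not inside an <a>"
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse newlines and runs of spaces inside the anchor text.
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def host_of(url):
    """Return the lower-cased hostname of a URL or bare domain string."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable(host):
    """Crude registrable-domain reduction (last two labels), enough to treat
    www.microsoft.com and privacy.microsoft.com as the same owner."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_deceptive_links(html):
    """Return links whose displayed URL text names a different domain than
    the href actually points to, which is exactly what hovering reveals."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not URL_LIKE.match(text):
            continue  # no URL claim in the visible text, nothing to compare
        shown, actual = host_of(text), host_of(href)
        if registrable(shown) != registrable(actual):
            findings.append({
                "shown": text,
                "actual": href,
                "shown_host": shown,
                "actual_host": actual,
            })
    return findings


if __name__ == "__main__":
    for finding in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print("DECEPTIVE LINK: text shows %s but href goes to %s"
              % (finding["shown_host"], finding["actual_host"]))
```

Only anchors whose visible text itself looks like a URL are compared, because a mismatch between "Contact Us" and a microsoft.com href is normal HTML, whereas a mismatch between a displayed microsoft.com URL and a different href host is precisely the deception the post describes. The registrable-domain reduction is deliberately simple; a production filter would use the Public Suffix List so that hosts under multi-label suffixes are grouped correctly.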