
Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

Spoofed Microsoft Outlook Critical Update spammed in email

As many folks realize, Microsoft does not distribute updates by email. However, Microsoft will alert users who have signed up for Patch Tuesday notifications that new updates are available.

In the links below, Trend Labs notes a highly deceptive email that contains authentic-looking HTML and valid Microsoft site links. Even the wording appears to be legitimate. The sender's email address is also spoofed to appear as if it originated from "Microsoft Customer Support".

Fortunately, email with spoofed headers often ends up in the spam or bulk mail folders automatically. As Trend Labs notes, the best practice of hovering over email links would reveal a destination different from the one shown in the document.

Finally, when notified of any vendor updates it is always best to go to the vendor's home site and check directly (rather than using the email link). However, this particular attack could trick some users, as it bears some resemblance to a Microsoft security notification.


Trend Labs - “Critical Update” Leads to Critical Info Theft

http://blog.trendmicro.com/critical-update-leads-to-critical-info-theft/

http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FZBOT%2EBTS&VSect=T


Spoofed “Critical Update” appears to originate from Microsoft

http://www.trendmicro.com/vinfo/images/blog/062209_fig1.gif


QUOTE: Microsoft Corporation regularly issues updates to fix bugs and security vulnerabilities in its software products. These updates are meant to protect its users from different attacks that depend mainly on exploiting these documented bugs. Close to the weekend, we identified spam claiming to be a Microsoft Outlook and Outlook Express critical update that “offers the highest levels of stability and security.”

A tricky difference here is that all the links in the email (the links to Contact Us, Privacy Statement, Trademarks, and Terms of Use) are legitimate–except one. The URL where the “critical update” may be downloaded looks legitimate, but hovering over the hyperlink (or checking the source code of the mail) reveals a totally different destination.

Our engineers confirm that the list contained several names of banking institutions, among other social networking targets like Facebook and MySpace, and media sites YouTube and Flickr. The list can be viewed here. Note that the said list may be changed at any time.

How does the scam work? Whenever the user visits any of the monitored sites, the Trojan starts logging keystrokes. It then saves gathered information (which presumably includes sensitive information like user name and password, credit card information, etc.) in a file and then sends the file to a dedicated server.

Comments

SARGE said:

Useful info.

With regard to

"best practice of hovering over email links would reveal a different one than shown in the document."

I noticed the real Microsoft link begins:

"http://update.microsoft.com"

However, in this instance they've snuck in "llik1i" after the word microsoft (as per below):

"http://update.microsoft.llik1i.com"

I'm guessing they chose l's, 1's and i's as they are the thinnest characters on a keyboard.

may they die horribly.

# June 23, 2009 10:23 AM
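The hover check the post recommends and the lookalike domain SARGE points out, as an added example that is not from the original post or its comments: it pulls each link out of an HTML mail body, compares the domain the visible link text shows with the domain the href really goes to, and judges trust by the registrable domain rather than by whether "microsoft" appears somewhere in the name. The trusted-domain set, the sample mail and the simplified two-label domain rule are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Assumption for this example: the only domain a genuine update notice should link to.
TRUSTED_DOMAINS = {"microsoft.com"}
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
# Visible link text that itself looks like a URL, so it can be compared with the href.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)

def registrable_domain(host):
    """'update.microsoft.llik1i.com' -> 'llik1i.com'. Simplified: assumes a one-label public
    suffix; production code should consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def host_is_trusted(host):
    # 'microsoft' appearing as a subdomain label proves nothing; only the registrable part counts.
    return registrable_domain(host) in TRUSTED_DOMAINS

def extract_links(html):
    """(href, visible text) for every anchor; inner tags are stripped from the text."""
    return [(href, re.sub(r"<[^>]+>", "", text).strip()) for href, text in ANCHOR.findall(html)]

def audit_links(html):
    """(href, reason) for each link that leaves the trusted domain or whose displayed URL
    names a different domain than its href (what hovering over the link would reveal)."""
    findings = []
    for href, text in extract_links(html):
        real = urlparse(href).hostname or ""
        if not host_is_trusted(real):
            findings.append((href, "untrusted-destination"))
        elif URL_LIKE.match(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable_domain(shown) != registrable_domain(real):
                findings.append((href, "text-href-mismatch"))
    return findings

# Constructed sample modelled on the mail described above: genuine footer links plus one
# download link whose visible text says update.microsoft.com but whose href does not.
SAMPLE_EMAIL = """<p>Install the critical update now:
<a href="http://update.microsoft.llik1i.com/outlook/update.exe">http://update.microsoft.com/outlook/update.exe</a></p>
<p><a href="http://www.microsoft.com/contactus/">Contact Us</a> |
<a href="http://privacy.microsoft.com/">Privacy Statement</a></p>"""

if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_EMAIL):
        print(reason, href)
```

Run against the sample mail it reports only the download link, because the footer links really do resolve under microsoft.com while the download href's registrable domain is llik1i.com.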

Filo Hirota said:

Good that I found this page. Otherwise, there is no way to know that the mail was spoofed. Is there any way that Microsoft could alert its users of this kind of danger?

# June 24, 2009 7:31 AM

Richard South said:

Thanks, that email is arriving with the current (25/06/09) date.

Your info has allowed me to issue a warning with confidence to my colleagues.

# June 25, 2009 4:08 AM