Fake Microsoft security bulletin in the wild


If you (or someone you know) receive an e-mail about a zero-day exploit affecting Microsoft Outlook, do not, under any circumstances, click on the links embedded in the message. It's a phishing scam, folks. The Security Bulletin (MS07-0065) it points to doesn't exist. And just because it can never be said too often, I'll say it again here. Microsoft does not alert users to security issues via e-mail. Ever. That's what Windows Update is for. Details from Sophos are available here.

In the closing paragraphs of their announcement, Sophos describes why this vector has become so popular for phishers and hackers – people have learned that patching their systems against exploits is part of their "job" in keeping their systems running properly but haven't yet completely grasped the potential vulnerability that awareness creates if they allow themselves to be duped into reacting to messages like this.

"Security bulletins from Microsoft describing vulnerabilities in their software are a common occurrence, and so it's not a surprise to see hackers adopting this kind of disguise in their attempt to infect Windows PCs," said Graham Cluley, senior technology consultant for Sophos. "The irony is that as awareness of computer security issues has risen, and the need for patching against vulnerabilities, so social engineering tricks which pose as critical software fixes are likely to succeed in conning the public."

In examples seen by Sophos experts, the emails have contained the recipient's full name, and the company they work for, in an attempt to lull users into a false sense of security.

"By using people's real names, the Microsoft logo, and legitimate-sounding wording, the hackers are attempting to fool more people into stepping blindly into their bear-trap," continued Cluley. "Users need to be on their guard against this kind of confidence trick or they risk handing over control of their PC to hackers with criminal intentions. They should also ensure that they are downloading Microsoft security updates from Microsoft itself, not from any other website."

Update: Well, a number of commenters have corrected me on my statement that Microsoft does not provide security alerts via e-mail. Apparently they do – on an opt-in subscription basis. And, apparently, the e-mails are PGP-signed (although, as the person who informed me of this pointed out, the vast majority of people don't have PGP installed). My best advice to those of you who prefer to be safe rather than sorry is to use Windows Update to check for any security (or performance-related) updates.
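
The two checks this advice implies (links must resolve to Microsoft's own domain, and the bulletin ID must be well-formed) can be automated for mail triage. This is an added example, not code from ZDNet, Sophos or Microsoft. It assumes `microsoft.com` is the only trusted domain and that genuine bulletin IDs have the shape MSyy-nnn, like the MS07-022 cited in the comments; the sample e-mail is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_SUFFIXES = ("microsoft.com",)        # assumption: the only trusted domain
BULLETIN_ANY = re.compile(r"\bMS\d{2}-\d+\b")  # anything that looks like a bulletin ID
BULLETIN_OK = re.compile(r"MS\d{2}-\d{3}")     # assumption: real IDs are MSyy-nnn

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_is_trusted(url):
    # .hostname drops userinfo, so "microsoft.com@198.51.100.7" yields the IP.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def triage(html_body):
    """Return a list of (finding, value) tuples for one HTML e-mail body."""
    findings = []
    parser = LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        if not host_is_trusted(href):
            # Visible text naming Microsoft while the target is elsewhere is worse.
            kind = "deceptive-link" if "microsoft" in text.lower() else "untrusted-link"
            findings.append((kind, href))
    for bulletin in sorted(set(BULLETIN_ANY.findall(html_body))):
        if not BULLETIN_OK.fullmatch(bulletin):
            findings.append(("malformed-bulletin-id", bulletin))
    return findings

# Constructed sample modelled on the description above; not a captured message.
SAMPLE = """<p>Dear Jane Doe (Example Corp),</p>
<p>Security Bulletin MS07-0065 fixes a zero-day in MICROSOFT OUTLOOK.</p>
<a href="http://update.microsoft.com.example.net/bulletin/MS07-0065">http://www.microsoft.com/technet/security</a>
<a href="https://www.microsoft.com/security">Microsoft Security</a>"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A clean result only means these two checks passed; it does not authenticate the sender, which is what the PGP signature on the genuine subscription e-mails is for.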


Talkback

9 comments
  • emailed alerts

    "Microsoft does not alert users to security issues via e-mail. Ever."

    Yes, they do send out alerts via e-mail and have for years now. I just got one Tuesday about an update to patch MS07-022.
    themp
    • Um I think they announced there was an updated version

      Don't think they tell you that you need to update as MS Update takes care of that. Probably semantics. ;)
      D0gmeat
    • If you subscribe to security mailing lists...

      ...then you get updates about upcoming patches via e-mail. There are two versions of the newsletter, one for IT pros, the other for consumers. The e-mail messages contain links to the respective Microsoft Security bulletins.
      Ed Bott
  • Bro man, that is incredible. It's the C++ hackers that are doing this.

    Incredible. When will this ever stop.

    Geo
    GeoMartinez
    • C++ hackers couldn't care less

      Just to be able to find such security flaws you'd have to be able to read assembly code. I don't think any C++ hacker (who have really big wages) would waste his/her time on reading assembly.

      M.B.
      http://www.guacosoft.com
      mbabuskov
  • email alerts

    All I know is I get e-mail alerts (bulletins) about new patches that have come out. So to say that Microsoft won't send out alerts via email is not correct.
    themp
    • Yes, MS does send alerts

      Something to note about MS email alerts is that they're sent by subscription (which is likely that you have subscribed if an attacker has your name and company and presumably thinks you're in a position to install updates from an email), and that they're PGP signed (but how many people have PGP installed, and check the signature before clicking on the link?).
      me@...
  • Writing style is terrible

    You'd think that the people behind this would at least try to have a professional writing style that matches Microsoft's real security bulletins. Typos and spelling "MICROSOFT OUTLOOK" in caps just screams fake. (Unfortunately it's still convincing enough for novice users...)
    PB_z
    • Even worse wording...

      "Since then, more than 100,000 machines have been reported as exploited and used to promote spammy pharmacy products such as Viagra and Cialis."

      Ummm, "spammy?" and "pharmacy?" That doesn't sound like it would be MS wording at all.

      (One of my co-workers got this.)

      But the big deal here is where did they get the information in the email from, namely our company and even his email address (he reportedly doesn't get spam at this address.) It also listed a license key (we didn't bother checking for a match).

      Dan
      Dan__