Spammers release hoax Microsoft security bulletin

Sophos has warned of a 'clever' social-engineering attack which cons users into thinking they have received a genuine security alert.

Security vendor Sophos has warned of the presence of spoofed Microsoft security bulletins.

Emails with the subject line "Microsoft Security Bulletin MS07-0065" were sent by spammers on Wednesday morning to thousands of companies in the US and the UK.

Once users click on a link, they are taken to one of many websites hosting a piece of malicious code that Sophos is calling "Mal/Behav-112".

The security company said that, although antivirus products will now have been updated, users' machines could still become compromised if the compromised websites are made to point to a zero-day exploit.

"This is clever social engineering," said Sophos' senior technology consultant Graham Cluley. "The emails are addressed to the person by name, and a spurious licence key is given to make the emails seem more trustworthy."

The latest real Microsoft security advisory is MS07-0035.