Security Labs

Alerts

BOOKMARK THIS ALERT
  digg   |     del.icio.us   |     reddit
  newsvine   |     furl   |     technorati

Onslaught of fake Microsoft patch spam

Date:06.30.2008

Threat Type: Malicious Web Site / Malicious code

Websense® Security Labs™ ThreatSeeker™ Network has discovered a substantial number of spam messages utilizing a reliable social engineering trick that lures users to download a Microsoft critical security update.

The intercepted emails typically look like the following:

The message uses an open redirect at the legitimate shopping site shopping.***.com; the redirect forwards users to a malicious URL offering to download a malicious executable. The malicious hostname is a lengthy one embedding 62 characters, and uses the sub-domain update.microsoft.com. Users who open this file will have their desktop infected with a Backdoor.

Here is what the redirect looks like inside the spam messages: hXXp://shopping.***.com/go.nhn?url=hXXp%3A%2F%2Fupdate%2Emicrosoft%2Ecom%2E<removed>%2Enet

An interesting trait of this particular attack is that the malicious top level domain is pointing to the government site of the United States Secret Service - The Electronic Crimes Tasks Forces Web site in an apparent attempt to work around IP reputation-based systems.

We have detected email lures containing links to this site spreading rapidly through our Websense Hosted Email Security and Websense Email Security products.

It is important to add that Microsoft never sends security update notifications through emails.

Websense Messaging and Websense Web Security customers are protected against this attack.