Not to be confused with our alert last Thursday, spammers seem ready to pounce on the press attention towards the recent out-of-band release of MS10-002 to scare users into downloading fake updates via email. We have been seeing messages pushing a Microsoft update via a link. The messages spoof the From: address which shows as Microsoft Office, and in an effort to further legitimize these messages and broaden their attack targets, the messages also contain Italian and French translations. The content in the messages actually refers to MS10-001, and the second paragraph of the message is a direct scrape from the executive summary for that bulletin. The URL in the spam messages leads to a file called "update2010.scr" which currently has low detection rates.
Screenshot of spam message:
The site hosting these fake updates is located in the Netherlands, and we have also seen that it's hosting the same file, under a different extension, called "update2010.exe". The icon of the file, once downloaded, is also believable:
Remember that Microsoft won't ever send messages for Windows updates, so please don't download and run this file. This probably won't be the only lure of this kind, so be diligent and remember not to click on links from unsolicited emails.
Websense® Messaging and Websense Web Security customers are protected against this attack.
Security Researcher: Chris Astacio