
June 28th, 2007

Fake Microsoft security bulletin in the wild

Posted by Marc Orchant @ 5:53 am

Categories: Microsoft, Microsoft Office, Windows

Tags: Security, Vulnerability, Sophos Plc., Microsoft Corp., Phishing, Hacker, Marc Orchant

If you (or someone you know) receive an e-mail about a zero-day exploit affecting Microsoft Outlook, do not, under any circumstances, click on the links embedded in the message. It’s a phishing scam, folks. The Security Bulletin (MS07-0065) it points to doesn’t exist. And just because it can never be said too often, I’ll say it again here. Microsoft does not alert users to security issues via e-mail. Ever. That’s what Windows Update is for. Details from Sophos are available here.

In the closing paragraphs of their announcement, Sophos describes why this vector has become so popular for phishers and hackers – people have learned that patching their systems against exploits is part of their “job” in keeping their systems running properly but haven’t yet completely grasped the potential vulnerability that awareness creates if they allow themselves to be duped into reacting to messages like this.

“Security bulletins from Microsoft describing vulnerabilities in their software are a common occurrence, and so it’s not a surprise to see hackers adopting this kind of disguise in their attempt to infect Windows PCs,” said Graham Cluley, senior technology consultant for Sophos. “The irony is that as awareness of computer security issues has risen, and the need for patching against vulnerabilities, so social engineering tricks which pose as critical software fixes are likely to succeed in conning the public.”

In examples seen by Sophos experts, the emails have contained the recipient’s full name, and the company they work for, in an attempt to lull users into a false sense of security.

“By using people’s real names, the Microsoft logo, and legitimate-sounding wording, the hackers are attempting to fool more people into stepping blindly into their bear-trap,” continued Cluley. “Users need to be on their guard against this kind of confidence trick or they risk handing over control of their PC to hackers with criminal intentions. They should also ensure that they are downloading Microsoft security updates from Microsoft itself, not from any other website.”

Update: Well, a number of commenters have corrected me on my statement that Microsoft does not provide security alerts via e-mail. Apparently they do – on an opt-in subscription basis. And, apparently, the e-mails are PGP-signed (although, as the person who informed me of this pointed out, the vast majority of people don’t have PGP installed). My best advice to those of you who prefer to be safe rather than sorry is to use Windows Update to check for any security (or performance-related) updates.
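As an added example (not from this post or from Sophos), here is a small Python triage check for a message that claims to be a Microsoft security bulletin. It flags links whose host falls outside an allowlist, link text that names Microsoft while the target does not, and bulletin IDs that break the three-digit MSyy-nnn numbering Microsoft used; the allowlist, function names and sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts the reader accepts as Microsoft-operated; adjust to local policy.
TRUSTED = ("microsoft.com", "windowsupdate.com")
# Microsoft bulletin IDs were numbered MSyy-nnn, with a three-digit sequence.
BULLETIN = re.compile(r"\bMS(\d{2})-(\d+)\b")

class LinkCollector(HTMLParser):  # collects (href, visible text) pairs from a mail body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_trusted(url):
    """True only if the URL's host is a trusted domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def review(html_body):
    """Return findings for a message that claims to be a Microsoft bulletin."""
    findings, parser = [], LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        if urlsplit(href).scheme in ("http", "https") and not is_trusted(href):
            findings.append(f"link leaves Microsoft domains: {href}")
            if "microsoft.com" in text.lower():  # text names Microsoft, target does not
                findings.append(f"link text does not match target: {text!r}")
    for yy, seq in BULLETIN.findall(html_body):
        if len(seq) != 3:
            findings.append(f"malformed bulletin id: MS{yy}-{seq}")
    return findings

# Constructed sample modelled on the message described above; example.net is a placeholder.
SAMPLE = """<p>Microsoft Security Bulletin MS07-0065</p>
<a href="http://update.microsoft.com.example.net/update">www.microsoft.com/downloads</a>
<a href="https://www.microsoft.com/technet/security/">Security home</a>"""
if __name__ == "__main__":
    print("\n".join(review(SAMPLE)))
```

The suffix match in `is_trusted` is what catches a host such as `update.microsoft.com.example.net`, which a plain substring test for "microsoft.com" would accept.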

Marc Orchant has been building, testing, and sometimes breaking hardware and software for 25 years. See his full profile and disclosure of his industry affiliations.

  • Talkback
  • Most Recent of 9 Talkback(s)
C++ hackers couldn't care less
Just to be able to find such security flaws you'd have to be able to read assembly code. I don't think any C++ hacker (who have really big wages) would waste his/her time on reading assembly.

M.B.
http://www.guacosoft.com... (Read the rest)
Posted by: mbabuskov Posted on: 06/29/07
emailed alerts  themp | 06/28/07
Um I think they announced there was an updated version  D0gmeat | 06/28/07
If you subscribe to security mailing lists...  Ed Bott, ZDNet Moderator | 06/28/07
Bro man, that is incredible. It's the C++ hackers that are doing this.  GeoMartinez | 06/28/07
C++ hackers couldn't care less  mbabuskov | 06/29/07
email alerts  themp | 06/28/07
Yes, MS does send alerts  me@... | 06/28/07
Writing style is terrible  PB_z | 06/28/07
Even worse wording...  Dan__ | 06/28/07
