Have you received an email seemingly from Microsoft’s security team telling you to “Update your Windows”? Have you been sent a file called KB453396-ENU.zip and told to run it on your Windows computer?
Well, think twice before following the instructions.
Cybercriminals are up to their old tricks, spreading malware disguised as a critical security patch from Microsoft.
In the current example, they’ve spammed out an email containing a worm, which even quotes the real name of a senior member of Microsoft’s security team – Steve Lipner – to try to fool you into believing it is genuine.
The emails have a subject line of “Update your Windows” and contain the following text:
Of course, Mr Lipner has nothing to do with the emails and Microsoft never distributes security updates via email attachments. Nevertheless, there have been a series of attacks that have abused his name in the past.
With so much effort being taken by the cybercriminals to hoodwink unsuspecting computer users, though, you would have thought they would not have made an elementary mistake in their forged email header. The messages we’ve seen claim to come from no-reply@microsft.com.
That’s right. “microsft”.
SophosLabs has added detection of the malware as W32/Autorun-BMF, and in addition the ZIP file is detected as Mal/BredoZp-B.
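A misspelled sender domain like the one above is something a mail filter can check for mechanically. The Python sketch below is an added example, not Sophos code: the trusted-domain list, the distance threshold and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains this organisation treats as genuine Microsoft senders.
TRUSTED_DOMAINS = {"microsoft.com"}

# Constructed sample based on the sender address quoted in the article.
SAMPLE = (
    "From: Microsoft Security <no-reply@microsft.com>\n"
    "Subject: Update your Windows\n"
    "\n"
    "(constructed body)\n"
)

def edit_distance(a, b):
    """Edits (insert, delete, substitute, swap neighbours) to turn a into b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def sender_domain(raw_message):
    """Domain part of the From header, lower-cased; '' if there is none."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""

def classify_sender(raw_message, max_distance=2):
    domain = sender_domain(raw_message)
    if not domain:
        return "no-sender"
    registrable = ".".join(domain.split(".")[-2:])  # naive: ignores co.uk-style suffixes
    for trusted in sorted(TRUSTED_DOMAINS):
        if registrable == trusted:
            # Name matches only; From is forgeable, so SPF/DKIM/DMARC still decide.
            return "trusted-name"
        if min(edit_distance(domain, trusted), edit_distance(registrable, trusted)) <= max_distance:
            return "lookalike:" + trusted
    return "unrelated"

if __name__ == "__main__":
    print(sender_domain(SAMPLE), "->", classify_sender(SAMPLE))
```

A "trusted-name" result means only that the spelling matches; it does not show the message really came from that domain.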
Thank you SO much for your continued efforts!! You do untold GOOD to people who are diligent, yet unsuspecting when it comes to Microsoft!!
When scammers and spammers finally learn to spell (or spell check), I guess we’ll all be in trouble..
@Damien, it's not just the spelling. The diction in general tends to come across as sounding like "Peggy" (the overseas customer support guy) in the credit card commercials on TV.
Just go to Start and Windows Update there to get all your Windows and Microsoft updates. I never trust anything I see in emails.
Hey Graham,
Nice work. Damien and Tim nailed it. This is forcing my hand to craft a future post on poor writing in social engineering e-mails as the first line of defense against cyber criminals.
No telling if this is an English as a Second Language issue, a grammar-check and spell-check are turned off problem, or e-mailers being so tweaked on Ketamine and code that they can’t muster up a coherent thought much less a coherent sentence, but the proof is in the words.
“Please notice that the Microsoft company…”
“Please notice, that present update applies…”
“If nothing changes after you run the file, probably in the settings of the OS you have an indication to,” etc. (whoosh!)
If it reads like “Peggy” from the Visa commercials, it probably is. Oh…and the .exe is another dead giveaway.
To a social re-engineering of end-users in 2011 to read, think and question before the click or download.
Cheers,
Mark
Thanks Graham, picked this story up from your twitter feed the other day! Great information as always.
Thanks
Olly
Of course, perhaps it is a somewhat "good" thing there are malevolent actors around. After all, where would our good friend Graham be if there weren't security problems? Hmmm… maybe he'd have to write some little devils just to keep us smart. Sorry, no he wouldn't. I'm sure he'd be developing all sorts of gut-busting games with no solutions. Achhh….where are the flappertanknibbles now?
I am not able to even access the Microsoft website after a number of worms/viruses.. not sure what the differences are.
These started after I started to receive pop-ups from what looked like Microsoft.
You should check your computer with an up-to-date anti-virus.
Maybe your PC was infected by a fake anti-virus that presented itself as though it were Microsoft. Possibly some malware is blocking access to the real Microsoft website.
Of course, it might be something else entirely – but better to be safe than sorry.
This happened to me… I couldn't even get to sign in page. I had to do a recovery to get past this… be careful!!