Sophos Cloud Optix
If you received an email, apparently from Microsoft, claiming to be about “Important Changes to Microsoft Services Agreement” would you trust it?
From the naked eye, after all, it looks professionally presented, has Microsoft’s funky new logo.. what could be wrong with this? (Feel free to click below for a larger version if you want to take a closer look.)
Part of the email reads as follows:
Message body:
We've updated the Microsoft Services Agreement , which governs many of our online services - including your Microsoft account and many of our online products and services for consumers, such as Hotmail, SkyDrive, Bing, MSN, Office.com, Windows Live Messenger, Windows Photo Gallery, Windows Movie Maker, Windows Mail Desktop and Windows Writer. Please read over the new Microsoft Services Agreement in the attached file to familiarise yourself with the changes we've made.
The updated agreement will take effect on 19 October, 2012. If you continue to use our services after 19th October, you agree to the terms of the new agreement or, of course you can cancel your service at any time.
We have modified the agreement to make it easier to read and understand, including using a question and answer format that we believe makes the terms much clearer. We also clarified how Microsoft uses your content to better protect consumers and improve our products, including aligning our usage to the way we're designing our cloud services to be highly integrated across many Microsoft products. We realise you may have personal conversations and store personal files using our products, and we want you to know that we prioritise your privacy.
The text of the email *is* apparently genuine, as there was an actual Microsoft message – dated August 27 – that can be viewed here.
The clue which should ring your alarm bells about this latest email, however, comes in the attached file: Microsoft-Services-Agreement.pdf.exe.
To those lacking in caution (or indeed, those Windows users who haven’t told their operating system to show filenames in full) the attached file might appear to be an Adobe PDF document rather than an executable file.
But sure enough, it is an EXE file. And it will embed itself as a backdoor Trojan horse in your Registry to automatically run on startup.
Nasty.
Of course, the emails were not sent by Microsoft at all. Cybercriminals have forged the email header to trick unsuspecting users into believing the communication is legitimate, and click on the attached file.
So, don’t be fooled by fancy fonts, trustworthy names and bland corporate-style emails like the above. Not all malware threats are spammed out posing as scandalous videos of Olympic gymnasts or a pigtail-wearing young woman who claims she went to school with you.
Sophos products detect the malware used in this attack as Troj/Backdr-HG.
I sent a query concerning this to Sophos on August 30 immediately after receiving the counterfeit notification from Microsoft. It didn't look or sound right to me.
Chester Wisniewski replied (in 37 mins) to my one word query, "Legit?" with "Appears so."
Good thing I decided to follow my own instincts, eh?
But did the one you received in August, have a .pdf.exe attachment?
I believe the wording is based on a genuine email from Microsoft – the bad guys have added the malware as a nasty side dish.
The ones that were going around in August had the same wording as a previous Microsoft Service Agreement update like this one, but they didn't have a malicious attachment. They all had malicious links instead.
Usually these things are obvious because the English is so bad, but this one was very good apart from the British date format. But since I never signed an agreement with Microsoft, I'd have been suspicious about that. And I don't hide extensions, so I would have seen the .exe.
What raised alarm bells for me is the UK spelling of words such as “familiarise” and “prioritise.” A US-based company like Microsoft would use the American English spellings of “familiarize” and “prioritize.”
Dutch translation isn't that bad either! Very easy to fall for…
I received this same email into one of my Hotmail accounts , but with a slight change.
It has no attachment and where your one says "in the attached file" , mine just says "here" , which points to " http://email (dot) microsoft (dot) com (slash) Key-****.*.****.*.**.**** "
Links look legit but I dont think this would do much good because its not as if anyone would bother to read the T&C agreements 🙂
I received the 'legitimate' version only yesterday (dated Sept 16 2012)
Like above the last line of the first paragraph is "Please read over the new Microsoft Services Agreement here to familiarise yourself with the changes we've made. " where "here" is a link to the agreement, and not an attached file, but otherwise the wording matches.
I was a bit surprised with the "of course you can cancel your service at any time" line as I did not think that Microsoft would sound so condescending to their customers, but I supposed it is the times.
I received message with that subject, but I didn't notice any attachments. I was a little tired and only wondered why is Microsoft sending email to my old address, I changed my address when outlook.com gave option for it.
I received a message from microsoft(?) dated 09/11/12 which mentioned no attached file, but had a clickable “here”, which I did click on. The text was as shown. Should I be concerned?
I got 3 of these emails, one was legitimate and two of them contained the trojan.
My email was dated 1/9/2012 but I didnt open the link. It was listed as being from a trusted site – and had the green shield alongside it.
The wording matches but the punctuation in one spot is slightly different. In the first sentence, "We've updated the Microsoft Services Agreement," the legitimate email has no space between the word "Agreement" and the following comma and the underscoring does not extend to the comma. The forged email has a space there. It's a little difficult to see because of the underscoring which extends to include the comma.
Sorry, it should read, "extends to include the space before the comma."
Correction: The last sentence should read, "extends to include the space before the comma."
Please be patient w/me but I have a question re Java. I keep getting reminders that Java updates are available (for me to install) put out by Sunmicro Systems, Inc. Is Java still "virusy" or do I have the wrong end of the stick?? Many thanks for any advice.
Ok I am a bit computer dumb, I do have my settings to show full file extentions but without clicking on one of the blue links how can I see what the file name is? Can you tell I have received one of these e-mails, thank goodness I had not clicked on any of the links, I had saved the e-mail to look at later, I have now deleted it!