Microsoft "failed update" phish might well sound believable - watch out!

Filed Under: Featured, Microsoft, Phishing

We get an awful lot of spam in our spamtraps.

So it's easy to get inured to spam, if you spend lots of time looking at it for research purposes.

But from time to time we find spams that are interesting enough - or at least intriguing enough - to write about anyway, such as the time 30-year-old Alex (NS, ND, GSOH) from Ukraine tried to sell us his liver (or part of it, at least).

When spammers add sickening disrespect to their regular criminality, we sometimes can't sit on our hands about it, as when crooks used the aftermath of the Boston Marathon bombings to spread malware.

And occasionally we find an attempt at phishing that we grudgingly have to admit shows a resourceful sense of occasion.

We don't respect it, and we disapprove as much as ever, but we have to say, "That's not so far-fetched that you're bound to delete it without a second thought."

→ Phishing, don't forget, is where cybercrooks try to charm/trick/persuade/terrify you into logging in to verify/check/win/dispute something such as a username/setting/iPad/invoice... only for you to realise, once you've put in your username, password and other details and clicked [Submit], that you were on an imposter site all along.

As you've probably heard, and perhaps experienced first hand if you are a Windows user, Microsoft's Patch Tuesday updates have suffered some clumsiness lately.

In September, some updates turned up over and over (or "over and over and over", as one reader put it) until Microsoft pushed out updates to the updates and things settled down.

So this email, though not exactly expected, isn't outrageously obviously bogus at first sight, and might even relate to problems you've experienced recently:

Windows Installer package update is required to automatically eliminate obsolete patches in your sequence of patches as a report on our server indicates an error code (0x700) as a result of a failed update

Every installer sequence patch is being linked to an email account. Fill in the error code and other details to automatically fix this error

The link you're asked to follow should be outrageously obviously bogus, however, since it neither links to Microsoft, nor uses HTTPS (secure HTTP):

The lack of HTTPS is cast into harsh relief when what looks like an official Microsoft login screen appears, where you would expect a secure page:

In short, be careful with emails you weren't expecting, and be sure to check that the details add up - in this example, the missing HTTPS and the curious domain name don't add up at all.

If in doubt, leave it out!

, , ,

You might like

22 Responses to Microsoft "failed update" phish might well sound believable - watch out!

  1. dmjameus · 724 days ago

    I have NEVER opened an email from microsoft in regards to my computer... all my updates are automatic and I have never had an issue with any of them that I have had to resolve. I do not open links from anyone I don't personally know and even then I am highly suspicious of links that I get in my email account. I will always question them!!!!

  2. Michael N · 724 days ago

    Really appreciate this site! Im curious though: why don't you post subject lines or header info for these types of things so we can adjust our spam filters?

    • Paul Ducklin · 724 days ago

      The subject line and sender info isn't much to go on - we'd rather try to get people thinking about the overall issue of "what makes it a phish regardless of the subject line" - but here you go.

      This from the sample I looked at:

      Subject: Important Fix Info
      To: Windows <>
      From: <>

      • Michael N · 724 days ago

        Thanks Paul. What about the header info showing which malicious email server is sending? Do you find that the IP is spoofed so often that trying to block by MX record IP is like shoveling rain?

        Granted, the people are the target here so education and information goes along way but in the meantime if these phishing emails are coming into an organization, its not 1 at a time. We'll typically see a ton coming in all at once until we crack open a header and block the IP.

        Might it be useful to your readers to share that info so we can proactively block?

        • Paul Ducklin · 723 days ago

          Looks like an ISP's mail server relaying mail for an arbitrary customer (presumably zombified).

          Not much help in giving you the IP number - the next sample you'd see would most likely be from somewhere else entirely - so, hey, let's allow the customer/ISP to sort themselves out without naming and shaming them :-)

          (Seems a bit unfair to single out *one* sender from the whole campaign and write up their IP number publicly, for a spam campaign that's happened already. Probably not a big deal either way, but I'm more comfortable giving the victim the benefit of the doubt.)

      • BobBentBike · 724 days ago

        Thanks, Paul. The concept is important, but the subject line is what I can search for in my email logs to see if any of my users got a similar message.

        • Paul Ducklin · 723 days ago

          With hindsight, sure, I ought to have included the subject line in the screenshot.

          Usually I do just that, if only for visually clarity that it's an email (not a web page) we're looking at.

          Next time...

          • Michael N · 723 days ago

            Paul thanks for the reply. What you say makes sense re: IP address.

  3. ngyikp · 724 days ago

    That's the old Microsoft logo too ;p

    • Paul Ducklin · 724 days ago

      Maybe the crooks thought that XP users would see the new logo as bogus, and so deliberately used the old one :-)

  4. Glen · 724 days ago

    I like your last line and everyone should heed it,"When in doubt,leave it out."

  5. Jake · 724 days ago

    The clunky phrasing in the original messsage, the little grammar errors, and the use of British rather than American English spelling are also good clues that none of this is from Redmond.

    • English Grammer · 722 days ago

      Yep, them yanks don't speak the mother tongue, that's true.

  6. "Unauthorized users are strictly forbidden"

    Seems legit.

  7. Afam · 724 days ago

    I got one purportedly sent by Outlook Team recently. They claimed that my hotmail account will be blocked unless it was verified within 48hrs. I was suspicious from onset and when I clicked on the link to update my email, I was redirected to another site. That was when i knew I was treading on a dangerous ground. Meanwhile, I thank the Naked Security team for educating us on online dangers.

  8. The also misspelled "Authorized" at the bottom.

    • Clare McKee · 723 days ago

      That would be the British spelling! We don't use a zed for authorise ! Therefore, it would look ok to us in the UK at that point. I wouldn't have known you guys spell it differently!

      • Paul Ducklin · 723 days ago

        Ironically, the Oxford Dictionary folks always seem to have preferred (and recommended) the -z- spelling.

        And that most definingly English (in the sense of the country and the language) of publications, the so-called "King James" Bible of 1611, is still formally known as the Authorized Version (check out the flyleaf, even of one that was printed this year), from the fact that it was originally denoted as "Authorized to be Read in Churches."

        So we most certainly can, may and do use a -z- for authorize if we so choose - and with Royal, errrrrm, authorisation!

        PS. I didn't notice it. I saw "authorise" and my eyes told my brain, "that's correct, no further consideration required."

  9. gene · 724 days ago

    Well, October's fixes were a disaster for a lot of people. Me included this time. I can see how spammer's might get the idea to use Microsoft's ineptness against them. Everyone else does, why not spammers too?

  10. Roger · 723 days ago

    'Authorised' is not a misspelling, but an alternative not used in the USA, thus would never be used by Microsoft.

  11. Roger · 723 days ago

    Paul, Both Oxford and Cambridge University Presses and a number of English publishing houses use the '-ize' verb suffix, which goes back to the Ancient Greek verb suffix '-izein', hence '-ize'. I don't know why '-ise', used in French, was adopted in the UK, Australia, New Zealand and others, but it may be because '-ise',is the only choice for a number of words, for example 'supervise', which comes from Latin and means literally 'watch over', which makes it easier to use '-ise' all the time.

    • Paul Ducklin · 723 days ago

      I was taught (or at least, once told in passing by a teacher on a day that obviously didn't have much else in it to amuze me) that it all began when English started pretending it was a Romance language - something to do with 1066 and all that.

      So-called inceptive verbs adopted from Greek got zeds (from -idzein, as you say) while those from Latin got esses (from -scere). But that logic falls down all over the place, and faced with government bodies officially called "Organisations" in every country in which I've ever lived, I just "essed up" my life. It meant never having to remember if it was -z- ever again. I think I took that tip from the great Sir Ernest Gowers.

      I even write "baptise," though many people treat it as a special case, since it's from a Latin word that itself copied the -z- from Greek.

      The relevance of all this to the article is, hmmmm - give me a moment, I'll come up with something - ah, yes, is that orthographic minutiae aren't anywhere near as obvious or as helpful in spotting phishes as dodgy domain names.

      The hacked website's name in this case (I greyed it out) couldn't have been mistaken for the word "microsoft" even by the most liberal-minded philologist.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog