Fake Microsoft patch spam makes rounds

Share this article:
A new spam attack falsely alerts users to download a Microsoft patch, but when responded to, the user is directed to a page that installs malware on the user's computer.

According to a report from security provider Websense, the message tells users that their Windows version is vulnerable to a critical security issue and directs them to a download page. The link actually uses an open redirect to a legitimate shopping site. From there, the redirect forwards users to a URL with a pop-up box, instructing the user to click “yes” to start the download, Dan Hubbard, chief technology officer at Websense, told SCMagazineUS.com on Wednesday.

“It's a deception attack, where it is made to look like a Microsoft update and the user has to take action, rather than an exploit where the user gets infected without saying yes to the download,” Hubbard said.

The downloaded malware infects the computer with a backdoor that can be exploited by hackers Hubbard said. However, the spam is easy to spot because Microsoft does not send email notifications about patch updates.

One of the more interesting aspects to this spam, Hubbard said, is the actual root of the domain name used – it will take the user to the U.S. Secret Service website.

“We believe they are doing that because some security products only look at the top-level domain name, rather than look at the whole name,” Hubbard explained. “In this case, the security product would see it was going to the Secret Service and let it go.”

Avivah Litan, Gartner vice president and distinguished analyst, said this is just more proof that cybercriminals are getting smarter.

“The people sending out the spam are figuring out how to avoid the filters or reputation systems,” she said.  

It is just one more instance that shows the need for stronger authorization on the Internet, she said.
Share this article:

Sign up to our newsletters

More in News

Cyber Command tests gov't collaboration in wake of attacks

The two-week exercise, "Cyber Guard 14-1," was completed this month.

Text message spammer settles charges filed by FTC

Text message spammer settles charges filed by FTC

Rishab Verma and his company agreed to settle charges filed by the FTC that Verma sent millions of spam text messages that deceitfully promised free merchandise.

Rhode Island hospital to pay $150K for past data breach

More than 12,000 patients' personal and health information was compromised in a breach at The Women & Infants Hospital of Rhode Island.