Fake Microsoft patch spam makes rounds

Share this article:
A new spam attack falsely alerts users to download a Microsoft patch, but when responded to, the user is directed to a page that installs malware on the user's computer.

According to a report from security provider Websense, the message tells users that their Windows version is vulnerable to a critical security issue and directs them to a download page. The link actually uses an open redirect to a legitimate shopping site. From there, the redirect forwards users to a URL with a pop-up box, instructing the user to click “yes” to start the download, Dan Hubbard, chief technology officer at Websense, told SCMagazineUS.com on Wednesday.

“It's a deception attack, where it is made to look like a Microsoft update and the user has to take action, rather than an exploit where the user gets infected without saying yes to the download,” Hubbard said.

The downloaded malware infects the computer with a backdoor that can be exploited by hackers Hubbard said. However, the spam is easy to spot because Microsoft does not send email notifications about patch updates.

One of the more interesting aspects to this spam, Hubbard said, is the actual root of the domain name used – it will take the user to the U.S. Secret Service website.

“We believe they are doing that because some security products only look at the top-level domain name, rather than look at the whole name,” Hubbard explained. “In this case, the security product would see it was going to the Secret Service and let it go.”

Avivah Litan, Gartner vice president and distinguished analyst, said this is just more proof that cybercriminals are getting smarter.

“The people sending out the spam are figuring out how to avoid the filters or reputation systems,” she said.  

It is just one more instance that shows the need for stronger authorization on the Internet, she said.
Share this article:

Sign up to our newsletters

More in News

In Cisco probe, misuse or compromise spotted on all firms' networks

In Cisco probe, misuse or compromise spotted on ...

Cisco analyzed the business networks of 30 multinational companies last year, and revealed the findings in its 2014 Annual Security Report.

Fareit trojan observed spreading Necurs, Zbot and CryptoLocker

The Necurs and Zbot trojans, as well as CryptoLocker ransomware, has been observed by researchers as being spread through another trojan, known as Fareit.

Post Heartbleed, tech giants join initiative to bolster open source

Post Heartbleed, tech giants join initiative to bolster ...

The newly formed Core Infrastructure Initiative, created to boost under-funded open source projects, will tackle OpenSSL first.