Cyber criminals are exploiting Microsoft updates in an email scam designed to send users to bogus sites.

A mass spamming of emails, claiming to be from update@microsoft.com, sends users to a fake site that uses images stolen from a real Microsoft website.

Some anti-spam experts are worried that email passes through traditional spam filters and could easily fool users.

"The email won't be picked up through anti-spyware software because the .exe file does not contain spyware signatures that would be used to identify it as potentially harmful," said Martino Corbelli marketing director at email filtering company Surfcontrol. "Anti-spyware software tends to scan URLs and attachments in suspicious emails, but because none of the recognised spyware signatures are present in the .exe here, there's no way this approach could identify the threat."

When users click on links found at the bogus websites they will inadvertently download a trojan.

"This criminal campaign exploits the public's rising paranoia about the security of their Windows computers. If users fall for it they may put themselves at risk of being spied upon or having their credit card and online banking details stolen," said Graham Cluley, senior technology consultant at anti-virus company Sophos. "Users must be very careful to be sure they are going to the official update websites, rather than just following links in emails which have been sent by hackers."

Earlier this week SC reported Microsoft's major security update, Windows XP Service Pack 2, had only been rolled-out by 23 percent of enterprise businesses. The company is also pursuing 117 phishers through the law courts under trademark law. (See report here).

www.microsoft.com
www.surfcontrol.com
www.sophos.com