According to a report from security provider Websense, the message tells users that their Windows version is vulnerable to a critical security issue and directs them to a download page. The link actually uses an open redirect to a legitimate shopping site. From there, the redirect forwards users to a URL with a pop-up box, instructing the user to click “yes” to start the download, Dan Hubbard, chief technology officer at Websense, told SCMagazineUS.com on Wednesday.
“It's a deception attack, where it is made to look like a Microsoft update and the user has to take action, rather than an exploit where the user gets infected without saying yes to the download,” Hubbard said.
The downloaded malware infects the computer with a backdoor that can be exploited by hackers Hubbard said. However, the spam is easy to spot because Microsoft does not send email notifications about patch updates.
One of the more interesting aspects to this spam, Hubbard said, is the actual root of the domain name used – it will take the user to the U.S. Secret Service website.
“We believe they are doing that because some security products only look at the top-level domain name, rather than look at the whole name,” Hubbard explained. “In this case, the security product would see it was going to the Secret Service and let it go.”
Avivah Litan, Gartner vice president and distinguished analyst, said this is just more proof that cybercriminals are getting smarter.
“The people sending out the spam are figuring out how to avoid the filters or reputation systems,” she said.
It is just one more instance that shows the need for stronger authorization on the Internet, she said.