The Johns Hopkins Federal Credit Union

Computer Virus

From CNET News:
Fake Microsoft e-mail contains Trojan virus (October 14, 2008 8:10 PM PDT)

Along with the vulnerabilities that Microsoft patched Tuesday, the software giant's customers have a new problem to grapple with: a fake notification e-mail that looks remarkably legitimate.

Attackers are apparently taking advantage of Microsoft's Patch Tuesday to send legitimate-looking e-mails that include a Trojan virus. Trojan.Backdoor.Haxdoor allows attackers to execute files and steal information from compromised computers. The fake mailing includes a legitimate-looking PGP signature, as well as purporting to come from a real Microsoft employee.

Christopher Budd, a security program manager in the Microsoft Security Response Center, offers this perspective on the e-mails in a security posting:

"We received some questions from customers about an e-mail that's circulating that claims to be a security e-mail from Microsoft. The e-mail comes with an attached executable, which it claims is the latest security update, and encourages the recipient to run the attached executable so they can be safe. While malicious e-mails posing as Microsoft security notifications with attached malware aren't new (we've seen this problem for several years) this particular one is a bit different in that it claims to be signed by our own Steve Lipner and has what appears to be a PGP signature block attached to it. While those are clever attempts to increase the credibility of the mail, I can tell you categorically that this is not a legitimate e-mail: it is a piece of malicious spam and the attachment is malware. Specifically, it contains Backdoor:Win32/Haxdoor."

Dancho Danchev at ZDNet's Zero Day ponders whether the timing of this malware campaign will affect its success rate.

"Compared to the recent targeted malware attack against U.S. schools, and the massive fake CNN news items campaign taking advantage of client-side vulnerabilities, this one is definitely going to have a lower success rate--no matter the timing," Danchev writes.

Source: http://news.cnet.com/8301-1009_3-10066541-83.html; Posted by Steven Musil, (accessed 10-17-08).

Keep your computer up to date

Check to see if you need updates for your hardware or your devices:

Microsoft: http://www.update.microsoft.com/


Identity Theft

"Phishing" E-Mail Targets Credit Union Members

In the past, some of our members have received fraudulent e-mails claiming to be from JHFCU. The e-mails claim that you have been locked out of your account and want you to verify your identity, but they are really scams trying to steal your identity. There are some indicators you can look out for to tell whether an e-mail is from a legitimate source, like JHFCU or the National Credit Union Administration (NCUA), or from people scamming for your personal information.

If you receive an e-mail from a seemingly legitimate organization, which may include an authentic-looking sender address and/or official organization logos, look at it closely for the following tell-tale signs of phishing:

  • The e-mail asks for your personal account information and threatens negative action if you don’t provide it.
  • The e-mail is generically addressed or uses phrases that don’t make sense.
  • The e-mail includes a link that it says you must click on.

If you suspect the e-mail is fraudulent, contact the purported sender to verify its authenticity. DO NOT respond to the e-mail or click on any of its links. The Credit Union keeps a running list of phishing e-mails that appeared to be from us, but did not actually come from JHFCU. To view these e-mails, click here. You may also read our identity theft article (PDF), which includes information about phishing and ways to protect your personal information.

Get information about the availability of the Federal Trade Commission’s online guidance regarding steps to protect against identity theft.


"Vishing"

First there was “phishing,” where potential thieves would try to get your personal information by sending you a fake e-mail claiming to be from a legitimate financial institution or company, like PayPal. Now scam artists have come up with a similar ruse, known as “vishing,” which is basically phishing by phone.

Vishing scams come in two varieties. The first is conducted solely by phone. A consumer is called, usually by an automated dialer, and told that the privacy of their credit card or bank account has been compromised. They are then told to call back a certain number immediately to “verify” their information.

The second type of vishing is just like the first, except that the intended victim gets an e-mail instead of a call. The message is like that of a phishing e-mail, but instead of clicking on a link, the person is asked to call a certain number.

Either way, when the consumer calls the number, they reach an automated voice response system that asks the consumer to enter things like their account number, password, birth date, and Social Security number. As the unsuspecting consumer enters the information on their keypad, the crook records their keystrokes.