News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
Topic: (Another) Bogus MS Security Update Circulates
« on: May 18, 2005, 10:26:23 »
AplusWebMaster (Global Moderator)

"Not again?!" Yep, again..

- http://www.techweb.com/wire/security/163105391
May 18, 2005
"...Official-looking e-mail...

Microsoft has been the butt of so many such hoaxes that it's posted a lengthy document, "How to Tell if a Microsoft Security-Related Message is Genuine," on its Web site. The document includes a screenshot of an earlier edition of the same bogus e-mail."
- http://www.microsoft.com/security/incident/authenticate_mail.mspx



This machine has no brain.
....... Use your own.
Browser check for updates here.
« Reply #1 on: June 28, 2005, 19:12:36 »
AplusWebMaster (Global Moderator)

FYI...yep, another one:

- http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=228
June 28, 2005
"Websense® Security Labs™ has received reports of a new wave of email scams disguised as Microsoft Security Bulletins. Users receive an email message which urges the immediate installation of a cumulative security patch. Users who execute the Trojan become infected with an SDBot variant, which is currently undetected by major anti-virus vendors. This Trojan/Bot allows complete unauthorized access to the machine.
>>> Sample email body:
"Microsoft Security Bulletin MS05-039: New patch against W32/Sober, W32/Zafi, W32/Mytob.
Issued: June 26, 2005
Updated: June 26, 2005
Version: 1.0
Summary
Who should read this document: Customers who use Microsoft Windows
Maximum Severity Rating: CRITICAL ..."


>>> Please note that MS05-039 does not yet exist.
« Reply #2 on: November 08, 2005, 20:02:44 »
AplusWebMaster (Global Moderator)

FYI...

- http://www.websensesecuritylabs.com/ale...lertID=330
11/7/2005
"Websense® Security Labs(TM) has received reports of a new email scam disguised as a Microsoft Security Update for the recent Plug and Play vulnerability. Users receive a spoofed message requesting that they download a critical patch for MS-05-479* in order to be protected from hackers and viruses.
Upon clicking the included URL they are directed to a fraudulent website hosted in Canada, which was up and running at the time of this alert. The site uses screenshots of the real Microsoft security update site. Included is a link to the patch which is a program called "plugandplayfix.exe". The website URL is hosted on a machine which appears to have been compromised and simply has an IP address followed by:
http://<IP address removed>/update.microsoft.com/windowsupdate/v6/plugandplayfix.exe
Upon execution the Trojan Horse opens a backdoor on the machine, connects to an IRC channel, and modifies several system variables..."

*(No such patch exists)

>>> http://www.microsoft.com/athome/security/email/ms_genuine_mail.mspx
"...Microsoft sends e-mail messages to subscribers of our security e-mail notification services when we release information about a security software update or security incident. Unfortunately, malicious individuals can and have sent fake e-mail notifications that appear to be from Microsoft, a tactic known as spoofing. Some of these messages lure recipients to Web sites to download malicious code, while others include a file attachment that contains a virus..."

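The lure in the 11/7/2005 alert quoted above puts `update.microsoft.com` in the URL path while the real host is a bare IP address. The following is an added example (not part of the original posts or the Websense alert) of a link check for that pattern; it also covers the related case where the trusted name is only a prefix of an untrusted hostname. The trusted-domain list, the finding labels and the sample URLs (with 192.0.2.10 standing in for the removed address) are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: domains treated as genuine Microsoft update hosts.
TRUSTED_SUFFIXES = ("microsoft.com", "windowsupdate.com")
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".bat", ".cmd", ".msi")

def host_is_trusted(name):
    """True only if name is a trusted domain or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in TRUSTED_SUFFIXES)

def link_findings(url):
    """Return the reasons a link claiming to be a vendor update looks spoofed."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if host_is_trusted(host):
        return findings  # the host really is under a trusted domain
    try:
        ipaddress.ip_address(host)
        findings.append("host-is-ip-literal")
    except ValueError:
        # e.g. update.microsoft.com.example.net: trusted name, untrusted suffix
        if any(f".{s}." in f".{host}." for s in TRUSTED_SUFFIXES):
            findings.append("trusted-name-in-untrusted-host")
    segments = [seg.lower() for seg in parts.path.split("/") if seg]
    # A path segment shaped like a trusted hostname only imitates the real site.
    if any(host_is_trusted(seg) for seg in segments):
        findings.append("trusted-name-in-path")
    if segments and segments[-1].endswith(EXECUTABLE_EXTS):
        findings.append("executable-download")
    return findings

# Constructed sample links; 192.0.2.10 is a documentation address.
SAMPLES = [
    "http://192.0.2.10/update.microsoft.com/windowsupdate/v6/plugandplayfix.exe",
    "http://update.microsoft.com/windowsupdate/v6/default.aspx",
    "http://update.microsoft.com.example.net/fix.exe",
    "http://www.example.org/news/index.html",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", link_findings(url) or "no findings")
```
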
« Reply #3 on: November 11, 2005, 13:17:35 »
AplusWebMaster (Global Moderator)

FYI...

- http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=336
November 11, 2005
"Websense® Security Labs™ has received reports of an email scam disguised as a Microsoft Security Update for Explorer.exe. Users receive a spoofed email message instructing them to click on a link to immediately download and install a bugfix from Microsoft.
The link in the email takes the user to a fraudulent website, designed to appear as the legitimate Microsoft Windows update site. The security update hosted on this page is actually a backdoor Trojan horse. Upon execution, the backdoor sends an HTTP request with the IP address of the infected computer and then waits for a connection from the malware author.
The site hosting the malicious file is in the United States, the site where the IP address is reported is hosted in Germany. Both were online at the time of this alert..."

(Phishing site screenshot shown at URL above.)

>>> http://www.microsoft.com/security/incident/authenticate_mail.mspx
