That Service Agreement E-mail From Microsoft May be a Fake

Researchers are warning enterprises about a new phishing campaign that uses a Microsoft e-mail template.

Internet Storm Center, a security firm, announced its findings over the Labor Day weekend. According to Russ McRee, a researcher with the firm, the e-mail campaign mimics Microsoft's "Important Changes to Microsoft Services Agreement and Communication Preferences" in its attempts to exploit the Java flaw that was publicly demonstrated last week.

In a company blog post, McRee wrote that instead of linking to a legitimate Microsoft site, the "phishing mail will instead include a hyperlink to the likes of allseasons****.us, radiothat****.com, and likely a plethora of others."

The redirects take users to Web sites hosting the Blackhole exploit toolkit that was recently updated to include the Java exploit. Thanks to the toolkit, a user need to visit the malicious Web site only once to have the malware downloaded and installed -- no user action is needed.

A Microsoft product manager with the user name "Karla L" provided several tips for verifying if an e-mail was sent by the company.

"If you received an email regarding the Microsoft Services Agreement update and you're reading your email through the Hotmail or web UI, the legitimate email should have a Green shield that indicates the message is from a Trusted Sender. If the email does not have a Green shield, you can mark the email as a Phishing scam.  Do not click through the links in the email if you are not sure it is safe."

A handful of security software firms have also added the malicious e-mail into its database. Symantec Endpoint Protection has labeled this phishing scam as "Trojan.Maljava!Gen23."

Oracle released an update last week for the zero-day flaw that can allow attackers to modify the level of privileges on a targeted machine. According to an earlier survey conducted by security firm Rapid7, only 38 percent of Java users update their systems to the latest version within six months of an update's release. That means the vast majority of the Web-based plugin users are currently at risk.

To update to the latest version of Java (version 7, update 7), follow this link.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Must Read Articles