Cartel | SCAM: Important Changes to Microsoft Services Agreement
Important Changes to Microsoft Services Agreement and Communication Preferences
If you get an email like this, 2 out of 3 you're getting scammed and even hovering on a link will infect you.
M$ tells you to hover the links to make sure they are legit, don't do it.
quote: What's worse is that hovering over the link to check the "real" link (which was close to what DanPC noted) and just viewing it in preview was sufficient for a malware attack which was blocked and quarantined by MSE (Trojan:JS/BlacoleRef.AP) after I was alerted to perform a Clean. So it was not just a scam or spam or phishing effort, but a malicious and subtle malware attack!!
This is a very serious situation. All need to be considered dangerous and deleted and only the link you provided in your post used. I've no idea how to get the word out and prevent harm to a great many people. Not everyone is setup as secure as I am and will not thwart the attack.
»answers.microsoft.com/en-us/wind···78cf3498 |
Cartel | Blackhole targeting Java vulnerability via fake Microsoft Services Agreement email
quote: Don't trust it.
"We're receiving multiple reports of a phishing campaign using the template from a legitimate Microsoft email regarding Important Changes to Microsoft Services Agreement and Communication Preferences.
The legitimate version of this email is specific to a services agreement seen here, per a change to Microsoft services as of 27 AUG.
The evil version of this email will subject victim to a hyperlink that will send them to a Blackhole-compromised website, which will in turn deliver a fresh Zeus variant.
I'll walk you through the full sample set I analyzed. Susan sent us an email including the following header snippet:
Received: from [101.5.162.236] ([101.5.162.236]) by inbound94.exchangedefender.com (8.13.8/8.13.1) with ESMTP id q7VFDPjO029166
A legitimate header snippet:
Received: from smtpi.msn.com ([65.55.52.232]) by COL0-MC3-F43.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900)
101.5.162.236 is in China, 65.55.52.232 is Microsoft.
The legitimate email will include a hyperlink for »email.microsoft.com/Key-9850301.···K.DlNkNK, which points to the above mentioned services agreement.
Obfuscated to protect the innocent: The phishing mail will instead include a hyperlink to the likes of allseasons****.us, radiothat****.com, and likely a plethora of others. I assessed radiothat****.com and was redirected to 209.x.y.14 which is running the very latest Blackhole evil as described on 28 AUG by Websense in this post.
Source code review of the web page served included
The VirusTotal link for Leh.jar is here, and the VirusTotal link for the Zeus variant offered is here.
Recommendations:
1. Hover over hyperlinks and ensure they are directing you to legitimate sites before clicking. Be cautious even thereafter.
2. Contemplate disabling Java until the next update is released.
3. Review email headers if in doubt for messages you receive that seem suspicious.
4. Keep your antimalware signatures up to date. While limited at the moment, detection for both the Java exploit and the Zeus variant is increasing.
Ping us with questions or comments, as well as anything you'd like to share regarding similarly received emails from this phishing campaign"
quote: Recommendations:
1. Hover over hyperlinks and ensure they are directing you to legitimate sites before clicking. Be cautious even thereafter.
not good advice |
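One way to apply recommendation 3 the way the quoted analysis does: parse the Received: chain, take the hop written by the first relay the message touched, and compare the host that handed the message over against the domain the From: line claims. This is an added example, not code from the thread or the ISC diary it quotes; the trusted-mailer table, the top relay hops, the 192.0.2.x addresses and the From: lines are assumptions, while the two bottom Received: lines are the ones quoted above.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Assumption for this example: which mailer domains a given From: domain uses.
TRUSTED_MAILER_DOMAINS = {"microsoft.com": ("msn.com", "microsoft.com")}
# "from <helo-name> ([<ip>])" as the receiving relay writes it.
HOP_RE = re.compile(r"from\s+(\S+)\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)", re.I)

# Constructed samples: the second Received: line of each is the one quoted in
# the post; the top relay hop, its 192.0.2.x address and the From: line are made up.
PHISH = """\
Received: from inbound94.exchangedefender.com ([192.0.2.10]) by mail.example.net
Received: from [101.5.162.236] ([101.5.162.236]) by inbound94.exchangedefender.com
 (8.13.8/8.13.1) with ESMTP id q7VFDPjO029166
From: Microsoft <no-reply@microsoft.com>
"""
LEGIT = """\
Received: from COL0-MC3-F43.Col0.hotmail.com ([192.0.2.20]) by mail.example.net
Received: from smtpi.msn.com ([65.55.52.232]) by COL0-MC3-F43.Col0.hotmail.com
 with Microsoft SMTPSVC(6.0.3790.4900)
From: Microsoft <no-reply@microsoft.com>
"""

def originating_hop(raw_message):
    """(helo_name, ip) of the oldest Received: hop; relays prepend, so it is last."""
    msg = message_from_string(raw_message)
    for hop in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(hop.split()))  # unfold the header first
        if m:
            return m.group(1).strip("[]"), m.group(2)
    return None

def _in_domain(host, domains):
    return any(host.lower() == d or host.lower().endswith("." + d) for d in domains)

def assess(raw_message):
    """Flag a message whose From: domain we know but whose first hop is not its mailer."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hop, reasons = originating_hop(raw_message), []
    if hop is None:
        reasons.append("no parseable Received: hop")
    else:
        helo, ip = hop
        if helo == ip:
            reasons.append("first hop identified itself only by an IP literal")
        expected = TRUSTED_MAILER_DOMAINS.get(from_domain)
        if expected and not _in_domain(helo, expected):
            reasons.append(f"From: says {from_domain} but first hop is {helo} [{ip}]")
    return {"from": from_domain, "hop": hop, "reasons": reasons,
            "verdict": "suspicious" if reasons else "consistent"}
```

The check only reads the hop written by a relay you trust; a sender can forge Received: lines below that one, which is why the bottom-most hop is taken from the trusted relay's own record of who connected to it.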
Mele20 | reply to Cartel: How could hovering on a link infect you?
Just use the Proxomitron which gives you a toggle switch for Java. |
MSeng | reply to Cartel: I read through that whole thread and I don't see where Microsoft tells you to hover over links. I see where a contributor to the thread does. Susan Bradley is not an employee of Microsoft.
You should get your facts straight.
Here is a specific post from a Microsoft employee telling you how to identify it as legit:
"Thank you everyone for continuing to reply on this thread to alert us to a possible problem. If you received an email regarding the Microsoft Services Agreement update and you're reading your email through Hotmail or Outlook.com, the legitimate email should have a Green shield that indicates the message is from a Trusted Sender. If the email does not have a Green shield, you can mark the email as a Phishing scam.
For Hotmail, select the message. Click the chevron next to the Mark as button to display the drop down list of options. Select Phishing scam.
For Outlook.com, select the message. Click on the chevron next to the Junk button to display the drop down list of options. Select Phishing scam.
If you received a suspicious notification through another service, such as Gmail, please forward the notice to *** Email address is removed for privacy ***. " -- A)bort, R)etry, I)nfluence with large hammer. |
Cartel | said by MSeng: I read through that whole thread and I don't see where Microsoft tells you to hover over links. I see where a contributor to the thread does. Susan Bradley is not an employee of Microsoft.
You should get your facts straight.
Susan Bradley Member since February 22, 2008
Community Moderator - Windows |
MSeng | Once again -- she is not an employee of Microsoft.
»msmvps.com/blogs/bradley/about.aspx
Amongst other things, she is a moderator in a forum. 
-- A)bort, R)etry, I)nfluence with large hammer. |
siljaline | I've made Sue Bradley aware of this thread.
She should be by to answer some of the questions asked here.
As for the changes to the MS TOS you'll find the revised version Here |
reply to MSeng | said by MSeng: Amongst other things, she is a moderator in a forum.
For a long time there have been users who think moderators are employees of, or only influenced by, the owners of a product. You may have to listen to the owners and make informed decisions on questions asked due to your responsibility for the forum you are moderating, but it still does not make you an employee of the company because of it.
I wish this issue would be expelled once and for all; it would make at least a third of "crap posting" disappear, I would think, and make for better forum discussions. -- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
Cartel | reply to Cartel: Just don't open the link or hover on it. |
banditws6 | reply to Cartel: Wow. This is the first I've heard of malware being delivered just by hovering over a link in an email, though knowing how JavaScript works, it makes perfect sense and I guess I'm surprised it hasn't been tried before.
Since I don't use webmail, and my email client (Thunderbird) does not allow Javascript execution in mail content, presumably I do not have to worry about the hover event as an entry vector? -- "The counsel of fools is all the more dangerous the more of them there are." -Ólafr Höskuldsson |
reply to MSeng | Thank gawd I don't work for Microsoft. I think I'd go postal over Win8.
Anyway, I volunteer as a moderator, I'm not an employee for sure. |
red2 | I'm getting confused.
It has often been suggested in security forums to hover over links to actually see where they will lead you. So if you are not supposed to open them and not supposed to hover over them, just how do you know what address they lead to and whether they are legit or not?
In my wife's LiveMail account, which she reads in their webmail interface, this particular mail is marked by LiveMail as "Trusted Sender" with a green icon. Now what is the purpose of LiveMail using such a system if they can't even tell what emails come from them?
I received my email in Outlook Express and via Properties -> Details, it looked fake to me. I assume that is a safe procedure unless that too now poses an issue. |
Mele20 | READ ALL MAIL ONLY IN PLAIN TEXT AND DON'T USE THE PREVIEW PANE. Using HTML to read email and using the Preview Pane was how the guy in the thread got infected with merely "hovering" over the urls. He did not follow safe hex regarding email.
Plus, of course, do what you have mentioned to any piece of mail that you are suspicious about: Properties/details. You cannot get infected that way as you have not opened the email.
The real problem, and Microsoft is very much a culprit here, is that so much email these days is unreadable if using plain text. Microsoft emails have been like that for some time now. You are forced to turn on HTML to read them. At least, with OE, questionable pictures, etc. are not downloaded when you turn on HTML and you have to override to get those downloaded. So there is some protection. But the best protection was when Microsoft emails were readable in Plain Text! I just about stopped all my Microsoft subscriptions because nothing can be read now in Plain Text. If I wanted a website view, I wouldn't subscribe to newsletters in the first place! They should all be readable in Plain Text. That goes for most other companies these days that no longer allow their emails to be read in Plain Text. -- When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson |
kingdome74 | reply to Cartel: For whatever reason, the one I received Google Mail sent straight to "Spam", hence the links were shut off. |
MSeng | reply to red2, said by red2: In my wife's LiveMail account, which she reads in their webmail interface, this particular mail is marked by LiveMail as "Trusted Sender" with a green icon. Now what is the purpose of LiveMail using such a system if they can't even tell what emails come from them?
I received my email in Outlook Express and via Properties -> Details, it looked fake to me. I assume that is a safe procedure unless that too now poses an issue.
The mail your wife received was legitimate. From a previous post:
If you received an email regarding the Microsoft Services Agreement update and you're reading your email through Hotmail or Outlook.com, the legitimate email should have a Green shield that indicates the message is from a Trusted Sender.
Without knowing what you saw in the mail properties (headers) of the mail received through Outlook Express, it is difficult to determine if yours was legit too. -- A)bort, R)etry, I)nfluence with large hammer. |
red2 | Mele, I've always read all mail in Outlook Express as plain text and disabled the preview function. But for someone like my wife who reads it in webmail, I can only use the security options that the webmail interface provides. I believe it is limited to turning off html.
As you stated, I receive many mails that are unreadable in OE as plain text. That's the first issue. Second, many like MS use confusing mailbox addresses. So one is left to guess if an account like @mail.miscrosoft.com is legit or not.
Mseng, in the web interface the mail did have the green verification shield. However, in OE I don't remember seeing anything.
I sent the mail I received as an attachment to phishing.org. And while I still have my email with the attachment, if I try to save the attachment as an eml file, from what I can tell, OE provides no way to check its properties again. |