Rogue Microsoft Services Agreement emails lead to latest Java exploit
Hackers created a malicious version of a legitimate Microsoft email announcement
IDG News Service - Hackers are distributing rogue email notifications about changes in Microsoft's Services Agreement to trick people into visiting malicious pages that use a recently circulated Java exploit to infect their computers with malware.
"We're receiving multiple reports of a phishing campaign using the template from a legitimate Microsoft email regarding Important Changes to Microsoft Services Agreement and Communication Preferences," Russ McRee, security incident handler at the SANS Internet Storm Center, said Saturday in a blog post.
The rogue email messages are copies of legitimate notifications that Microsoft sent out to users to announce changes to the company's Services Agreement that will take effect Oct. 19.
However, in the malicious versions of the emails, the correct links have been replaced with links to compromised websites that host attack pages from the Blackhole exploit toolkit.
Blackhole is a tool used by cybercriminals to launch Web-based attacks that exploit vulnerabilities in browser plug-ins like Java, Adobe Reader or Flash Player, in order to install malware on the computers of users who visit compromised or malicious websites.
This type of attack is known as a drive-by download and is very effective because it requires no user interaction to achieve its goal.
Blackhole was recently updated to include a new exploit for Java 7 that appeared online last Monday. The links in the rogue Microsoft Services Agreement notifications point to Blackhole-infected websites make use of the new Java exploit to install a variant of the Zeus financial malware, McRee said.
Oracle released Java 7 Update 7 on Thursday to address the vulnerabilities targeted by this exploit.
The malicious Java applet used in this attack is detected by only eight of the 42 anitivirus engines available on the VirusTotal file scanning service. The Zeus variant has a similarly low detection rate.
The technique of creating malicious versions of legitimate email messages sent by trusted companies is very old. However, its continued use by cybercriminals suggests that it is still efficient.
"This email is a legitimate announcement regarding updates to the Microsoft Services Agreement and Communication Preferences," a Microsoft program manager for supporting mail technologies who identifies herself as Karla L, said on the Microsoft Answers website in response to a user inquiring about the authenticity of the email message.
However, she later acknowledged the existence of reports about malicious emails that use the same template. "If you received an email regarding the Microsoft Services Agreement update and you're reading your email through Hotmail or Outlook.com, the legitimate email should have a Green shield that indicates the message is from a Trusted Sender," she said. "If the email does not have a Green shield, you can mark the email as a Phishing scam."
Hovering over the links in the legitimate version of the email should point to locations on the microsoft.com domain. Anything else should be treated as suspicious.
Reviewing the email headers can also offer clues whether the email is legitimate. For example, some samples of this rogue email message come from an IP address in China, McRee said.
- Deep Security +VMware vSphere with Operations Management Most midsize organizations are highly virtualized on VMware, and while this has produced significant savings, it also has created new challenges when it...
- 3 Questions to Ask Your DNS Host about Lowering DDoS Risks Neustar has had wide-ranging conversations with clients wanting to know how they can optimize protection as DDoS attacks increase in frequency and size.
- The Danger Deepens: 2014 Neustar Annual DDoS Attacks and Impact Report This report compares DDoS findings from 2013 to 2012, based on a survey of 440 North American companies, including 139 businesses delivering technology...
- DDoS Infographic: How Are Attacks Evolving? For the third consecutive year, Neustar surveyed businesses across major industries to track the evolution of DDoS attacks. Are they more frequent? Larger?...
- How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks Threat sharing networks have been around for a long time, however they have typically been "invitation-only", available to only large companies, or those...
- An Incident Response Playbook: From Monitoring to Operations As cyber-attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. In this webcast, learn how to develop... All Malware and Vulnerabilities White Papers | Webcasts