New MS Security Phish



Edwaleni
07-09-2005, 11:53 PM
Listed below is a recent phish attempt I recv'd from someone attempting to be
Microsoft. It also included a file called "update82.exe" which is 104k.

I have not signed up for security updates. It came from the address
""Microsoft Security Section" <ynsmpitr@technet.msdn.net>"

********************************************************

Microsoft All Products | Support | Search | Microsoft.com Guide
Microsoft Home


Microsoft Partner

this is the latest version of security update, the "June 2005, Cumulative
Patch" update which eliminates all known security vulnerabilities affecting
MS Internet Explorer, MS Outlook and MS Outlook Express as well as three
newly discovered vulnerabilities. Install now to continue keeping your
computer secure. This update includes the functionality of all previously
released patches.


System requirements Windows 95/98/Me/2000/NT/XP
This update applies to MS Internet Explorer, version 4.01 and later
MS Outlook, version 8.00 and later
MS Outlook Express, version 4.01 and later
Recommendation Customers should install the patch at the earliest
opportunity.
How to install Run attached file. Choose Yes on displayed dialog box.
How to use You don't need to do anything after installing this item.

Microsoft Product Support Services and Knowledge Base articles can be found
on the Microsoft Technical Support web site. For security-related information
about Microsoft products, please visit the Microsoft Security Advisor web
site, or Contact Us.

Thank you for using Microsoft products.

Please do not reply to this message. It was sent from an unmonitored e-mail
address and we are unable to respond to any replies.
The names of the actual companies and products mentioned herein are the
trademarks of their respective owners.

Contact Us | Legal | TRUSTe
©2005 Microsoft Corporation. All rights reserved. Terms of Use | Privacy
Statement | Accessibility

Steven L Umbach
07-09-2005, 11:53 PM
Thanks for that info but note that this kind of malicious activity will
never stop. Best practice is to NEVER install an update that claims to be
from Microsoft via email or a link in an email. When in doubt always go to
Windows Update website. Good antivirus protection that scans all downloads
and email attachments is a must. --- Steve



Edwaleni
07-09-2005, 11:53 PM
This actually came in on my Yahoo account and the attachment was scanned by
Norton AV service provided by Yahoo Mail. It checked OK.


Bigbruva
07-09-2005, 11:53 PM
Just for the record, this is not a "phishing" attempt; it is an attempt to
trick you into running malware.
You did the right thing in not running it (MS do not send attachments like
this for anything!)
However if your AV scanner did not pick it up you should report it to them.
As you stated you are using Norton you should look here for info on how to
do this:
http://securityresponse.symantec.com/avcenter/submit.html

A great site to use to check files you are suspicious of is
http://www.virustotal.com/flash/index_en.html
They will scan the file with 18 AV scanners and report the results to you.

I have just received a classic "phishing" attempt on my gmail account which
I have included for those that are interested

<snip>

We recently have determined that different computers have logged into your
PayPal account, and multiple password failures were present before the
login. One of our Customer Service employees has already tryed to
telephonically reach you. As our employee did not manage to reach you, this
email has been sent to your notice.
Therefore your account has been temporarily suspended. We need you to
confirm your identity in order to regain full privileges of your account.
If this is not completed by June
44444444444444444444444444444444444444444444, 2005, we reserve the right to
terminate all privileges of your account indefinitly, as it may have been
used for fraudulent purposes. We thank you for your cooperation in this
manner.
To confirm your identity please follow the link below:

https://www.paypal.com/cgi-bin/webscr?cmd=_login-run

Thank you for your patience in this matter.

PayPal - Customer Service

Please do not reply to this e-mail as this is only a notification. Mail sent
to this address cannot be answered.

</snip>

Notice the URL, this was a false label which in fact looked like this, minus
the <CRAPTOBREAKLINK> label I added to stop anyone getting to these b@stards
site!:
www.paypal.com.international-transaction.info<CRAPTOBREAKLINK>/webscr.php?cmd=LogIn

See how they try to make the URL look real by using "www.paypal.com" to
start the line, but as URLs are read right to left by your computer this link
has nothing to do with PayPal; it is just another attempt to trick people
into giving the phishers their personal details.
If you get an email like this report it to the real site if you can, in the
case of PayPal you do this by forwarding the entire email - including the
header information - or the site's URL to spoof@paypal.com

I hope that helps


BB
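
The mismatch described in the post above (link text showing one host while the href points at another whose rightmost labels belong to a different site), as an added example that is not part of the original thread. The sample HTML is constructed, with the lookalike host moved onto the reserved .example TLD, and site_of() is a simplifying assumption that takes the last two labels instead of consulting the Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_of(text):
    """Hostname if text looks like a bare or full URL, else None."""
    text = text.strip()
    if not text or any(c.isspace() for c in text):
        return None                  # ordinary link text such as "Contact Us"
    if "://" not in text:
        text = "//" + text           # lets urlsplit parse "www.site.tld/path"
    host = urlsplit(text).hostname
    return host.lower().rstrip(".") if host and "." in host else None

def site_of(host):
    # Assumption: last two labels stand in for a Public Suffix List lookup.
    return ".".join(host.split(".")[-2:])

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href, self.label, self.findings = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.label = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self.href is not None:
            self.label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            shown, actual = host_of("".join(self.label)), host_of(self.href)
            if shown and actual and site_of(shown) != site_of(actual):
                self.findings.append((shown, actual, site_of(actual)))
            self.href = None

def audit(html):
    parser = LinkAuditor()
    parser.feed(html)
    return parser.findings

# Constructed sample: one deceptive link, one honest link, one plain-text label.
SAMPLE = """
<a href="http://www.paypal.com.international-transaction.example/webscr.php?cmd=LogIn">https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a>
<a href="https://www.paypal.com/help">www.paypal.com/help</a>
<a href="http://www.paypal.com.international-transaction.example/contact">Contact Us</a>
"""

print(audit(SAMPLE))
```

Each finding is a tuple of the host shown in the link text, the host the link really goes to, and the site that real host belongs to.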



N. Miller
07-09-2005, 11:53 PM
On Wed, 1 Jun 2005 11:00:24 -0700, Bigbruva wrote:

> As you stated you are using Norton...

He did not state that he was using Norton:

"...the attachment was scanned by
Norton AV service provided by Yahoo Mail."

I constantly see attachments get through the Yahoo! Mail virus scanner.
There is nothing the user can do about it.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

Bigbruva
07-09-2005, 11:53 PM
Good point I had missed that, however the local AV scanner should catch the
ones that get past the Yahoo Web service.
Edwaleni, if you do not have a local AV scanner then please look into
getting one ASAP

Have a look here for a list of free trials you can use to select your
favorite
http://www.microsoft.com/athome/security/downloads/default.mspx

You could also look at some of the free ones (for Home use) that are
available from:

http://www.avast.com/eng/down_home.html

or

http://free.grisoft.com/doc/2/lng/us/tpl/v5

Good luck

BB


Edwaleni
07-09-2005, 11:53 PM
Thanks to all for your comments and suggestions.

As one who has faced this stuff for years, it is long gone. I only posted
here to let the community know it was floating around. I have used AV
products since 1991 and am well protected from viral, malware and social
attacks such as this.


