Computer users are warned about a widespread attempt to infect e-mail recipients by sending a warning about a bogus Microsoft security patch.
The e-mails, which have the subject line "Microsoft Security Bulletin MS07-0065" (a number that does not even follow Microsoft's MSyy-nnn bulletin format), pretend to come from Microsoft and claim that a zero-day vulnerability has been discovered in the Microsoft Outlook e-mail program. They go on to warn recipients that "more than 100,000 machines" have been exploited via the vulnerability in order to promote medications such as Viagra and Cialis.
The phoney e-mail encourages users to download a patch, claiming that it will fix the problem and prevent them from being attacked by hackers. However, clicking the link in the e-mail does not take users to Microsoft's website, but to one of many compromised websites hosting a Trojan horse.
"It doesn’t come as a surprise to see hackers adopting this kind of disguise in their attempt to infect Windows PCs as security bulletins from Microsoft describing vulnerabilities in their software are a common occurrence," says Brett Myroff, CEO of master Sophos distributor, NetXactics.
"It is, however, ironic that as awareness of computer security issues and the need for patching against vulnerabilities have risen, so social engineering tricks which pose as critical software fixes are likely to succeed in conning the public."
In examples seen by Sophos experts, the e-mails have correctly displayed the recipient's full name and the company they work for, in an attempt to lure users in.
By using people's real names, the Microsoft logo, and legitimate-sounding wording, the hackers are attempting to fool more people into stepping blindly into their bear-trap.
"Users need to guard against this kind of confidence trick or they risk handing over control of their PC to hackers with criminal intentions.
"They should also ensure that they are downloading Microsoft security updates from Microsoft itself and not from any other website," says Myroff.
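Two of the lure's traits described above can be checked mechanically: the bulletin identifier in the subject line does not fit Microsoft's MSyy-nnn numbering, and the "patch" link does not resolve to a Microsoft domain even though the sender claims to be Microsoft. The script below is an added example written for this page, not code from Sophos, NetXactics or Microsoft. It assumes a constructed sample message (invented hostname and recipient) and an assumed allow-list of microsoft.com and windowsupdate.com as the only legitimate update sources; the suffix match is deliberate so that a look-alike such as www.microsoft.com.something.invalid is rejected.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message in the style the article describes; not a real captured e-mail.
# The hostname, recipient and company are invented for this example.
SAMPLE_EMAIL = b"""From: Microsoft Security <security@microsoft.com>
To: Jane Doe <jane.doe@example.com>
Subject: Microsoft Security Bulletin MS07-0065
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Jane Doe (Example Corp),</p>
<p>A zero-day vulnerability in Microsoft Outlook has been used to exploit
more than 100,000 machines. Install the patch below immediately.</p>
<p><a href="http://www.microsoft.com.security-patch.invalid/MS07-0065/patch.exe">Download patch</a></p>
</body></html>
"""

# Genuine Microsoft bulletin identifiers are MSyy-nnn: two-digit year, three-digit sequence number.
BULLETIN_RE = re.compile(r"\bMS(\d{2})-(\d+)\b")

# Assumed allow-list of domains from which Microsoft updates are served.
TRUSTED_DOMAINS = ("microsoft.com", "windowsupdate.com")


class LinkExtractor(HTMLParser):
    """Collect every href from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.links.append(value.strip())


def bulletin_id_is_well_formed(subject):
    """True only if the subject carries an MSyy-nnn identifier with exactly three sequence digits."""
    m = BULLETIN_RE.search(subject)
    return bool(m) and len(m.group(2)) == 3


def host_is_trusted(host):
    """Exact or dot-suffix match: 'update.microsoft.com' passes, 'microsoft.com.evil.invalid' does not."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def analyse_message(raw_bytes):
    """Return a list of findings; an empty list means none of the lure traits were seen."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = str(msg["subject"] or "")
    findings = []

    match = BULLETIN_RE.search(subject)
    if match and not bulletin_id_is_well_formed(subject):
        findings.append(f"subject cites a malformed bulletin id: {match.group(0)}")

    # The From header is trivially forged, so only use it to detect the mismatch
    # between a claimed Microsoft sender and links that go somewhere else.
    sender_domain = parseaddr(str(msg["from"] or ""))[1].rpartition("@")[2]
    claims_microsoft = host_is_trusted(sender_domain)

    body = msg.get_body(preferencelist=("html", "plain"))
    extractor = LinkExtractor()
    extractor.feed(body.get_content() if body else "")

    for link in extractor.links:
        parsed = urlparse(link)
        if not host_is_trusted(parsed.hostname):
            findings.append(f"link leaves Microsoft domains: {parsed.hostname}")
            if claims_microsoft:
                findings.append("sender claims a Microsoft address but links elsewhere")
        if parsed.path.lower().endswith((".exe", ".scr", ".zip")):
            findings.append(f"link points directly at an executable download: {parsed.path}")
    return findings


if __name__ == "__main__":
    for finding in analyse_message(SAMPLE_EMAIL):
        print("SUSPICIOUS:", finding)
```

Run against the constructed message, the script reports four findings: the four-digit bulletin number, the link host outside the allow-list, the mismatch between the claimed sender and that host, and the direct .exe download. Genuine bulletins link to Microsoft's own site rather than attaching or linking an executable, which is why the last check is worth keeping even when the domain check is satisfied.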