Fraudsters Copy Legitimate Microsoft Email Days Later in Phishing Scam

Phishing scams can often be convincing, and a recent case of a phishing campaign emulating a legitimate Microsoft email about changes to their Services Agreements just days after the real emails were sent out underscores how quick fraudsters are able to adapt and capitalize on opportunities to deceive consumers.


On August 27th Microsoft sent a legitimate email to many users of Hotmail and other Microsoft web services about changes to their Services Agreement. On September 1st phishing emails that copy the text and format of this email were reported, only the links in the phishing emails directed to sites that installed malware rather than a copy of the new Services Agreement. If visited, the malicious sites linked in the phishing campaign will attempt to execute a Zeus variant malware that has so far realized a high success rate by exploiting vulnerabilities in Java 7 that were only recently patched. But according to a Polish security form, Security Explorations, even this patch could be circumvented and the malware could still be installed.


The Zeus variant malware kit, known as the Blackhole Exploit Kit, can be purchased by fraudsters in the black market and was recently updated to exploit the Java vulnerability. The malware is effective because by exploiting vulnerabilities in web browser plug-ins, such as Flash or Java, it is often able to execute the malware without user approval or interaction. Additionally, the Java applet used in the attack has a low detection rate with only 8 of 42 antivirus screening engines detecting it.


This Blackhole malware and Java exploit has been used in other recent phishing campaigns, but the notice of update to Microsoft’s Services Agreements for Hotmail and other services provided an opportunity for fraudsters to impersonate Microsoft with a convincing and timely phishing attack. Microsoft posted an explanation on their Q&A forums that there are both legitimate and scam emails circulating while providing tips on how to differentiate the two, and with the Java vulnerabilities being exploited by malware multiple security firms and professionals have recommended consumers temporarily disable Java to protect themselves. But Hotmail users, who are more likely to be targeted by and be duped by the phishing campaign, must have Java enabled to log-in when accessing their Hotmail account through the web browser.

For more information:


Attacks on Java security hole hidden in bogus Microsoft Services Agreement email


Rogue Microsoft Services Agreement phishing emails lead to latest Java exploit