Seemingly real Microsoft e-mail is spreading malware, be careful

Whether it be through Windows or its online services, Microsoft touches the lives of many, many people around the world on a daily basis. So when an e-mail from “Microsoft <servicenotification@email.microsoft.com>” with the subject of “Important Changes to Microsoft Services Agreement” magically appears in the inbox of many people, my guess is they are likely to open it. Then when that e-mail tells you to view an updated services agreement via the attached PDF file, my guess is many people will open it. The kicker? The just-referenced e-mail is not actually from Microsoft and the attached file is not actually a PDF — it is a malicious EXE (Microsoft-Services-Agreement.pdf.exe) that contains malware, a backdoor Trojan (Troj/Backdr-HG) to be more specific.

What makes this malicious e-mail particularly clever is not only does it spoof a real Microsoft e-mail but it uses a real subject line to draw people in and then presents them with legitimate text in the body of the e-mail — this exact same e-mail was sent out by Microsoft in August. The only difference is the legitimate Microsoft e-mail did not contain an attached file; rather, the real Microsoft e-mail directed users to read the new agreement on Microsoft’s website.

Update: It looks like Microsoft is still sending out the legitimate version of this e-mail. So if you get an e-mail from “Microsoft <servicenotification@email.microsoft.com>” with the subject of “Important Changes to Microsoft Services Agreement”, it may be a legitimate e-mail from Microsoft or it may not be. If the e-mail has an attachment, it is a malicious e-mail and you should *not* open the attachment. If there is a link in the e-mail, the e-mail is likely legitimate but you should double-check and make sure the link is leading you to Microsoft’s website (make sure the domain is microsoft.com) and not elsewhere.

[Thanks Merlin for the heads up.]

Of course, if the spam filter used by your e-mail provider is half competent, it will notice that the e-mail was not sent by a Microsoft server and drop it into your junk or spam folder. (The From header can be spoofed, but the IP address of the server that actually delivered the message cannot, and a reverse-DNS (rDNS) lookup on that address is one technique e-mail servers use to detect forged mail.) However, if this e-mail does somehow end up in your inbox, do not open it. And if you do open it, do not download the attachment.
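The three checks described above (an attachment that is really an executable hiding behind a double extension, a link whose host is not actually under microsoft.com, and reverse DNS on the server that delivered the mail) can be scripted for triage. The following is an added example, not code from the original post or from Microsoft or Sophos; the sample message, the 192.0.2.x addresses and the hostnames it resolves are all constructed, and the `fake_resolver` stands in for `socket.gethostbyaddr` so it runs offline.

```python
"""Triage checks for a suspected spoofed "services agreement" e-mail (added example)."""
import email
import re
import socket
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath
from typing import List, Optional
from urllib.parse import urlparse

TRUSTED_DOMAIN = "microsoft.com"  # the domain the post says links must lead to
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample modelled on the e-mail the post describes: real-looking sender,
# real subject line, but a fake "PDF" that is an executable and a look-alike link.
# 192.0.2.10 is a documentation address; the base64 body is a truncated stand-in.
RAW_MESSAGE = b"""\
Received: from mail.example.invalid ([192.0.2.10]) by mx.example.com; Sun, 16 Sep 2012 10:00:00 +0000
From: Microsoft <servicenotification@email.microsoft.com>
To: victim@example.com
Subject: Important Changes to Microsoft Services Agreement
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please read the updated Microsoft Services Agreement in the attached PDF,
or online at http://microsoft.com.agreement-update.example/services
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Microsoft-Services-Agreement.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""


def is_trusted_host(host: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True only for the trusted domain itself or a subdomain of it.
    A substring test would wrongly accept microsoft.com.agreement-update.example."""
    host = (host or "").lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)


def executable_attachments(msg: EmailMessage) -> List[str]:
    """Attachment names whose real (last) extension is executable, e.g. name.pdf.exe."""
    return [
        part.get_filename() or ""
        for part in msg.iter_attachments()
        if PurePosixPath((part.get_filename() or "").lower()).suffix in EXECUTABLE_EXTENSIONS
    ]


def untrusted_links(msg: EmailMessage) -> List[str]:
    """URLs in the body whose host is not under the trusted domain."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return [u for u in URL_RE.findall(text) if not is_trusted_host(urlparse(u).hostname or "")]


def delivering_ip(msg: EmailMessage) -> Optional[str]:
    """IP of the host that handed the mail to our own server. Only the topmost
    Received header was written by our MX; earlier ones can be forged by the sender."""
    received = msg.get_all("Received") or []
    match = RECEIVED_IP_RE.search(received[0]) if received else None
    return match.group(1) if match else None


def rdns_matches(ip: str, trusted: str = TRUSTED_DOMAIN, resolve=socket.gethostbyaddr) -> bool:
    """Reverse-DNS the delivering IP and require a PTR name under the trusted domain.
    The From header is sender-controlled; the PTR record belongs to the IP's owner."""
    try:
        hostname, _aliases, _addrs = resolve(ip)
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return False
    return is_trusted_host(hostname, trusted)


def triage(raw: bytes, resolve=socket.gethostbyaddr) -> dict:
    """Run all three checks and apply the post's rule: attachment or bad link means malicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ip = delivering_ip(msg)
    report = {
        "executable_attachments": executable_attachments(msg),
        "untrusted_links": untrusted_links(msg),
        "delivering_ip": ip,
        "rdns_ok": bool(ip) and rdns_matches(ip, resolve=resolve),
    }
    bad = report["executable_attachments"] or report["untrusted_links"] or not report["rdns_ok"]
    report["verdict"] = "malicious" if bad else "probably legitimate"
    return report


def fake_resolver(ip: str):
    """Constructed stand-in for socket.gethostbyaddr so the example runs offline."""
    table = {"192.0.2.10": "mail.example.invalid", "192.0.2.20": "smtp.microsoft.com"}
    if ip not in table:
        raise socket.herror(1, "Unknown host")
    return table[ip], [], [ip]


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE, resolve=fake_resolver).items():
        print(f"{key}: {value}")
```

In production the `resolve` argument is left at its default so a real PTR lookup is made; the rDNS check belongs at the receiving mail server, which knows the connecting IP directly, rather than in a client that must trust the Received headers.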

[via Sophos]


16 comments

  1. ovl

    @Flowers ForA:

    Yep, I’m friendly and here is my friendly response.

    1). The term “North Germanic languages” is used in genetic linguistics, therefore, this is the correct term (not “Scandinavian language”), and, of course, Norwegian language is a North Germanic language spoken primarily in Norway.

    2). A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability, meaning that the attack occurs on “day zero” of awareness of the vulnerability. That’s why “Windows Security Essentials running along Avast!” (in your case) will not save you from malware on this “A zero-day”. You did not get it as well as you do not get that two antivirus programs on the same machine are dangerous for any PC.

    3). “Perhaps it’s a Chinese dialect, like Cantonese?”.

    Chinese is not a dialect – it’s the language consisting of several dialects. Friendly people like you, should know that.

    4). “Mind you, there is a distinct difference between Flemish and Dutch”.

    Who argued here that Dutch is spoken in the Netherlands and Flemish is spoken in Flanders, which is in Belgium? Why do you need to know that if you are specializing in “Scandinavian languages”, and finally – “in the mean time”, you learned what the subject of your e-mail means.

    6). “Thanks for the tech advise anyway… I’ll make sure to create another couple of hours per day (on top of the 24 available) to track links or ping IP’s and show off.”

    You’re welcome, and it does not take a couple of hours to trace an IP from the link – it takes a couple of seconds.

    7). “Still, is somewhat your last sentence ill constructed not – drawing attention to your superiour knowledge of foreign languages”.

    Control your grammar: “superior” – not “superiour”.

    8). “Your reply in Dutch or Flemish will be much appreciated.”

    I don’t think so, because the person who spends “a couple of hours per day to track links or ping IP”, will never learn these two difficult languages. Better improve your English spelling techniques.

    Have a wonderful day,
    Your friend in cyber space

  2. Flowers ForA

    @ovl:

    You’re really friendly, ovl, are you not?

    1. “Scandinavian language does not exist” : Plse. keep to the subject. BTW: “some Scandinavian language” does exist; I did not specify which…
    2. …”like does not exist a panacea from “A Zero-Day” vulnerabilities” : not a grammatically correct construction – as far as I know – and which you did not get from me.
    3. “Body of your e-mail came in Dutch language, but the Subject line “Viktige endringer i Microsofts tjenesteavtale” (which means “Important changes to the Microsoft service agreement”) came in Norwegian language” : a) whatever the body of the mail, the subject line put me on guard as it did many people; b) Norwegian is not a Scandinavian language? Plse fill me in. Perhaps it’s a Chinese dialect, like Cantonese? c) Mind you, there is a distinct difference between Flemish and Dutch – but you know all about that, don’t you? d) and in the mean time I learned what the subject means, but not thanks to you… I’m glad to say
    4. Thanks for the tech advise anyway… I’ll make sure to create another couple of hours per day (on top of the 24 available) to track links or ping IP’s and show off.
    5. Still, is somewhat your last sentence ill constructed not – drawing attention to your superiour knowledge of foreign languages? Your reply in Dutch or Flemish will be much appreciated.

    Have a nice day,
    Patrick.

  4. ovl

    @Flowers ForA:

    Scandinavian language does not exist like does not exist a panacea from “A Zero-Day” vulnerabilities. A new antidote always comes after a new poison.

    Body of your e-mail came in Dutch language, but the Subject line “Viktige endringer i Microsofts tjenesteavtale” (which means “Important changes to the Microsoft service agreement”) came in Norwegian language.

    The link in your e-mail: http://email.microsoft.com/Key-9909402.D.tglm.G.K.K.krq0X does not correspond with the legitimate link from Microsoft Corp.: http://email.microsoft.com/Key-9909402.D.Cc1gg.G.KK.nCjS6yM with connection to the real Microsoft Services Agreement.

    The link in your Dutch/Norwegian e-mail tracing to IP 157.55.150.73 and the host of this IP – is “microsoft.msn.com”, but this object does not exist on the Internet server.

    IP 157.55.150.73 is located in Kansas, not in Redmond, WA where Microsoft Corp is officially located. They have the phone 1-425-882-8080, but that number is spamming for many years, so someone is spoofing this landline (the complaints about this suspicious number are here: http://800notes.com/Phone.aspx/1-425-882-8080). Some people received unsolicited fax from that number with Chinese symbols.

    It does not matter if the discussed phishing Microsoft e-mail has the attachment or only the phishing link(s), or it comes in mixed Dutch/Norwegian languages, a lot of things drawing attention to the same hackers.

  5. Flowers ForA

    I received two versions in my Hotmail inbox (the Re. of one was in some Scandinavian language: “Viktige endringer i Microsofts tjenesteavtale”; the second, the day before yesterday, was in plain English).
    I have Windows Security Essentials (running along Avast! Antivirus with daily updates). Both mails were marked with a green shield. Neither contained any attachments.
    Before clicking the link in the first mail, I visited MS’s site first to check for any changes in their User Agreement, to find out there actually are.
    I then checked the text that came with the link in the first mail against the one on MS’s site and found them to be identical. The link with the first mail was http://email*microsoft*com/Key-9909402.D*tglm*G*KK*krq0X [asterisks were dots in the original].
    I removed both mails anyway and let three malware scanners loose on my whole machine. Those reported no malware present… Not even a false positive :( [smiley’s meant jokingly!] Up to now I’ve not noticed any signs that something might be wrong anyway (e.g. slowed-down computer, abnormal disc activity, ..)
    So I guess I’m pretty safe – for the time being.
    However, if the first mail hadn’t had that strange heading I probably would have clicked through – instead I informed most of my correspondents not to open anything until further notice.
    I’ll forward this here article to them now.
    Thanks!
    Patrick

  6. ovl

    The brief research of IP 101.5.162.236 brings you to the Campus of Tsinghua University in Beijing where this phishing campaign was originated. Btw, this educational facility is ranked amongst the best universities in China: Tsinghua alumni include the current Chinese president and the current Chinese vice president. Nice company for the hackers who are spreading a fresh version of Zeus Trojan with P2P techniques for initialization and with banking credentials as the primary target.

  7. naveed

    It’s not rocket science to know that exe files are executables. This scam is not very sophisticated and easy to spot, but still catches so many people.
    Hiding the file extensions in Windows is a big part of this problem. Also, that many people don’t know anything about extensions – obviously the first problem exacerbates this.

  8. Hamza

    Huh! Real companies never send emails with attachments; they only show the changes in the email or at their official sites.
    And what?! Is “Microsoft-Services-Agreement.pdf.exe” a PDF file? LOL, only blind people can’t differentiate between a PDF file and an EXE!!!

  9. NickK

    That scared me, because I remember I received this email on 11 September and opened it on my Android. I was thinking I might just have to install an AV on my handset to run a scan. I went back to my hotmail to find this email in my deleted items and it didn’t have an attachment. It did have a link as mentioned by “sunrise”, therefore it seems to be a legit Microsoft email. Phew.

    Thanks for the heads up. I’ll look out for any illegitimate ones.

    Keep up the good work.

  10. sunrise

    @ashraf: just to inform you… MS released the legitimate email regarding the changes to their agreement, but there is an illegitimate email too… so people still need to be careful. Check the full message header: the real email will show you “Received: from smtpi.msn.com ([65.55.52.232])” (65.55.52.232 is an MS IP address), meanwhile the fake will show you “Received: from [101.5.162.236] ([101.5.162.236])” (this IP is coming from China). And please hover your mouse over the link; the link should look like this: “http://email.microsoft.com/Key-9853201.C.MDqt.C.KK.nGlJcL9”

  11. sunrise

    I got this email on Sep 14. I have not yet opened the link, but the email arrived in my work email inbox and since I just bought some licenses from MS… I think this email is true. Fortunately… I’m a little busy to check hahaha

    Thanks for the info bro