Experts at SophosLabs™, Sophos's global
network of virus, spyware and spam analysis centers, have warned of
a spammed email campaign which claims to be security advice from
Microsoft, but actually tries to encourage users to install a
keylogger onto their computers.
The spammed emails, which have the subject line "Microsoft
WinLogon Service - Vulnerability Issue" and purport to come from
patch@microsoft.com, claim that a vulnerability has been found "in
the Microsoft WinLogon Service" and could "allow a hacker to gain
access to an unpatched computer".
Recipients are advised to click on a link in the email to
download the patch. However, the link really points to a
non-Microsoft website and initiates the download of the Troj/BeastPWS-C Trojan
horse, which is capable of spying on the infected user and stealing
passwords.
The spam email claims to come from Microsoft,
and includes a malicious link.
When first installed the Trojan horse displays the following
bogus message
Microsoft WinLogon Service successfully patched.
but is secretly logging keystrokes and sending them to an email
address belonging to the hacker.
"People are slowly learning that Microsoft does not email out
security fixes as attachments, but they also need to learn to be
careful of blindly clicking on links to download fixes too without
checking that the email is legitimate," said Graham Cluley, senior
technology consultant at Sophos. "In this case, the hackers made a
mistake by referring to 'Microsoft Coorp' rather than 'Microsoft
Corp', but its possible that users would miss that typo in their
rush to protect themselves."
Sophos recommends that users visit Microsoft's website at
www.microsoft.com/security for
information about Microsoft security patches.
"The hackers are playing a dangerous game, because if Microsoft
finds out who is responsible for besmirching their name in this way
they are likely to throw the full force of the law at them,"
continued Cluley. "Security is becoming a hot topic for the
software giant, and they don't want malware and spam to sully the
company's public image through this kind of criminal activity."
Sophos has been protecting against the Troj/BeastPWS-C Trojan
horse since 12:28 GMT, Monday 29 May and has automatically updated
customers.
Sophos advises that companies put in place a consolidated solution to defend against viruses,
spyware and spam, and ensure that it is automatically updated as
new threats emerge.
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing security and data protection solutions that are simple to manage, deploy and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, and network access control solutions backed by SophosLabs - a global network of threat intelligence centers. With more than two decades of experience, Sophos is regarded as a leader in security and data protection by top analyst firms and has received many industry awards.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.