Security vendor Sophos said that the scammers have constructed spam messages which claim to originate from the privacy@microsoft.com email address. The messages, which are designed to resemble official alerts from Microsoft, warn users that their systems might be at risk and urge them to visit a supposed "update" page.
Upon clicking the link, however, users are directed to a phishing site which attempts to harvest email addresses for webmail services, including Gmail and AOL Mail.
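The lure described above has two tell-tale properties a mail filter can check mechanically: the From header claims a sender domain the message cannot prove (no SPF or DKIM pass for it), and the "update" link points somewhere other than the claimed sender's domain, often while its visible text pretends otherwise. The following is an added example, written for this page and not code from Sophos or Microsoft. The message it triages is constructed here to match the article's description; the sender address is the one the article quotes, while the phishing host (webmail-verify.example), the receiving server name and the link text are placeholders.

```python
"""Triage a sender-spoofing phish of the kind described in the article.

Added example (not from the original report). Standard library only.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: spoofed privacy@microsoft.com sender, "update"
# pretext, and a link whose text shows a Microsoft URL but whose href points
# at a placeholder phishing host. Nothing here is a real captured message.
SAMPLE_EMAIL = b"""\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=microsoft.com; dkim=none
From: Microsoft <privacy@microsoft.com>
To: victim@example.net
Subject: Microsoft Windows Update
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer, your system might be at risk. Please visit the update page
bellow to protect you computer.</p>
<p><a href="http://webmail-verify.example/update/login.php">
http://update.microsoft.com/security</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Compare on the last two labels; a public-suffix list would be better."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def auth_results(msg):
    """Extract spf=/dkim= verdicts from the Authentication-Results header."""
    header = msg.get("Authentication-Results", "") or ""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim)=(\w+)", header, re.I)}


def triage(raw):
    """Return the claimed sender domain, auth verdicts, links and findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hdr = msg["from"]
    sender_domain = hdr.addresses[0].domain.lower() if hdr and hdr.addresses else ""
    auth = auth_results(msg)
    body = msg.get_body(preferencelist=("html",))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")

    findings = []
    # Finding 1: the claimed sender domain is not backed by SPF or DKIM.
    if auth.get("spf") != "pass" and auth.get("dkim") != "pass":
        findings.append(f"sender {sender_domain} not authenticated "
                        f"(spf={auth.get('spf')}, dkim={auth.get('dkim')})")
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        # Finding 2: the lure link leaves the claimed sender's domain.
        if registrable_domain(href_host) != registrable_domain(sender_domain):
            findings.append(f"link to {href_host} does not match claimed "
                            f"sender domain {sender_domain}")
        # Finding 3: visible URL text disagrees with the real destination.
        text_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            findings.append(f"link text shows {text_host} but points at {href_host}")
    return {"sender_domain": sender_domain, "auth": auth,
            "links": parser.links, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL)["findings"]:
        print("FINDING:", line)
```

Run stand-alone, the script reports three findings for the constructed message: an unauthenticated sender claim, an off-domain link, and link text that contradicts its href. On a mail gateway the same three checks would be fed by the Authentication-Results header your own MTA stamps, not one supplied by the sender; a spoofer can add that header too, so only trust the instance written by a server you control.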
"At first glance, if you don't look too carefully, the emails entitled 'Microsoft Windows Update' may appear harmless enough," wrote Sophos senior technology consultant Graham Cluley.
"But the grammatical errors and occasional odd language should raise alarm bells that the emails may not really be from Microsoft."
The phishing attack could prove particularly effective because it arrives amid the rollout of a critical security patch from Microsoft. The out-of-band update, posted by the company on Friday, addresses a high-profile vulnerability in the 32-bit Windows XP versions of Internet Explorer 7 and 8. More recent versions of the browser and operating system are not considered to be vulnerable.
The flaw, which is triggered by way of a malicious .swf (Flash) file, had been exploited by attackers to perform covert malware installations.
While Microsoft has said that the scope of the attacks is "extremely limited," security experts and government agencies have gone so far as to advise users to consider switching to a third-party web browser on unpatched systems.