Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2014/08/15 02:22:22 UTC

Hotfix/phishing spam

Hi,

We had users reporting receiving an email that appears to be from Microsoft
regarding a hotfix, but it appears to actually contain Microsoft hotfix
info with a URI to download an executable. The executable is a zip that
contains a MSU (Windows6.1-KB977307-x64.msu). Does MS send such email?

http://pastebin.com/BS5jt86N

This one hits a lot of T_ rules; it'd be nice if they were real rules about
now :-)

It also hit BAYES_00, which I'm a little concerned about, but maybe not
necessarily if the body is indeed actually legit...

Thanks for any ideas.
Alex

RE: Hotfix/phishing spam

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2014-08-14 at 19:37 -0500, John Traweek CCNA, Sec+ wrote:
> Usually an end user has to request the hotfix and fill out a form on
> the MS site and then MS will send out an email with the URI.

Pardon my ignorance, but... WHY!?

Why would anyone require filling out a web form, to send an automated
email with a link as response? Why not simply, you know, put the link in
the page the user gets in return after sending that completed form
anyway?

Using an email message as response to an HTTP GET or POST request to
transfer a http(s) URI is beyond clusterfuck.


(Yes, I do realize you merely described what MS does, and you're not
responsible for their lame process.)


> So to answer your question, yes, MS does send out emails with
> hotfixes, but only when an end user requests it, at least in my
> experience… 
> 
> If the end user did not specifically fill out a form/request the hot
> fix, then I would be very suspicious…


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Hotfix/phishing spam

Posted by Alex <my...@gmail.com>.
Hi,

>> That's a really good question.
>>
>> Perhaps it was a malware attempt and the attacker forgot to replace the
>> valid MSFT URL with their own URL...
>
> This isn't the first time I've seen ratware malfunction. Other possibility
> some scammer test-driving a shiny new toy but wants to first test it out
> without drawing attention to himself, so doesn't do a live-fire test.
> I.e. wants to fine-tune the deliverability before the live-fire pass.

That makes perfect sense. Should have totally thought of that myself.

Thanks,
Alex

Re: Hotfix/phishing spam

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Thu, 14 Aug 2014, John Hardin wrote:

> On Thu, 14 Aug 2014, Alex wrote:
>
>>> Microsoft outsourcing their tech-support that badly? I don't think so.
>> 
>> Right, that was my point. The sender is not one of my trusted users, yet
>> the link in the body seems legit.
>> 
>> So what's the point of this spam? Just a misconfigured machine somehow?
>
> That's a really good question.
>
> Perhaps it was a malware attempt and the attacker forgot to replace the valid 
> MSFT URL with their own URL...
>

This isn't the first time I've seen ratware malfunction. Other possibility
some scammer test-driving a shiny new toy but wants to first test it out
without drawing attention to himself, so doesn't do a live-fire test.
I.e. wants to fine-tune the deliverability before the live-fire pass.

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: Hotfix/phishing spam

Posted by Alex <my...@gmail.com>.
Hi,


>>> Microsoft outsourcing their tech-support that badly? I don't think so.
>>
>> Right, that was my point. The sender is not one of my trusted users, yet
>> the link in the body seems legit.
>>
>> So what's the point of this spam? Just a misconfigured machine somehow?
>>
>
> That's a really good question.
>
> Perhaps it was a malware attempt and the attacker forgot to replace the
> valid MSFT URL with their own URL...
>

Awesome, thanks John. So I wasn't missing some obvious new technique or
something...

Thanks,
Alex

Re: Hotfix/phishing spam

Posted by John Hardin <jh...@impsec.org>.
On Thu, 14 Aug 2014, Alex wrote:

> Hi,
>
>> But when they do I doubt that they do it via Yahoo from somebody in
>> Bangladesh.
>> Looking at the headers in that pastebin example, the originating IP is
>> 114.31.4.36 which looks like it's from a cyber-cafe in Bangladesh.
>>
>> Microsoft outsourcing their tech-support that badly? I don't think so.
>
> Right, that was my point. The sender is not one of my trusted users, yet
> the link in the body seems legit.
>
> So what's the point of this spam? Just a misconfigured machine somehow?

That's a really good question.

Perhaps it was a malware attempt and the attacker forgot to replace the 
valid MSFT URL with their own URL...


-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   If guards and searches and metal detectors can't keep a gun out of
   a maximum-security solitary confinement prisoner's cell, how will
   a disciplinary policy and some signs keep guns out of a university?
-----------------------------------------------------------------------
  Tomorrow: the 69th anniversary of the end of World War II

Re: Hotfix/phishing spam

Posted by Alex <my...@gmail.com>.
Hi,

> But when they do I doubt that they do it via Yahoo from somebody in
> Bangladesh.
> Looking at the headers in that pastebin example, the originating IP is
> 114.31.4.36 which looks like it's from a cyber-cafe in Bangladesh.
>
> Microsoft outsourcing their tech-support that badly? I don't think so.

Right, that was my point. The sender is not one of my trusted users, yet
the link in the body seems legit.

So what's the point of this spam? Just a misconfigured machine somehow?

Thanks,
Alex

RE: Hotfix/phishing spam

Posted by David B Funk <db...@engineering.uiowa.edu>.
But when they do I doubt that they do it via Yahoo from somebody in Bangladesh.
Looking at the headers in that pastebin example, the originating IP is
114.31.4.36 which looks like it's from a cyber-cafe in Bangladesh.

Microsoft outsourcing their tech-support that badly? I don't think so.

On Thu, 14 Aug 2014, John Traweek CCNA, Sec+ wrote:

> Usually an end user has to request the hotfix and fill out a form on the MS site and then MS will send out an email with the URI.  So to answer your
> question, yes, MS does send out emails with hotfixes, but only when an end user requests it, at least in my experience…
> 
> If the end user did not specifically fill out a form/request the hot fix, then I would be very suspicious…
> 
> From: Alex [mailto:mysqlstudent@gmail.com]
> Sent: Thursday, August 14, 2014 7:22 PM
> To: SA Mailing list
> Subject: Hotfix/phishing spam
> 
>  
> 
> Hi,
> 
> We had users reporting receiving an email that appears to be from Microsoft regarding a hotfix, but it appears to actually contain Microsoft hotfix
> info with a URI to download an executable. The executable is a zip that contains a MSU (Windows6.1-KB977307-x64.msu). Does MS send such email?
> 
> http://pastebin.com/BS5jt86N
> 
> This one hits a lot of T_ rules; it'd be nice if they were real rules about now :-)
> 
> It also hit BAYES_00, which I'm a little concerned about, but maybe not necessarily if the body is indeed actually legit...
> 
> Thanks for any ideas.
> Alex

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
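The check Dave describes above (walk the Received chain back to the originating IP and compare where the mail really came from with who it claims to be from) is easy to script as a first-pass triage, before the message ever reaches SpamAssassin rules. The script below is an added example and is not code from the thread or from the SpamAssassin project. The message it parses is constructed for the example (documentation hostnames and IP ranges, not the pastebin message), and the download-suffix list and the "display sender domain differs from envelope sender domain" heuristic are the author's assumptions about what is worth flagging; it does no geolocation or reputation lookup.

```python
"""Header/body triage for a mail that claims to come from a vendor but links
to a downloadable archive. Added example; the sample message and every host
name and IP in it are constructed (RFC 5737 documentation ranges)."""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: display From claims microsoft.com, envelope sender is a
# webmail provider, and the earliest hop is a web-mail submission from a
# public address. Not the thread's pastebin message.
RAW_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.org with ESMTP id abc123; Thu, 14 Aug 2014 19:00:01 -0500
Received: from smtp.mail.example.net (smtp.mail.example.net [198.51.100.25])
\tby mx.example.org with ESMTPS; Thu, 14 Aug 2014 19:00:00 -0500
Received: from [203.0.113.7] by web.mail.example.net via HTTP; Thu, 14 Aug 2014 18:59:58 -0500
From: Microsoft Support <support@microsoft.com>
Return-Path: <someone@mail.example.net>
To: user@example.org
Subject: Hotfix for Windows 7 (KB977307)
Content-Type: text/plain; charset=us-ascii

A hotfix is available. Download it here:
http://hotfix.example.com/download/Windows6.1-KB977307-x64.zip
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed list: the archive/installer types the thread mentions plus obvious siblings.
DOWNLOAD_SUFFIXES = (".zip", ".msu", ".exe", ".scr", ".cab")

BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL = re.compile(r"https?://[^\s<>\"']+")


def _is_internal(ip):
    """Hops we skip when looking for the origin: loopback, link-local, RFC 1918."""
    return ip.is_loopback or ip.is_link_local or any(ip in n for n in RFC1918)


def received_ips(msg):
    """Connecting-client IP from each Received header, most recent hop first."""
    ips = []
    for hdr in msg.get_all("Received", []):
        m = BRACKET_IP.search(str(hdr))
        if m:
            ips.append(m.group(1))
    return ips


def originating_ip(msg):
    """Earliest non-internal hop, i.e. the last Received header with a public IP."""
    for ip in reversed(received_ips(msg)):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if not _is_internal(addr):
            return ip
    return None


def header_domain(msg, name):
    """Domain part of an address header (From, Return-Path), lower-cased."""
    _, addr = parseaddr(str(msg.get(name, "")))
    return addr.rpartition("@")[2].lower() or None


def download_links(body):
    """URLs in the body whose path ends in an archive/installer suffix."""
    links = []
    for url in URL.findall(body):
        url = url.rstrip(".,;)")
        if urlparse(url).path.lower().endswith(DOWNLOAD_SUFFIXES):
            links.append(url)
    return links


def triage(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    from_dom = header_domain(msg, "From")
    rp_dom = header_domain(msg, "Return-Path")
    links = download_links(body)
    findings = {
        "originating_ip": originating_ip(msg),
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        # Display sender claims one domain while the envelope sender is another.
        "sender_mismatch": bool(from_dom and rp_dom and from_dom != rp_dom),
        "download_links": links,
    }
    findings["suspicious"] = findings["sender_mismatch"] and bool(links)
    return findings


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

The originating IP is taken from the earliest Received header rather than the latest because Received headers are prepended by each hop, so the bottom one is the submission hop; a forged Received line can still be inserted below it by the sender, which is why the verdict here combines the header evidence with the archive link rather than trusting either alone.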

RE: Hotfix/phishing spam

Posted by "John Traweek CCNA, Sec+" <jo...@publishingconcepts.com>.
Usually an end user has to request the hotfix and fill out a form on the MS site and then MS will send out an email with the URI.  So to answer your question, yes, MS does send out emails with hotfixes, but only when an end user requests it, at least in my experience…


If the end user did not specifically fill out a form/request the hot fix, then I would be very suspicious…


From: Alex [mailto:mysqlstudent@gmail.com] 
Sent: Thursday, August 14, 2014 7:22 PM
To: SA Mailing list
Subject: Hotfix/phishing spam


Hi,

We had users reporting receiving an email that appears to be from Microsoft regarding a hotfix, but it appears to actually contain Microsoft hotfix info with a URI to download an executable. The executable is a zip that contains a MSU (Windows6.1-KB977307-x64.msu). Does MS send such email?

http://pastebin.com/BS5jt86N

This one hits a lot of T_ rules; it'd be nice if they were real rules about now :-)

It also hit BAYES_00, which I'm a little concerned about, but maybe not necessarily if the body is indeed actually legit...

Thanks for any ideas.
Alex



________________________________


John Traweek CCNA, Sec+
Executive Director, Information Technology
Proud PCI Associate for 17 years
PCI: the data company

________________________________


Heritage Square . 4835 LBJ Freeway, Suite 1100 . Dallas, TX  75244 . 214.530.0394

Did you know last year, PCI raised over 9 million dollars in donations for our clients? Ask us how!

This Email is covered by the Electronic Communications Privacy Act, 18 U.S.C. Sections 2510-2521 and is legally privileged. The information contained in this Email is intended only for . If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distributions or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us by telephone 1.800.395.4724 X160, and destroy the original message.