A Dangerous E-Mail
I get a lot of spam. I know, I know, everyone does, you say. But I own and host a few domains and that tends to make it worse. Today, I received an e-mail that stood out from the usual spam. You may get it too, and while reading it is not a problem, you should absolutely not run the attached program.
And here it is. This e-mail sure looks like an official message from Microsoft, right down to the From: address, which ends in microsoft.com. It’s not, of course, but there are very few indications of why not in the message itself. As I read through it, I was thinking it was a notification to run Windows Update due to some very acute security problem. But that impression changed rather quickly. There’s way too much wrong with this letter for it to be legitimate. Let’s see what a few of those things are.
- Grammar. This is always a red flag. There are lots of little grammar problems in the message, like, “…recently issues a Security Update for OS Microsoft Windows.”
- It’s Microsoft Corporation, not Microsoft Software or Microsoft Company
- The last line, “We apologize for any inconvenience this back order may be causing you,” doesn’t make any sense
On the other hand, it has a number of hallmarks of an official message:
- The sender display name and From: address look like they really came from Microsoft
- A rather official-looking PGP signature block (a signature pasted into the body proves nothing unless you actually verify it against Microsoft’s published key, which nobody does)
- A file attachment, KB418336.exe, that looks just like a real Windows Update filename. Microsoft does not distribute security updates as e-mail attachments; they arrive through Windows Update.
It’s a fake, let there be no doubt, and while I don’t know what would happen if you ran the executable attached to the e-mail, I can pretty much guarantee it’s not going to fix any security problems – only introduce new ones. The real proof is in the full mail headers, the raw ones, not the From: line your mail client displays. There you can see that this didn’t actually come from Microsoft.
Return-Path: <636S64@hotmail.com>
Received: from pc-home.suninternet.md (unknown [220.127.116.11])
        by smtp.owczarek.com (Postfix) with ESMTP id 264AAFDC058
        for <emailaddressremoved>; Tue, 14 Oct 2008 00:54:56 -0400 (EDT)
Received: from [18.104.22.168] by mx2.hotmail.com; Tue, 14 Oct 2008 06:59:16 +0200
But don’t be fooled into thinking that someone is doing this from Hotmail – that’s a red herring. Every mail server that handles a message adds its own Received: line to the top of the headers, so the chain reads bottom-up, and the only line you can trust is the one your own server wrote (the topmost one); everything below it arrived with the message and can say whatever the sender wants. Read that way, the Received: headers don’t match up. If mx2.hotmail.com had really received this message, the next hop would have to show my server taking it from a hotmail.com host. Instead my server, smtp.owczarek.com, took it directly from pc-home.suninternet.md, a host that reverse-resolves to “unknown”. How did it magically get from Hotmail to pc-home.suninternet.md? It didn’t. The timestamps give it away too: the Hotmail line claims 06:59:16 +0200, which is 04:59:16 UTC, while my server logged the message at 00:54:56 -0400, which is 04:54:56 UTC, so the supposedly earlier hop is stamped more than four minutes after the hop that came after it. The bottom Received: line is forged, and the real source of this message is pc-home.suninternet.md.
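The check made above can be automated. The following script is an added example, not code from the original post: it parses the two Received: lines quoted above (the sample headers are constructed from them, with the IP addresses as printed), walks the chain bottom-up, and flags both the hop that does not join up and the timestamp that runs backwards. A second, invented chain with hosts in example.net is included as a control to show what an honest relay chain looks like. Timestamp reversals alone can be caused by badly set clocks, so the script treats them as corroboration rather than proof.

```python
"""Walk the Received: chain of an e-mail and flag hops that do not join up.

Each relay prepends its own Received: line, so the topmost line was written by
the server you trust (your own) and everything below it arrived with the
message. Read bottom-up, each hop's "by" host should reappear as the "from"
host of the hop directly above it, and timestamps should not run backwards.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed from the headers quoted in the post (IPs and hostnames as printed there).
SAMPLE_HEADERS = """\
Return-Path: <636S64@hotmail.com>
Received: from pc-home.suninternet.md (unknown [220.127.116.11])
\tby smtp.owczarek.com (Postfix) with ESMTP id 264AAFDC058
\tfor <emailaddressremoved>; Tue, 14 Oct 2008 00:54:56 -0400 (EDT)
Received: from [18.104.22.168] by mx2.hotmail.com; Tue, 14 Oct 2008 06:59:16 +0200

"""

# Invented control case: an honest two-hop chain (example.net is a reserved domain).
CLEAN_HEADERS = """\
Return-Path: <someone@example.net>
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby smtp.owczarek.com (Postfix) with ESMTP id 0000000000
\tfor <emailaddressremoved>; Tue, 14 Oct 2008 01:00:00 -0400 (EDT)
Received: from client.example.net ([192.0.2.20])
\tby mail.example.net (Postfix) with ESMTPSA id 1111111111;
\tTue, 14 Oct 2008 00:59:50 -0400 (EDT)

"""

# "from <helo-name> (<rdns> [<ip>]) ... by <host>"; the comment is added by the receiver.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?.*?\bby\s+(?P<by>[^\s;]+)"
)


def parse_received(value: str) -> dict:
    """Split one Received: value into from-host, by-host, receiver comment names and time."""
    value = " ".join(value.split())  # unfold continuation lines
    m = HOP_RE.search(value)
    names = set()
    if m and m.group("comment"):
        names = {tok.strip("[]").lower() for tok in m.group("comment").split()}
    when = None
    if ";" in value:  # the date follows the last semicolon
        try:
            when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            when = None
    return {
        "from": m.group("from") if m else "?",
        "by": m.group("by") if m else "?",
        "comment_names": names,
        "time": when,
    }


def analyze(raw_message: str) -> dict:
    """Return the hops (top first), the host that handed the mail to our server,
    and a list of anomalies found by comparing each hop with the one above it."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    anomalies = []
    for upper, lower in zip(hops, hops[1:]):
        # The lower (older) hop claims "by X"; the hop above must have taken it from X.
        claimed = lower["by"].lower()
        seen = {upper["from"].lower()} | upper["comment_names"]
        if claimed not in seen:
            anomalies.append({
                "kind": "broken_chain",
                "detail": f"{upper['by']} got the mail from {upper['from']}, "
                          f"not from {lower['by']} as the line below claims",
            })
        # Aware datetimes compare correctly across differing UTC offsets.
        if upper["time"] and lower["time"] and upper["time"] < lower["time"]:
            seconds = int((lower["time"] - upper["time"]).total_seconds())
            anomalies.append({
                "kind": "clock_reversal",
                "seconds": seconds,
                "detail": f"{lower['by']} stamps the mail {seconds}s after "
                          f"{upper['by']} already had it",
            })
    return {
        "hops": hops,
        "injecting_host": hops[0]["from"] if hops else None,
        "anomalies": anomalies,
    }


if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_HEADERS), ("control", CLEAN_HEADERS)):
        result = analyze(raw)
        print(f"[{label}] real source: {result['injecting_host']}")
        for a in result["anomalies"]:
            print(f"  {a['kind']}: {a['detail']}")
```

Run it and the suspicious chain reports pc-home.suninternet.md as the real source with two anomalies, while the control chain reports none. The same walk works on any header block: paste the raw headers from a message in place of SAMPLE_HEADERS and start reading at the first Received: line your own server wrote.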
Just to be clear: never, ever run an executable file you receive attached to an e-mail like this, especially if the e-mail was unsolicited.