Alert

FAKE Microsoft Service Agreement Email Phish

Blackhole targeting Java vulnerability via fake Microsoft Services Agreement email phish

From SANS ISC:

Published: 2012-09-01,
Last Updated: 2012-09-01 01:22:41 UTC
by Russ McRee

Thanks to Susan Bradley for reporting this to ISC.

We're receiving multiple reports of a phishing campaign using the template from a legitimate Microsoft email regarding Important Changes to Microsoft Services Agreement and Communication Preferences.

The legitimate version of this email is specific to a services agreement seen here, per a change to Microsoft services as of 27 AUG.

The evil version of this email will subject the victim to a hyperlink that will send them to a Blackhole-compromised website, which will in turn deliver a fresh Zeus variant.

I'll walk you through the full sample set I analyzed. Susan sent us an email including the following header snippet:

Received: from [101.5.162.236] ([101.5.162.236]) by
inbound94.exchangedefender.com (8.13.8/8.13.1) with ESMTP id q7VFDPjO029166

A legitimate header snippet:

Received: from smtpi.msn.com ([65.55.52.232]) by COL0-MC3-F43.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900)

101.5.162.236 is in China, 65.55.52.232 is Microsoft.

The legitimate email will include a hyperlink for http://email.microsoft.com/Key-9850301.C.DLs15.C.KK.DlNkNK, which points to the above mentioned services agreement.

Obfuscated to protect the innocent: The phishing mail will instead include a hyperlink to the likes of allseasons****.us, radiothat****.com, and likely a plethora of others. I assessed radiothat****.com and was redirected to 209.x.y.14, which is running the very latest Blackhole evil as described on 28 AUG by Websense in this post.

Source code review of the web page served included <applet/code="ndshesa.ndshesf"/archive="Leh.jar"><param/nam=123 name=uid value="N013:011:011:04:037:061:061:047:034:076:074:0102:076:074:047:047:047:074:067:053:061:04:074:04:013:04:075:054:071:034:067:053:034:034:02:065:071:034"/></applet>

The VirusTotal link for Leh.jar is here, and the VirusTotal link for the Zeus variant offered is here.

Recommendations:

1. Hover over hyperlinks and ensure they are directing you to legitimate sites before clicking. Be cautious even thereafter.
2. Contemplate disabling Java until the next update is released.
3. Review email headers if in doubt for messages you receive that seem suspicious.
4. Keep your antimalware signatures up to date. While limited at the moment, detection for both the Java exploit and the Zeus variant is increasing.

See: http://isc.sans.edu/diary.html?storyid=14020
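The header comparison in the diary above (a bare IP literal in the phish's Received line versus a Microsoft mail host in the legitimate one) can be turned into a small triage check. This is an added example, not code from the ISC diary or the forum post; the two header strings are the ones quoted above, and the list of expected sender domains is an assumption made for this example.

```python
import re
from ipaddress import ip_address

# The two Received: header snippets quoted in the ISC diary (phish first, legitimate second).
PHISH_HEADER = ("Received: from [101.5.162.236] ([101.5.162.236]) by "
                "inbound94.exchangedefender.com (8.13.8/8.13.1) with ESMTP id q7VFDPjO029166")
LEGIT_HEADER = ("Received: from smtpi.msn.com ([65.55.52.232]) by "
                "COL0-MC3-F43.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900)")

# Assumption for this example: domains a genuine Microsoft notice is expected to be handed off from.
EXPECTED_SENDER_DOMAINS = ("msn.com", "microsoft.com", "hotmail.com")

# Captures the HELO name, the connecting IP in parentheses, and the receiving host.
RECEIVED_RE = re.compile(
    r"Received:\s+from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>[0-9a-fA-F.:]+)\]?\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def is_ip_literal(name):
    """True if the HELO name is just an IP address rather than a host name."""
    try:
        ip_address(name)
        return True
    except ValueError:
        return False


def parse_received(header):
    """Split a Received: line into helo, ip and by; None if it does not match."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    return {"helo": m.group("helo").strip("[]"), "ip": m.group("ip"), "by": m.group("by")}


def assess(header, expected_domains=EXPECTED_SENDER_DOMAINS):
    """Return a list of findings; an empty list means the hop looks consistent."""
    parsed = parse_received(header)
    if parsed is None:
        return ["unparseable Received header"]
    findings = []
    helo = parsed["helo"].lower()
    if is_ip_literal(helo):
        findings.append("HELO name is a bare IP literal, not a mail host name")
    elif not any(helo == d or helo.endswith("." + d) for d in expected_domains):
        findings.append("HELO name %s is outside the expected sender domains" % helo)
    return findings


if __name__ == "__main__":
    for label, hdr in (("phish", PHISH_HEADER), ("legit", LEGIT_HEADER)):
        print(label, parse_received(hdr)["ip"], assess(hdr) or "no findings")
```

Whether the connecting IP actually belongs to the claimed sender (the diary's China vs. Microsoft observation) still needs a WHOIS or geolocation lookup, which this offline check deliberately does not do.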
Comments
New Java 0-day added to Blackhole Exploit Kit

The Websense post regarding the Blackhole Exploit Kit, as referenced above by the ISC:

August 28, 2012

Earlier today we blogged about a new Java zero-day vulnerability (CVE-2012-4681) being used in a small number of attacks. That's about to change, as exploit code for the Java vulnerability has been added to the most prevalent exploit kit out there: Blackhole.

Here's a snippet of the updated Blackhole code: [Screenshot]

The Pre.jar file (VirusTotal link) will use the new vulnerability to install the malware (VirusTotal link) itself. In this particular attack it was a banking trojan as can be seen from our ThreatScope report. [Screenshot]

Technically the new vulnerability is actually two separate vulnerabilities. A technical analysis of these two vulnerabilities is available at the blog Immunity Products in this post.

http://community.websense.com/blogs/securitylabs/archive/2012/08/28/new-java-0-day-added-to-blackhole-exploit-kit.aspx

Microsoft Services Agreement

Below is part of the Microsoft Services Agreement. The remainder can be read at the below link. I'm posting this with the hope that there should now be no need to try to decipher which emails are fake and which are real, when it can be read in full here.

* * * * * * * * * * * * * * * * * *

Updated August 27, 2012
Effective September 27, 2012

IF YOU LIVE IN THE UNITED STATES, SECTION 10 CONTAINS A BINDING ARBITRATION CLAUSE AND CLASS ACTION WAIVER. IT AFFECTS YOUR RIGHTS ABOUT HOW TO RESOLVE ANY DISPUTE WITH MICROSOFT. PLEASE READ IT.

Thank you for choosing Microsoft!

This is an agreement between you and Microsoft Corporation (or based on where you live one of its affiliates) that describes your rights to use the software and services identified in section 1.1. For your convenience, we have phrased some of the terms of this agreement in a question and answer format. You should review the entire agreement because all of the terms are important and together create a legal agreement, once accepted by you, that applies to you.

1. Scope of agreement, acceptance, and changes

1.1. What services are covered by this agreement? This agreement applies to Microsoft Hotmail, Microsoft SkyDrive, Microsoft account, Windows Live Messenger, Microsoft Photo Gallery, Microsoft Movie Maker, Microsoft Mail Desktop, Microsoft Writer (the foregoing are collectively referred to as the "Microsoft branded services"), Bing, MSN, Office.com, and any other software, website, or service that links to this agreement (collectively the "services").

1.2. What terms must I abide by when using the services? Our goal is to create a safer and more secure environment and therefore we require that, when using the services, users abide by these terms, the Microsoft Anti-Spam Policy (http://go.microsoft.com/fwlink/?LinkId=117951) and the Microsoft Code of Conduct (http://g.live.com/0ELHP_MEREN/243), which are incorporated into this agreement by this reference (the "agreement").

1.3. How do I accept this agreement? By using or accessing the services, or by agreeing to these terms where the option is made available to you in the user interface, you agree to abide by this agreement without modification by you. If you do not agree, you may not use the services.

1.4. Can Microsoft change these terms after I have accepted them? Yes. From time to time, Microsoft may change or amend these terms. If we do, we will notify you, either through the user interface, in an email notification, or through other reasonable means. Your use of the services after the date the change becomes effective will be your consent to the changed terms. If you do not agree to the changes, you must stop using the services and cancel any paid services by following the instructions in section 9.10. Otherwise, the new terms will apply to you.

1.5. What types of changes can I expect to the services? We continuously work to improve the services and may change the services at any time. Additionally, there are reasons why Microsoft may stop providing portions of the services, including (without limitation) that it's no longer feasible for us to provide it, the technology advances, customer feedback indicates a change is needed, or external issues arise that make it imprudent or impractical to continue. We may release the services or their features in beta version, which may not work correctly or in the same way the final version may work.

Continued : http://windows.microsoft.com/en-US/windows-live/microsoft-services-agreement
