With users and administrators around the world scrambling to patch a zero-day flaw in Internet Explorer, cyber criminals have launched a new scam targeting Windows Update.
Security vendor Sophos said that the scammers have constructed spam messages which claim to originate from the firstname.lastname@example.org email address. The messages, which are designed to resemble official alerts from Microsoft, advise users that their systems might be at risk and urge them to visit a supposed “update” page.
Upon clicking the link, however, users are directed to a phishing site which attempts to harvest email addresses for webmail services including Gmail and AOL mail.
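The scam described above combines a Microsoft-branded sender and subject with a link that leads somewhere else entirely. The following added example, not code from the article or from Sophos, shows a mail-gateway style check for that pattern: it parses a message, decides whether it presents itself as a Windows Update notice, and returns any links whose host is not under a trusted Microsoft domain. The allow-list and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the allow-list a defender would maintain for genuine update
# notices; only microsoft.com is listed in this example.
TRUSTED_DOMAINS = {"microsoft.com"}


def suspicious_update_links(raw_message: str) -> list:
    """Return links in a 'Windows Update'-styled mail that point off-brand.

    A message is examined only if it presents itself as a Microsoft update
    alert (subject, From display name or From address). Every link in the
    body is then checked against TRUSTED_DOMAINS; links to other hosts are
    returned as phishing indicators.
    """
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    display_name, address = parseaddr(msg.get("From", ""))
    claims_microsoft = (
        "windows update" in subject.lower()
        or "microsoft" in display_name.lower()
        or address.lower().endswith("@microsoft.com")
    )
    if not claims_microsoft:
        return []
    # Collect text/plain and text/html bodies, whether or not the mail is multipart.
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = ""
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    flagged = []
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = (urlparse(url).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
            flagged.append(url)
    return flagged


# Constructed sample resembling the scam described above; not a real message.
SAMPLE_PHISH = """\
From: Microsoft Windows Update <update@example.org>
Subject: Microsoft Windows Update
Content-Type: text/plain; charset=utf-8

Your system may be at risk. Please visit the update page:
http://update-page.example.net/windows/login
"""

if __name__ == "__main__":
    print(suspicious_update_links(SAMPLE_PHISH))
```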
“At first glance, if you don’t look too carefully, the emails entitled ‘Microsoft Windows Update’ may appear harmless enough,” wrote Sophos senior technology consultant Graham Cluley.
“But the grammatical errors and occasional odd language should raise alarm bells that the emails may not really be from Microsoft.”
The phishing attack could prove particularly effective as it arrives amid the rollout of a critical security patch from Microsoft. The out-of-band update, posted by the company on Friday, addresses a high-profile vulnerability in the 32-bit Windows XP versions of Internet Explorer 7 and 8. More recent versions of the browser and operating system are not considered to be vulnerable.
The flaw, which is triggered by way of an infected .swf file, had been exploited by attackers to perform covert malware installations.
While Microsoft has said that the scope of the attacks is “extremely limited,” security experts and government agencies have gone so far as to advise users to consider the use of third-party web browsers on unpatched systems.