Mailing Service Email Scam

20/10/2009: A new email scam is becoming very prevalent at this time. The emails suggest you follow a link because your email service has been updated and you need to apply the settings. Details are below.

If you receive any of these emails, just delete them – do not click on the link.

23/10/2009 Update: There are now many other scam emails following the same basic formula and becoming very prevalent in their own right. In particular, there is a message pretending to be from “Microsoft Update Centre” with a subject line suggesting an update to Microsoft Outlook. Once again the link appears to go to microsoft.com, but checking the code behind the link will show a location similar to those in the examples below. Microsoft would not write to you in this manner and they probably wouldn’t have your email address anyway, unless you signed up to something in particular. Do not follow the links in these emails.

If you are a client and have any questions regarding anything here, please do not hesitate to contact us.

 


Scam Email Details:

Subject Line

The subject line varies, but will be something like these examples:

  • The settings for the yourname@yourdomain.tld mailbox were changed
  • A new settings file for the yourname@yourdomain.tld
  • For the owner of the yourname@yourdomain.tld mailbox

Subject line examples for the Microsoft Outlook update scam message:

  • Microsoft Outlook Update
  • Microsoft Outlook Critical Update
  • Critical Update for Microsoft Outlook
  • Microsoft has released an update for Microsoft Outlook

 

Message Content

The Mailing Service scam message body content is always the same:

 

Dear user of the athenaeum.co.uk mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox (yourname@yourdomain.tld) settings were changed In order to apply the new set of settings click on the following link:

http://yourdomain.tld/owa/service_directory/settings.php?email=yourname@yourdomain.tld&from=yourdomain.tld&fromname=yourname

Best regards, yourdomain.tld Technical Support.

 

Message body example for Microsoft Outlook update scam:

 

Critical Update

Update for Microsoft Outlook / Outlook Express (KB910721)

Brief Description

Microsoft has released an update for Microsoft Outlook / Outlook Express. This update is critical and provides you with the latest version of the Microsoft Outlook / Outlook Express and offers the highest level of security and stability.

Instructions

  • To install Update for Microsoft Outlook / Outlook Express (KB910721) please visit Microsoft Update Center:

http://update.microsoft.com/microsoftofficeupdate/KB910737/default.aspx?ln=en-us&email=yourname@yourdomain.tld&id=189498373959390202939249578492030945845900239

Quick Details

  • File Name: officexp-KB910721-FullFile-ENU.exe
  • Version: 1.5
  • Date Published: Fri, 23 Oct 2009 10:31:33 +0100
  • Language: English
  • File Size: 100 KB

System Requirements

  • Supported Operating Systems: Windows 2000; Windows 98; Windows ME; Windows NT; Windows Server 2003; Windows XP; Windows Vista
  • This update applies to the following product: Microsoft Outlook / Outlook Express

 

About the links

If you check, you will find the link does not go to your domain (or to microsoft.com in the case of the Outlook scam). It actually goes somewhere like this:

  • http://yourdomain.tld.ttl1lil.net/owa…
  • http://yourdomain.tld.ffffefvi.co.uk/owa…
  • http://yourdomain.tld.ttl1lll.net/owa…
  • http://update.microsoft.com.n111saq.eu/…
  • http://update.microsoft.com.bbttyap.me.uk/…
  • http://update.microsoft.com.ujihkoi.eu/…

 

These hostnames are built with your domain name (or update.microsoft.com) as the sub-domain part, but the page you are actually viewing sits on a web server running the ttl1lll.net (or whichever) domain.

The top three examples above are apparently registered in Sao Paulo & Tokyo, but the IP addresses of the web servers point to Korea, Thailand, Spain and others, mainly Korea.
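
The check described above can be automated in a mail filter. The following is an added example, not part of the original post: it compares the host shown in each link's text with the host in its href and flags links where a trusted domain appears only as leading labels of some other domain. The function names, the trusted-domain list and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_of(url):
    """Lower-cased hostname of an absolute URL, or '' if there is none."""
    try:
        return (urlsplit(url.strip()).hostname or "").rstrip(".")
    except ValueError:
        return ""

def belongs_to(host, domain):
    """True only if host is the domain itself or a genuine subdomain of it."""
    return host == domain or host.endswith("." + domain)

class AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit(html, trusted):
    """Return (shown_host, real_host, imitated_domain) for deceptive links."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        shown, real = host_of(text), host_of(href)
        if not real or any(belongs_to(real, d) for d in trusted):
            continue  # relative link, or really on a trusted domain
        for d in trusted:
            # Trusted name used as leading labels, or shown text claims it.
            if f".{d}." in f".{real}." or belongs_to(shown, d):
                findings.append((shown, real, d))
                break
    return findings

# Constructed sample: hostnames from the examples above, markup assumed.
SAMPLE = """<a href="http://update.microsoft.com.n111saq.eu/">http://update.microsoft.com/</a>
<a href="http://yourdomain.tld.ttl1lil.net/owa/">http://yourdomain.tld/owa/</a>
<a href="http://update.microsoft.com/">Microsoft Update</a>"""
```

Calling audit(SAMPLE, ["microsoft.com", "yourdomain.tld"]) reports the first two links and passes the third, because only the end of a hostname decides which domain serves the page.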
