Researchers warn of bogus Microsoft patch spam

Users are being warned of a new phishing scam falsely telling recipients they need to download a Microsoft patch.

SANS Internet Storm Center handler Donald Smith has written on the organisation's blog that several readers reported receiving emails, from four different domains, claiming to be from Microsoft.

The emails - some of which include the recipient's full name and the company they work for in the letter body - inform recipients that they must download a fix to address a zero-day vulnerability affecting Outlook, according to one of the messages posted on the SANS site.

The email, which contains some misspellings, tells the user that if exploited, the flaw can "take full control of the vulnerable computer if the exploitation process is succesfull (sic)." It attempts to dupe users into visiting a site that appears like a legitimate Microsoft page.

A Microsoft spokesman told SCMagazine.com today that users should verify a site's certificate to ensure they are at a legitimate site.

"Spoofing attacks are commonly used in conjunction with phishing," the spokesman said.

Several anti-virus companies identified the malicious emails as containing a trojan downloader.

Earlier this month, researchers warned of an email campaign issuing bogus Microsoft security advisories, which contained a malicious executable that installed a browser add-on to the victim's PC.