The text of a genuine notification is copied to make the malicious email look more legitimate

Sep 18, 2012 20:21 GMT

In most cases, when they try to make up their own text for malware-spreading campaigns, cybercriminals fail because most of the messages they write are full of typos and words that wouldn’t be used by a legitimate company. To address these issues, spammers have started copying genuine notifications.

A perfect example is provided by Sophos researchers who have identified a series of emails which purport to announce “important changes to Microsoft Services Agreement.”

Here’s a small part of the email:

We've updated the Microsoft Services Agreement, which governs many of our online services - including your Microsoft account and many of our online products and services for consumers, such as Hotmail, SkyDrive, Bing, MSN, Office.com, Windows Live Messenger, Windows Photo Gallery, Windows Movie Maker, Windows Mail Desktop and Windows Writer.

Please read over the new Microsoft Services Agreement in the attached file to familiarise yourself with the changes we've made.

The text itself is legitimate: the Redmond company sent this notice to customers at the end of August. However, unlike the genuine alert, the version sent out by cybercriminals also carries an attachment called Microsoft-Services-Agreement.pdf.exe. On operating systems where file extensions are hidden, it appears to be an innocent PDF file, but in reality it is an executable that installs itself as a Trojan (detected by Sophos as Troj/Backdr-HG) and adds an entry to the system's registry so that it runs automatically each time the computer is started.
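The double-extension trick described above can be checked for mechanically. The following is an added example, not code from the article or from Sophos: it parses a raw email, and flags any attachment whose real extension is executable while the name it would display with extensions hidden looks like a document. The message, sender address and attachment bytes are all constructed for the demonstration.

```python
# Added example, not from the article or from Sophos: flag e-mail attachments
# whose name hides an executable behind a document extension, as with
# Microsoft-Services-Agreement.pdf.exe shown as a ".pdf" when extensions are hidden.
import email
from email import policy
from email.message import EmailMessage

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

def displayed_name(filename: str) -> str:
    """Name as shown with known extensions hidden: 'x.pdf.exe' -> 'x.pdf'."""
    base, _, _ = filename.rpartition(".")
    return base or filename

def classify_attachment(filename: str) -> str:
    """Return 'disguised-executable', 'executable' or 'ok'."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    # executable whose visible (hidden-extension) name ends in a document type
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return "disguised-executable"
    return "executable"

def suspicious_attachments(raw: bytes) -> list:
    """Parse a raw RFC 822 message; return (filename, verdict) for every
    attachment that is an executable, disguised or not."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name and classify_attachment(name) != "ok":
            findings.append((name, classify_attachment(name)))
    return findings

def build_sample() -> bytes:
    """Constructed message modelled on the campaign in the article."""
    m = EmailMessage()
    m["From"] = "Microsoft <noreply@example.invalid>"  # constructed sender
    m["Subject"] = "Important changes to Microsoft Services Agreement"
    m.set_content("Please read over the new Microsoft Services Agreement in the attached file.")
    m.add_attachment(b"MZ" + b"\x00" * 14,  # constructed bytes, not a real binary
                     maintype="application", subtype="octet-stream",
                     filename="Microsoft-Services-Agreement.pdf.exe")
    return m.as_bytes()

if __name__ == "__main__":
    for name, verdict in suspicious_attachments(build_sample()):
        print(f"{name}: {verdict} (displayed as {displayed_name(name)!r})")
```

A mail gateway or endpoint filter applying the same rule would catch the sample regardless of how convincing the copied text is.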

We advise Internet users to be careful when opening such emails. Although they seem legitimate and bear all sorts of trustworthy logos and company names, they can hide a nasty piece of malware.

In particular, beware of .exe files attached to emails. They may be the only difference between a real and a fake message, but if you fail to notice it, you could soon end up with an infected computer.