Anatomy of a Scam Email

A little while ago I received warnings on a couple of mailing lists of a new email scam claiming to be from Microsoft. There was some suggestion that this particular scam was well structured and more convincing than most, although everyday experience tells us that phishing emails don’t have to be very convincing at all to get passwords (or whatever) out of some computer users.


This is an example of the message that’s going round. It links to an MSI file that you should install “in order to keep your computer and data safe” – I’ve broken up the URL so that nobody clicks on it by accident – it’s malware that wasn’t detected by all anti-virus packages at the time.


From: Microsoft <updates@mcrsoft.com>
Subject: Attention: Microsoft Office
To: Recipients <updates@mcrsoft.com>

Dear Microsoft Office user, through our annonymous statistical
information collection system built into all Microsoft Office
products, we have detected that your system is currently lacking 3
critical Office patches. These patches are for Microsoft Word,
Microsoft PowerPoint and Microsoft Outlook, in order to keep your
computer and data safe we urge you to go to
Microsoft Download Center and download the Microsoft Office Critical Update
Pack available on our website.

You can do this by searching for the patch on our website or
directly at:

http dot slash slash fileserver dot updateservermicrosoft dot net/MS00285913/CriticalUpdates/

Sincerely,

Microsoft Office Support
Cardinal Place
80-100 Victoria Street 
London
SW1E 5JL


Now, there are a bunch of reasons why you are too clever to be caught out by this. You’ve already seen a bunch of them, haven’t you? You wouldn’t be foolish enough to fall for this, I know. But let’s break it down just for fun anyway…


First up are the email addresses in the header. That’s obviously not how you spell Microsoft, and Microsoft haven’t run out of addresses @microsoft.com, so they wouldn’t be using anything else. The trouble here is that this could potentially be much worse. Email is horrendously insecure: the From: address is just a line of text the sender writes, SMTP itself does nothing to verify it, and it’s very simple to send an email that looks like it comes from absolutely any address whatsoever.


Some mail servers won’t relay email unless the sender authenticates first, and some receiving servers won’t accept email purporting to be from a domain if it didn’t originate from a server that domain has designated in DNS (that’s what SPF records are for). Frankly though, there are loads of systems that are wide open, so you can pretty much assume that the address an email comes from isn’t proof that it came from that person/organisation.
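To make that concrete, here is an added example (my own code, not anything from the original post) that does what a receiving server can do with a message like the one above: pull the visible From: domain and the envelope sender (Return-Path) out of the headers, take the connecting IP from the Received: line, and evaluate each domain’s SPF record against it. The message, the IP addresses and the SPF records are all constructed for the example; the DNS lookup is replaced by an in-memory table so it runs offline, and only the ip4 and all mechanisms are implemented.

```python
"""Is the visible From: address of an email backed by anything?

Added example, not from the original post.  Parses a constructed message,
compares the header From: domain with the envelope sender (Return-Path),
and evaluates a minimal SPF policy for the connecting IP.  SPF records come
from an in-memory table standing in for DNS TXT lookups (assumed values).
"""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: the header From: claims mcrsoft.com, the
# envelope sender is a different domain, and the handing-over host is one
# the claimed domain never authorised.  Addresses are documentation ranges.
RAW_MESSAGE = """\
Return-Path: <bounce@bulk-sender.example>
Received: from mail.bulk-sender.example (mail.bulk-sender.example [203.0.113.5])
        by mx.recipient.example with ESMTP id abc123
From: Microsoft <updates@mcrsoft.com>
To: Recipients <updates@mcrsoft.com>
Subject: Attention: Microsoft Office

Dear Microsoft Office user, ...
"""

# Stand-in for DNS TXT records (assumed values, not real records).
SPF_RECORDS = {
    "mcrsoft.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "bulk-sender.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}


def domain_of(addr_header):
    """Return the domain part of an address header, lower-cased."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def spf_check(domain, client_ip, records=SPF_RECORDS):
    """Evaluate an SPF record for client_ip (ip4 and all mechanisms only).

    Returns "pass", "fail", "softfail", "neutral" or "none" (no record).
    """
    record = records.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qual = "+"                      # default qualifier is "+"
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        if term == "all":
            return qualifiers[qual]
        if term.startswith("ip4:"):
            # An IPv6 client never matches an ip4 network.
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return qualifiers[qual]
    return "neutral"                    # fell off the end of the record


def sender_analysis(raw, records=SPF_RECORDS):
    """Compare the visible From: with the envelope sender and run SPF on both."""
    msg = message_from_string(raw)
    header_from = domain_of(msg["From"])
    envelope_from = domain_of(msg["Return-Path"])
    # Connecting IP from the topmost Received: header (added by our own MX).
    client_ip = msg["Received"].split("[", 1)[1].split("]", 1)[0]
    return {
        "header_from": header_from,
        "envelope_from": envelope_from,
        "aligned": header_from == envelope_from,
        "spf_header_from": spf_check(header_from, client_ip, records),
        "spf_envelope_from": spf_check(envelope_from, client_ip, records),
    }


if __name__ == "__main__":
    for key, value in sender_analysis(RAW_MESSAGE).items():
        print(f"{key:>18}: {value}")
```

Run it and the point of the paragraph falls out of the output: SPF on the envelope sender passes, because the scammer’s own domain happily authorises the scammer’s own server, while the domain in the From: line the user actually sees fails outright. A receiver that only checks SPF on the envelope (which is what SPF specifies) would accept this message; catching it needs the extra step of requiring the two domains to line up, which is the check DMARC adds on top of SPF.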


The next thing that is often part of a scam email is bad speeling or grammar. This one is better than most, but even if I haven’t screwed up the line breaks (which I may have – I didn’t receive the message first-hand), this bit is suspect:


Dear Microsoft Office user, through…


You’d expect a line break after the comma there. It may have been in the original message (if this really was from Microsoft it would have been), but if there was a line break, “through” would be capitalised.


The next bit is the one that I would expect more people to miss:


through our annonymous statistical information collection system built into all Microsoft Office products, we have detected that your system…


Now some Microsoft products do optionally collect anonymous user data to feed back into their development cycle, so that’s plausible, right?


The key thing here is that word “annonymous” (which is spelt incorrectly, but that’s only part of the point). If the data is anonymous, how would they know that it was your system, or know your email address to warn you about it?


They wouldn’t. Nobody will ever be able to contact you with a targeted message based on anonymous data. That’s just nonsensical.


Other stuff that should ring alarm bells, although these require a bit of background knowledge…


Microsoft delivers critical patches via Windows Update. If they needed you to apply a critical patch, they’d simply direct you to Windows Update, or at the very least a page on microsoft.com.


The physical address is Microsoft’s London office, so at least the scammer went to the trouble to check that out. However, they didn’t bother to find out what Microsoft does there. A quick search would have uncovered this: “Our London office primarily serves the MSN and Xbox teams, although the ground floor is set up for hot-desking to ensure that any of our employees can work from this office when they are in London.” Critically, it doesn’t include Microsoft Office Support.


The scammers are getting better, but they need to try much harder if they’re going to fool anyone with a decent dose of both scepticism and common sense (unfortunately there are too many people lacking one or both of those).