how to report hack scam to Microsoft?

Igor

How can I report a hack scam to MS involving its website?

I received an e-mail that says I need to do a Windows security update.
Unlike the other bogus e-mails like this I have received, this one did not
have an attachment. Instead, it has links that are disguised. I do not
understand exactly how the bad guy is trying to hurt me, but my firewall
tells me strange things just when I try to copy and paste one of the
apparent MS webpage links -- http://email.microsoft.com/m/s.asp, which is
followed by a ? and then a char string. Specifically, just by trying to
paste the link into an e-mail in NS mail the firewall lights up and stops a
comm from 64.246.28.73 : 62811 on port 2282. I traced that to an ISP in
Texas but they want to know everything about me, my IP address, my system,
etc., to take a report and I am not inclined to do that.

The pages at the links look just like the MS webpages -- and, I think they
are, but there must be some overarching control being exerted by the
hacker.

Anyway, rather than me trying to work through this with the ISP (assuming I
have identified it correctly), how can I report it to MS? I would think
that they might be interested, but they certainly do not make contact info
easy to come by. Thanks.
 
Brian A.

Igor,
Microsoft is aware of emails that are sent using their name. MS also never sends an
email for any updates/patches, all updates/patches can be acquired from their update
site. All of these emails carry some type of virus and if you clicked on the links to
see the pages, you should run a full system scan with up to date virus defs.



--


Brian A.

Jack of all trades, Master of none. One can never truly be a master as there is
always more to learn.
 
GSV Three Minds in a Can

Igor said:
How can I report a hack scam to MS involving its website?

MS are totally aware of this, as a quick rummage through their website
would reveal. Use spamcop to nail the source.
 
Sugien

Brian A. said:
Igor,
Microsoft is aware of emails that are sent using their name. MS also never sends an
email for any updates/patches, all updates/patches can be acquired from their update
site. All of these emails carry some type of virus and if you clicked on the links to
see the pages, you should run a full system scan with up to date virus defs.


Not completely or exactly true. It is true that M$ never sends any
updates or patches via an attachment; it is NOT always true that they don't
send an email pointing the user to an update on their page. You can
subscribe to the M$ security warning page or some such name, I forget the
exact name for it; but they will then send you an email warning you of any
security problems or anything you need be made aware of; but it will only be
an email and will NOT have any attachments. It will however contain a link
to a legitimate M$ page which has the update or patch you need.
If however a person has OE/O set up to read all email as text only you
will still see the paper clip attachment even if there is no actual
attachment; because of the email containing HTML stationery. When you are
set up to read as text only any HTML is sent along as an attachment.
I guess I could be wrong and in the light of the recent bum rush of
bogus M$ emails with attachments, that maybe M$ has stopped sending out
their regular warning to corporate and other users that have subscribed to
their security and update email list; but if they have it is news to me;
because I used to be on that list; but have since had myself removed from it;
because I figure the best person to rely on for my system's security is me;
because I have a vested interest in keeping it bug/hole/virus/malware free.
 
Brian A.

Sugien,
I will not argue the point that you can request MS to send you info, updates and
patches. However, if the OP did not do this and he is getting emails claiming to be
from them, then he best beware of the implications of opening them and following
anything contained within. AFAIK the OP never subscribed because he never mentioned
it.

--


Brian A.

Jack of all trades, Master of none. One can never truly be a master as there is
always more to learn.

 
Sugien

Brian A. said:
Sugien,
I will not argue the point that you can request MS to send you info, updates and
patches. However, if the OP did not do this and he is getting emails claiming to be
from them, then he best beware of the implications of opening them and following
anything contained within. AFAIK the OP never subscribed because he never mentioned
it.


Actually the ones that *did* request the info from M$ have to be the most
vigilant; because they *are* expecting email from M$; but *EVERYONE* should
know that M$ *Never*, *Never EVER*, sends out their updates and or patches
as an attachment, and those that are expecting email from M$ must make
absolutely sure that the link they click on takes them to an actual M$ site;
because of the fake URL type of malware, as in this fake url which at first
glance to the untrained eye looks to be a link to M$; but upon closer
inspection you can see it actually takes you to a warning page on my site
that warns about blindly clicking on a link:
http://www.microsoft.com&[email protected]/microsoft/security/updates/current.html



The above link is of course harmless and only tries to lock the user into
the page until they read and understand the dangers of blindly clicking on a
URL without first inspecting the URL for hanky panky.
 
Gary S. Terhune

After inspecting the email in question, it is from a subscription service
contracted out to Digital Impact by MS, and legit. Though as I also explained to
Igor, I am surprised he got it without already knowing about the service, unless
it's a case of MS changing from an in-house function to one that is farmed out.
The "hidden" links really do pass through to the pages they purport to link to,
they're just redirects from Digital Impact's own server--either to track the
hits or due to the database driven creation of the email, or both. Every way I
came at it proved to be legit.

--
Gary S. Terhune
MS MVP for Windows 9x

*Recommended Help Sites*
http://www.dts-l.org
http://www.mvps.org
http://www.aumha.org

How to Use the Microsoft Product Support Newsgroups
http://support.microsoft.com/?pr=newswhelp
+++++++++++++++++++++++++++++++++++++++++
 
Tim

Though as I also explained to
Igor, I am surprised he got it without already knowing about the service, unless
it's a case of MS changing from an in-house function to one that is farmed out.

Digital Impact is a spammer. They are probably getting paid per hit or
per click by MS. In all likelihood, they've signed Igor up without his
consent either by purchasing a Millions email address CD, buying his
email address from another spammer, or as the result of someone using
a (to them) bogus email address.

Google groups for digital impact
 
Hugh Candlin

Brian A. said:
Sugien,
I will not argue the point that you can request MS to send you info, updates and
patches. However, if the OP did not do this and he is getting emails claiming to be
from them, then he best beware of the implications of opening them and following
anything contained within. AFAIK the OP never subscribed because he never mentioned
it.

Here is the email I got from MS this morning, seeming to say
that they are sending it to every customers email address,
whether they are signed up for the Security notification or not.
I cannot be sure, because I am signed up.

I just wish that I could have specified an OS when I signed up,
so that they wouldn't send me irrelevant bulletins,
but I guess the systems design team never thought of that.


*** PLEASE NOTE: Due to the critical importance of this message,
this communication is being sent to all of our Microsoft customers
to alert you of this Security Bulletin. ***

It has been widely reported in the press and on Microsoft's own web
site, that on July 16th we released a critical security bulletin
(MS03-026) and a patch regarding a vulnerability in the Windows
operating system. We wanted to make sure that if you were not aware
of this bulletin and corresponding patch that you take a moment to
go to http://www.microsoft.com/security/security_bulletins/ms03-026.asp
to find out if you are running an affected version of
the Windows operating system and get the specific information as to
what you need to do to apply this patch if you have not already.

Although we encourage you to pay attention to all security bulletins
and to deploy patches in a timely manner we wanted to call special
attention to this particular instance as we have become aware of
some activity on the internet that we believe increases the
likelihood of the exploitation of this vulnerability. Specifically,
code has been published on several web sites that would allow
someone to spread a worm/virus that takes advantage of the
vulnerability in question thereby impacting your
computing environment.

Although it is our goal to produce the most secure and dependable
products possible, we do become aware of these types of
vulnerabilities. In order to minimize the risks of such
vulnerabilities to your computing environment, we encourage you to
subscribe to the Windows Update service by going to
http://www.windowsupdate.com and also subscribe to Microsoft's
security notification service at
http://register.microsoft.com/subscription/subscribeme.asp?ID=135
if you have not already. By
subscribing to these two services you will automatically receive
information on the latest software updates and the latest security
notifications thereby improving the likelihood that your computing
environment will be safe from worms and viruses that occur.

We apologize for any inconvenience the implementation of this patch
might cause and appreciate you taking the time to update
your system.

Thank you,
Microsoft Corporation
 
Igor

MS are totally aware of this, as a quick rummage through their website
would reveal. Use spamcop to nail the source.

Well, you must be a better rummager than I. What are they "totally aware
of"? A link would be helpful.

What I found at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/patch_hoax.asp
is this:

"Some of the emails claim to be a security patch for Windows or Internet
Explorer, others are more generic. There are several clues which indicate
that the e-mails aren’t a bona fide security bulletin or patch:

"The e-mail isn't signed using the Microsoft Security Response Center’s
digital signature.
"The Microsoft Security Response Center always signs its bulletins before
mailing them, and you can verify the signature using the key we publish at
http://www.microsoft.com/technet/security/bulletin/notify.asp. If you are
ever in doubt about the authenticity of a bulletin mailer you’ve received,
consult the web-hosted bulletins on the Microsoft Security web site – the
versions there are the authoritative source for information on Microsoft
Security Bulletins. "

The e-mail I received is not digitally signed. So, that suggests either
(1) someone broke MS protocol and sent out an unsigned e-mail notice, (2)
in some way the e-mail is bogus, or (3) I am still missing something.

At the moment, based on the evidence at hand, I place my money on #1.

Can anyone who knows he/she is signed up for these bulletins confirm that
they are always (otherwise) signed?
 
Gary S. Terhune

Here is a paragraph from Technet Flash, Volume 5, Issue 3, Feb. 4, 2003

" Learn how Microsoft uses our own technology to run our business.
Attend the Open Campus event on February 10, 2003 and see how we use and manage
our own technology to run our day-to-day business and operations. Presented live
by leaders from Microsoft's Operations and Technology Group. Learn more and
register at: http://email.microsoft.com/m/p/msf/bts/a.asp"

email.microsoft.com is hosted by Digital Impact, as are many mail lists of other
major corporations.

This was *not* a Security Bulletin. It was a notice sent to email.microsoft.com
subscribers advising them of the Bulletin. Subtle though the difference may be,
it is a difference, none the less. As I told you, Igor, I don't understand how
you would have received this *unless* you had subscribed to email.microsoft.com.
*I* certainly haven't received it, and I'm signed up for practically every
Microsoft Newsletter that's offered through Passport (don't usually read them,
but I keep them for reference.)

I see nothing nefarious in this situation. Over-zealousness, perhaps, but when
the Dept. of Homeland Security issues a warning of the *DANGER* of not patching
systems in the face of this incredible threat (hey, I'm being at least half
facetious, here, OK?), and it's plastered all over the news as a potential
threat to security apparently only slightly less threatening than Al Qaeda-made
cameras, can you blame otherwise sane people for over-reacting?

--
Gary S. Terhune
MS MVP for Windows 9x

*Recommended Help Sites*
http://www.dts-l.org
http://www.mvps.org
http://www.aumha.org

How to Use the Microsoft Product Support Newsgroups
http://support.microsoft.com/?pr=newswhelp
+++++++++++++++++++++++++++++++++++++++++
 
Igor

Here is a paragraph from Technet Flash, Volume 5, Issue 3, Feb. 4, 2003

" Learn how Microsoft uses our own technology to run our business.
Attend the Open Campus event on February 10, 2003 and see how we use and manage
our own technology to run our day-to-day business and operations. Presented live
by leaders from Microsoft's Operations and Technology Group. Learn more and
register at: http://email.microsoft.com/m/p/msf/bts/a.asp"

email.microsoft.com is hosted by Digital Impact, as are many mail lists of other
major corporations.

This was *not* a Security Bulletin. It was a notice sent to email.microsoft.com
subscribers advising them of the Bulletin. Subtle though the difference may be,
it is a difference, none the less.

[snip]

When you say "This", you mean the e-mail you quoted or the one I rec'd?
Anyway, I just think that when a digitally unsigned e-mail shows up linking
me to a non-secure webpage that asks me to DL a patch -- which, as best I
can tell, is not digitally signed -- this is all reasonably to be suspect.
And so if this is MS standard procedure it is not a good one, IMO, because
it is open to abuse by people meaning to do harm. As for any distinction
between a "Bulletin" and a "bulletin", I can appreciate that conceptually
but IMO it is terrible practice if MS is depending on its consumer
customers (and even its commercial ones) to notice such differences.

When a gas company service person shows up at my door unannounced, I'll
want to at least see a uniform and maybe an ID. Yes, both can be faked,
but that's a basic check. If MS is sending out important security e-mail
that does not originate at its domain (according to the full header it
started at Globix and then went to Digital Impact), is unsigned, and goes
to a non-secure website, it is providing even less than the gas company is
in my example. And, all this is in the context of the recent phisher site
news.

Of course, many consumers do not know what a digital signature is. I used
to use a cert to sign my e-mail but I stopped because so many people
thought that I was trying to send them an attachment that they could not
open. Yet, that is MS' burden.

Bottom line is that MS tells us to be suspicious of e-mails urging us to do
something to fix security problems. Then, at its site it says that
"Security Bulletins" -- "Whatever they are?", says the consumer -- are
always signed, yet the e-mail I received is not. What am I to think?

Again, thanks for the information.
 
FromTheRafters

Igor said:
Thanks for all the research. The e-mail just looks so much like the other
bogus ones I get with "security patches". And, as you note, it does not
actually come from an MS domain.

Considering all the recent news about "phisher" sites, it might be better
practice for MS to not include clickable links -- in spite of the loss of
convenience because the url will have to be typed in. MS could come up
with a short URL for such notices -- e.g., microsoft.com/secnotes -- and in
the e-mail they can provide navigation guidance once someone manually surfs
there. FWIW.

They probably expected this to generate a lot of traffic and wanted
to avoid bottlenecks.
 
Igor

You have the right attitude about this Igor. If MS notifies you that a patch is
available, they will also quote the patch number. The *only* safe method is to
go to Windows update and DL from there or search the KB for it. Never follow
links in Emails.
See the following page for more information on Microsoft's policy regarding
software distribution.
http://www.microsoft.com/technet/security/policy/swdist.asp

Thanks. I went to the link you provided (What??!!!) and I found this:

"We always use Authenticode to digitally sign our products and allow you to
ensure that they have not been tampered with."

Whenever I do an update with an MS product I do sometimes see the license
agreement pop-up but I have never seen any digital cert or "Authenticode".
Is this invisible, as it is with Norton AV, for example, do you know? Even
though it _seems_ to be done through the browser, I do not get any
"warning" that requires me to say OK.
 
Sugien

FromTheRafters said:
The part that says "dino-soft.org" could just as easily be a numerical
IP address to further obfuscate the true nature of the link couldn't it?

I would think so, you also might even be able to use the old dotless IP bug
if the person wasn't patched. I don't however know if the server that page
is hosted on will work that way; because my son-in-law set it up and pays
for it and the only thing I do is send up my files and such and he takes
care of the payments and the day to day and the logs and such.
However I have tried before to put in the IP; but for some reason it
won't work. I don't know if it is just because using the fake URL won't
allow the use of an IP or just the ISP. I think it is just the way that
particular ISP is set up; because I have seen the fake URL used before with
just an IP number.
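
The "fake URL" trick discussed in this thread (a trusted name placed before an `@`, optionally with the real host written as a bare number) can be checked mechanically before anyone clicks. The following is an added example, not part of any post in the thread; the sample e-mail body, the `item=` value, `www.example.org` and `192.0.2.10` are constructed placeholders, and only the decimal dotless-IP form is handled.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

def _as_ip(host):
    """Return the dotted form if host is an IP literal or a dotless decimal IP."""
    try:
        if host.isdigit():                      # e.g. 3221225994 == 192.0.2.10
            return str(ipaddress.IPv4Address(int(host)))
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None

def inspect_url(url, expected_domain="microsoft.com"):
    """Return (host actually contacted, list of findings) for one link."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()       # hostname excludes userinfo
    findings = []
    if "@" in parts.netloc:
        # Text before '@' is userinfo; it only looks like the destination.
        findings.append("userinfo")
    ip = _as_ip(host)
    if ip is not None:
        findings.append("dotless-ip" if host.isdigit() else "ip-literal")
        host = ip
    if host != expected_domain and not host.endswith("." + expected_domain):
        findings.append("off-domain")
    return host, findings

def _shown_host(text):
    """Host named by the visible link text, or None if the text is not a URL."""
    try:
        shown = urlsplit(text if "://" in text else "//" + text).hostname
    except ValueError:
        return None
    if shown and "." in shown and " " not in shown:
        return shown.lower()
    return None

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_email_html(html, expected_domain="microsoft.com"):
    """Audit every link in an HTML e-mail body; returns [(host, findings)]."""
    collector = AnchorCollector()
    collector.feed(html)
    report = []
    for href, text in collector.links:
        host, findings = inspect_url(href, expected_domain)
        shown = _shown_host(text)
        if shown is not None and shown != host:
            findings.append("text-mismatch")    # displayed host != real host
        report.append((host, findings))
    return report

# Constructed sample body: two disguised links and one genuine link.
SAMPLE_HTML = """
<a href="http://www.microsoft.com&amp;item=q209354@www.example.org/updates/current.html">http://www.microsoft.com/security/</a>
<a href="http://www.microsoft.com@3221225994/patch.html">Download the patch</a>
<a href="http://www.microsoft.com/security/">www.microsoft.com/security</a>
"""

if __name__ == "__main__":
    for host, findings in audit_email_html(SAMPLE_HTML):
        print(host, findings or "ok")
```

A subdomain such as `email.microsoft.com` passes the `off-domain` check, which matches what the thread found about that host; whether a delegated subdomain deserves trust is a separate question from whether the link is disguised.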
 
Robert Moir

Gary said:
Here is a paragraph from Technet Flash, Volume 5, Issue 3, Feb. 4,
2003

" Learn how Microsoft uses our own technology to run our
business. Attend the Open Campus event on February 10, 2003 and see
how we use and manage our own technology to run our day-to-day
business and operations. Presented live by leaders from Microsoft's
Operations and Technology Group. Learn more and register at:
http://email.microsoft.com/m/p/msf/bts/a.asp"

email.microsoft.com is hosted by Digital Impact, as are many mail
lists of other major corporations.

That would explain why I didn't get it.

http://groups.google.com/groups?as_....admin.net-abuse.email&lr=&as_scoring=d&hl=en

Actually, I think it's a poorly thought out move on Microsoft's part to
a) contract out security warnings to other people, given the need for
absolute trust in these matters and the fact that Microsoft have managed to
create an overdraft in many people's trust "bank accounts" in the past.

b) having decided to contract these things out, to do so to an alleged
spamhaus who have a terrible reputation.

I see nothing nefarious in this situation. Over-zealousness, perhaps,
but when the Dept. of Homeland Security issues a warning of the
*DANGER* of not patching systems in the face of this incredible
threat (hey, I'm being at least half facetious, here, OK?), and it's
plastered all over the news as a potential threat to security
apparently only slightly less threatening than Al Qaeda-made cameras,
can you blame otherwise sane people for over-reacting?

If we're talking about the security department at Microsoft, yes I can. They
are supposed to be professionals.
 
David

You're always best to just surf to the MS site directly. Then you don't have
to analyze every email for validity. If there is a valid patch available it
will be posted on MS's update, download and/or technet sites. Even if this
particular instance was valid there are obvious questions as to all the
intentions. Keep in mind spammers are spammers to us, but to the corporate
world that uses them they are valid outlets for advertising or datamining.
It is so easy to replicate the format of valid security alerts that even in
that case it is best to surf directly to the valid source of patches in lieu
of clicking-through.
 
Gary S. Terhune

"This" means the email you received.

Yes, it was an ill-advised action, though probably not on the part of MS but on
the part of their "partner". I simply quoted the previous TechNet email to show
you that DI *is* a Microsoft sub-contractor. I don't think anyone at MS had
anything to do with it, directly, though I really don't know.

I agree that it was a poorly thought out action, and complaints to MS are
warranted. I was more concerned with determining whether it was or was not a
malicious email. So far as I can determine, it was not.

--
Gary S. Terhune
MS MVP for Windows 9x

*Recommended Help Sites*
http://www.dts-l.org
http://www.mvps.org
http://www.aumha.org

How to Use the Microsoft Product Support Newsgroups
http://support.microsoft.com/?pr=newswhelp
+++++++++++++++++++++++++++++++++++++++++

 
Brian A.

Igor,

Can anyone who knows he/she is signed up for these bulletins confirm that
they are always (otherwise) signed?

Maybe Hugh or Gary can answer this.

--


Brian A.

Jack of all trades, Master of none. One can never truly be a master as there is
always more to learn.
 
