Phishing or exploitation messages are ten a penny now a days, but there is occassionally one that pops into the Inbox that can appear to even experienced users to be genuine.  A case in point is one that we have received today at our enquiries address.

This message, which we know have been received by other users, purports to say that an important service upgrade is required and that to complete it you need to download a file.  A sanitized version of the message is enclosed below:
From: tech-admin [mailto:tech-admin@appliedconsultancy.com]
Sent: 12 October 2009 16:12
To: enquiries@appliedconsultancy.com
Subject: Important Notification!

Attention!

On October 16, 2009 server upgrade will take place. Due to this the
system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail
service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server
software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the
link provided, to save the patch file and then to run it from your
computer location. That's all.

http://updates.appliedconsultancy.com.secure.first-systems.com/ssl/id=76040839057-enquiry@appliedconsultancy.com-patch11732.aspx

Thank you in advance for your attention to this matter and sorry for
possible inconveniences.

System Administrator

Disecting the message: Why this message is a con.

There are several indicators, but the most obvious one is the link.  Although it may be first purport to com from our domain appliedconsultancy.com, it actually doesn’t.  The full domain name listed is updates.appliedconsultancy.com.secure.first-systems.com.  The section in orange, first-systems.com, is the principle domain name, and the one that the link points to.   In other words, you click on this link, you will not be going where you may think you are going.

We have never heard of first-systems.com and consequently have nothing to do with them.

The next indicator is that there are no contact details supplied by the message.  Even the most frugal web host will supply and e-mail address and the web address of their support portal at the very least.

Another indicator is that the recipient e-mail address together with an ID Code (the part of the string with id=76040839057) is included in the link.  This is done so that the recipient server not only get confirmation that the e-mail address is valid, but also an identifier of the person who clicked on the link.

Lastly, the final indicator with regards to the validity of this message is that it was sent from tech-admin[at]appliedconsultancy.com.  We do not have any such address or alias in service, either now, or in the past.

Recommendations

As with all Phishing, exploitation and con messages, the trick in avoiding them is to be aware and wary of messages from unknown sources.  Irrespective of the message content, if you don’t recognise the sender, assume that the message may be malicious in nature.  These messages are just a new variation on the con-trick.

At ACS, we do send out messages relating either to our services or ongoing customer support issues.  All of these messages will conform to the following rules:

• All support and technical messages from ACS Limited (including NamesAndSpace and SecureSiteSolutions) will be sent from the address support[at]appliedconsultancy.com and will contain a ticket reference number.
• We do not generally send out messages regarding server upgrades and maintenance work.
• All announcements regarding server upgrades and maintenance work  for our NameAndSpace servers will be made via this blog and on our support websites, http://support.appliedconsultancy.com.
• All messages will contain a full signature including our contact details and all legally required information.  You will never receive a message from us that end with just System Administrator

Our support team carries out a rolling program of maintenance and housekeeping work on all of our servers.

• All updates and upgrades to our NamesAndSpace servers are managed and carried out by our Support Team.  This process does not require the direct involvement of any of our customers.
• You will never be asked to download an application or file as part of an upgrade of our servers.

As always, if you are an ACS or NamesAndSpace customer and have received this or a similar message, please contact our support team if you have any concerns or queries.

Of late, there have been a few files uploaded to some hosting accounts that contained viruses and/or potentially malicious coding.

Our policy on such malware (Viruses, Spyware, Trojans etc) is well established – we don’t tolerate them under any circumstances.  Any uploaded file found to be, or containing, Malware is permanently deleted.

All of our N&S servers run AntiVirus software that is regularly updated, with full system scans taking place each night.  Any infected file will be deleted without any prior notification.

As some of our support customers may be aware, we had a problem earlier today with the e-mail feed for our support ticket facility.  In correcting the issue, some old updates were re-registered causing duplicate e-mail alert messages to be sent out.

If you were a recipient of these duplicate or out of date messages, we apologise for any inconvenience or confusion their arrival may have caused.  We have now implemented a number of extended measures to mitigate the possibility of this issue from reoccurring.

Our support team fully investigated this problem, and it was sourced to an old enemy: spam.  Out of all the messages we receive through the support e-mail address (support [at] appliedconsultancy [dot] com *) less than 2% are actually support related.  In this instance, a deluge of SPAM messages, mostly Russian in origin and content and with sizable attachments had filled up e-mail account.

Despite some progress in recent months, Spam continues to account for at least 80% of all e-mail traffic.  Increasingly, we are seeing spam messages containing some form of malware (Virus, Spyware, etc.) as an attachment.  Our recommendation on handling suspect e-mail messages remains the same: If you don’t recognise the sender,or have any doubts, don’t open the message and delete it.

* The support e-mail address is only accessible by registered ACS Support account holders and through their nominated e-mail addresses.  Any messages sent to this address from an unknown e-mail accounts are automatically deleted.

Microsoft has released a patch to correct the now well documented Zero Day Flaw in Internet Explorer that applies to all supported versions of Microsoft Windows.  The patch is available through Windows Update and provided your computer has been configured for Automatic Updates, you will be prompted to install it shortly.

If you are one of our corporate support customers, this patch will be automatically rolled out across your networks.  No further or direct action is required on your behalf.

The released patch only applies to versions of Windows that Microsoft still actively supports,principally:

• Windows 2000
• Windows XP
• Windows Server 2003
• Windows Vista
• Windows Server 2008

As Microsoft no longer actively supports Windows 95, Windows 98 or Windows ME, we would anticipate no correctiive patch will be issued for these operating systems.

This patch corrects a flaw that has been detected in Internet Explorer and its’ derivatives.  It does not apply to other Web Browsers like Mozilla Firefox, Opera and Google Chrome.

After many years of advertising the supposed immunity of Mac OS from Viruses and other Malware, Apple as has quietly reversed its’ position and recommended that Apple users install some form of AntiVirus software.  The brief article on Apple’s Support website recommends that Apple users should install some form of AntiVirus software to provide an additional layer of protection.

Although this article is not a reversal of Apple’s position on the susceptibility of Mac OS to viruses, it is a tacit recognition that Apple users are not immune to a variety of potential Web Application security threats.

Our experience has been that Mac OS users have been reluctant to install any form of AntiVirus protection, often stating the mantra that Mac’s don’t get viruses.  From our perspective, anyone who uses e-mail has a Duty of Care not further spread or diseminate malware.  We have seen a Mac user receive an e-mail that included a Windows Virus – which wouldn’t affect his machine – and then forward it onto a PC that thankfully did have AntiVirus protection installed that detected and eliminated the virus.

Irrespective of individual views on the entire Apple vs PC debate, it has always been the recommendation of ACS that every computer should have some form of AntiVirus protection installed that is updated regularly.

There are AntiVirus products for Mac OS available in the marketplace, and they do work.  Apple’s article suggest three (from Intego, Symantec and McAfee), but we have always had a positive experience using Sophos AntiVirus.