Phishing Alert: New message doing the rounds

Phishing or exploitation messages are ten a penny now a days, but there is occassionally one that pops into the Inbox that can appear to even experienced users to be genuine.  A case in point is one that we have received today at our enquiries address.

This message, which we know have been received by other users, purports to say that an important service upgrade is required and that to complete it you need to download a file.  A sanitized version of the message is enclosed below:
From: tech-admin [mailto:tech-admin@appliedconsultancy.com]
Sent: 12 October 2009 16:12
To: enquiries@appliedconsultancy.com
Subject: Important Notification!

Attention!

On October 16, 2009 server upgrade will take place. Due to this the
system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail
service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server
software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the
link provided, to save the patch file and then to run it from your
computer location. That's all.

http://updates.appliedconsultancy.com.secure.first-systems.com/ssl/id=76040839057-enquiry@appliedconsultancy.com-patch11732.aspx

Thank you in advance for your attention to this matter and sorry for
possible inconveniences.

System Administrator

Disecting the message: Why this message is a con.

There are several indicators, but the most obvious one is the link.  Although it may be first purport to com from our domain appliedconsultancy.com, it actually doesn’t.  The full domain name listed is updates.appliedconsultancy.com.secure.first-systems.com.  The section in orange, first-systems.com, is the principle domain name, and the one that the link points to.   In other words, you click on this link, you will not be going where you may think you are going.

We have never heard of first-systems.com and consequently have nothing to do with them.

The next indicator is that there are no contact details supplied by the message.  Even the most frugal web host will supply and e-mail address and the web address of their support portal at the very least.

Another indicator is that the recipient e-mail address together with an ID Code (the part of the string with id=76040839057) is included in the link.  This is done so that the recipient server not only get confirmation that the e-mail address is valid, but also an identifier of the person who clicked on the link.

Lastly, the final indicator with regards to the validity of this message is that it was sent from tech-admin[at]appliedconsultancy.com.  We do not have any such address or alias in service, either now, or in the past.

Recommendations

As with all Phishing, exploitation and con messages, the trick in avoiding them is to be aware and wary of messages from unknown sources.  Irrespective of the message content, if you don’t recognise the sender, assume that the message may be malicious in nature.  These messages are just a new variation on the con-trick.

At ACS, we do send out messages relating either to our services or ongoing customer support issues.  All of these messages will conform to the following rules:

• All support and technical messages from ACS Limited (including NamesAndSpace and SecureSiteSolutions) will be sent from the address support[at]appliedconsultancy.com and will contain a ticket reference number.
• We do not generally send out messages regarding server upgrades and maintenance work.
• All announcements regarding server upgrades and maintenance work  for our NameAndSpace servers will be made via this blog and on our support websites, http://support.appliedconsultancy.com.
• All messages will contain a full signature including our contact details and all legally required information.  You will never receive a message from us that end with just System Administrator

Our support team carries out a rolling program of maintenance and housekeeping work on all of our servers.

• All updates and upgrades to our NamesAndSpace servers are managed and carried out by our Support Team.  This process does not require the direct involvement of any of our customers.
• You will never be asked to download an application or file as part of an upgrade of our servers.

As always, if you are an ACS or NamesAndSpace customer and have received this or a similar message, please contact our support team if you have any concerns or queries.