
Keylogger Masquerades As Microsoft Alert

Written By
Andy Patrizio
Jun 1, 2006

Would-be identity thieves have turned loose another sneaky means for stealing users’ personal information. It comes in the form of a fraudulent e-mail pretending to be from Microsoft that suckers users into installing a keylogger.

SophosLabs, the virus analysis center for antivirus vendor Sophos, put out the warning on Tuesday about the letter, with the subject line “Microsoft WinLogon Service – Vulnerability Issue” and the return address of patch@microsoft.com.

The letter claimed that a vulnerability has been found “in the Microsoft WinLogon Service” that could “allow a hacker to gain access to an unpatched computer.” The letter advises the recipient to click on a link in the letter to download the patch.

That should be your first clue something is wrong, said Patrick Martin, senior product manager of antivirus content at Symantec.

“Virus definitions will detect letters like this, but you should always be cautious of a letter from a vendor purporting to be links to patches. Vendors don’t send them out that way, especially Microsoft. They use Windows Update,” he said.

If that’s not hint enough that something bogus is afoot, the phony letter misspells Microsoft’s corporate name as “Microsoft Coorp.,” which is usually a hallmark of international hackers for whom English is not their native language.

Those foolish or naïve enough to click on the link will receive the message “Microsoft WinLogon Service successfully patched,” when all they really got is the Troj/BeastPWS-C Trojan horse, a keylogger. It will log keystrokes and send them to an e-mail address belonging to the hacker.

“People are slowly learning that Microsoft does not e-mail out security fixes as attachments, but they also need to learn to be careful of blindly clicking on links to download fixes too without checking that the e-mail is legitimate,” said Graham Cluley, senior technology consultant at Sophos, in a statement.

Both Sophos and Symantec reiterated the need to keep one’s antivirus definitions up to date, and also not to click on a strange link in an e-mail.

“Novices may not recognize some of the basic safe computing practices, so we try to reeducate users on a constant basis,” said Martin.

These kinds of keylogger viruses are not that common, said Martin. “They come in dribs and drabs. We don’t see any ones like this that really make a mark. It doesn’t seem people are falling for them in large numbers,” he said.
