Health Spam Attack Leads to Fake Microsoft Support Site

 Analysis by: Fjordan Allego

Health spam that purports to be a public health announcement from the Environmental Services Department Disease Prevention and Control is making the rounds. This particular spammed email says that an accredited study confirmed that a type of milk is linked to cancer. Milk is a common household item, so this would surely catch the interest of most readers. Clicking the specified link leads you to a fake Microsoft Support website.

The spammed email uses different techniques to get past spam filters. It includes salad words that are excerpts from various legitimate websites. In the spam sample, the phrases came from an article pertaining to a flu vaccine.

Also, the spammers made use of newly-registered domains. The links to which victims are redirected were registered in the last 24 hours, a move that can get past web filters that scan for malicious URLs. Digging deeper, these newly-registered domains are only good for one year and were registered to a certain organization called Alert Center Notifications based in Goddard, Kansas. Further research leads to its website, which is parked. The company website was registered at around the same time the links in the spam mail were registered.
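One way a mail gateway can account for this, shown as an added example that is not part of the original analysis: compare the registration date of every linked domain with the time the message arrived. The domain names, dates, the 7-day threshold and the `CREATED` table (standing in for a WHOIS/RDAP lookup) are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed registration data standing in for a WHOIS/RDAP lookup.
CREATED = {
    "health-notice.example": datetime(2014, 9, 24, 3, 0, tzinfo=timezone.utc),
    "established-news.example": datetime(2005, 1, 10, tzinfo=timezone.utc),
}

def registrable_domain(host):
    # Assumption: the last two labels form the registered domain.
    # Production code should consult the Public Suffix List instead.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify_links(body, received, max_age=timedelta(days=7), lookup=CREATED.get):
    """Return {domain: verdict} for every http(s) link in the message body."""
    verdicts = {}
    for host in URL_RE.findall(body):
        domain = registrable_domain(host)
        created = lookup(domain)
        if created is None:
            # No registration record: hold for review rather than trust.
            verdicts[domain] = "unknown"
        elif received - created < max_age:
            # Registered shortly before delivery, as in this campaign.
            verdicts[domain] = "new"
        else:
            verdicts[domain] = "established"
    return verdicts

# Constructed sample message and delivery time.
SAMPLE_BODY = (
    "Public health announcement: read the study at "
    "http://www.health-notice.example/milk-study and the coverage at "
    "https://established-news.example/flu-vaccine. "
    "More at http://unlisted-host.example."
)
RECEIVED = datetime(2014, 9, 24, 16, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for domain, verdict in classify_links(SAMPLE_BODY, RECEIVED).items():
        print(f"{domain}: {verdict}")
```

Domain age is a signal to weigh alongside content and reputation checks, since legitimate sites are also new at some point.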

As for the fake Microsoft Support site, it does look like a legitimate Microsoft site, except that the URL is not. The PC Support site fronts a Virus Removal Malware Support page wherein visitors are guided through step-by-step instructions on how to address a “slow, unresponsive” computer that is “often caused by viruses”. It then recommends downloading a free Diagnostic Scan “to clean and optimize” the victim’s computer.

To make the page look even more legitimate, there were comments listed below the article confirming the effectiveness of the instructions. However, the comment section is already closed, most likely to filter out any comments that would contradict the claims of the fake comments.

The spammed email and all the associated URLs are already detected by Trend Micro products. Users are advised to be extra careful when clicking links in email to avoid threats like this.

 SPAM BLOCKING DATE / TIME: September 24, 2014 GMT-8
  • ENGINE:7.5
  • PATTERN:0974