Gee, with all that money you pay for Windows Defender and other Microsoft security services you’d think they would handle these types of issues.
Guess not.
BY:
Salvatore Nicci
Technology Analyst / Reporter
PROJECT COUNSEL MEDIA
29 April 2022 (Berlin, Germany) – If you follow Steve King, Andy Jenkinson and Garett Moreau on Linkedin the following is going to be old hat to you. Those three gents are the ones to follow and read for “everything-cyber-security-related”. They have been equally prescient on Russian cyberwar developments.
There is an old maxim/clichéd in the “cyber biz”: Bill Gates designed Microsoft to make personal computers more user friendly. While the Microsoft operating system is among the easiest to learn, unfortunately it is also the most hackable. Black hat actors adore Microsoft systems, especially when the company releases a new update. Bleeping Computer shares a problem with the newest Windows update in its article “Microsoft: Windows Domain Controller Restarts Caused By LSASS Crashes“.
The bug occurred in the Local Security Authority Subsystem Service (LSASS). The LSASS crashed, users lost access to their Windows accounts, shown an error message, then the system rebooted. The LSASS crash bug was one of many issues that a Microsoft patch fixed in January 2022:
“Microsoft addressed the LSASS crash issue in out-of-band updates released in mid-January 17 [1, 2] to fix numerous other critical bugs introduced during the January 2022 Patch Tuesday, including Hyper-V no longer starting, L2TP VPN connections failing, and ReFS volumes becoming inaccessible.”
Bad actors discover coding errors in Microsoft systems then exploit them. The bad actors detect many vulnerabilities during updates, then they quickly devise plans to take advantage of users. Threat Post explains a new hacker trick in “Microsoft Accounts Targeted By Russian-Themed Credential Harvesting“. Russia has threatened cyber attacks with their current Ukraine War plan, so it did not take long for bad actors to create spam campaigns. The spam email reads:
“Unusual sign-in activity
We detected something unusual about a recent sign-in to the Microsoft account
Sign-in details
• Country/region: Russia/Moscow
• IP address:
• Date: Sat, 26 Feb 2022 02:31:23 +0100
• Platform: Kali Linux
• Browser: Firefox
A user from Russia/Moscow just logged into your account from a new device, If this wasn’t you, please report the user. If this was you, we’ll trust similar activity in the future.
Report the user
Thanks,
The Microsoft account team”
The emails then provide a button to “report the user,” and an unsubscribe option, according to Malwarebytes’ analysis of the spam. So clicking the button creates a new message with the to-the-point subject line of “Report the user.” The recipient’s email address references Microsoft account protection. So, as noted in the article:
“People sending a reply will almost certainly receive a request for login details, and possibly payment information, most likely via a bogus phishing page. It’s also entirely possible the scammers will keep everything exclusively to communication via email. Either way, people are at risk from losing control of their account to the phishers. The best thing to do is not reply, and delete the email.”
As ever, the spam offers up red flags in the form of grammatical errors, including misspellings, such as “acount.” In other words, it’s not a particularly sophisticated effort, but it’s a savvy one. As is the case with any major world event, cresting interest (or fear) is catnip for social engineers. And, according to the Malwarebytes’ analysis people are clicking – regardless.
The three gents I noted at the top of the post have all been writing, since the Russian invasion, what this article also points out: given current world events we are seeing an unusual sign-in activity from Russia which really means people need to do a double-take – but are not. And it is the perfect spam bait material for that very reason.
And, as noted above, it follows the spam pattern: users are encouraged to click on the link and submit a response. If users respond to the link, they receive an email asking for login details and payment information.
As Christopher Boyd (a computer security researcher for Malware Research) points out:
“The mail explicitly targets Microsoft account holders, but the good news is that Outlook is sending the emails directly to the spam folder. However … depending on personal circumstance and/or what’s happening in the world at any given moment, one person’s ‘no big deal’ is another one’s ‘oh no, my stuff!’ That’s all it may take for some folks to lose their login, and this mail is perhaps more salient than most for the time being”.
Gee, with all that money you pay for Windows Defender and other Microsoft security services you’d think they would handle these types of issues. Guess not.