Knowledgebase: Scams and Spams
Fake patches!
Posted by Roy Petersen on Oct-12-2009 08:27 PM
Is that a real notice, or is it dangerous?
We've seen an increase in attempts to infect users' computers lately, but most are easy to spot: bad spelling, poor phrasing, and the general look of having been hastily put together by someone who may not be a native English speaker. Today we learned of one that is fairly well done (comparatively), so we thought we'd share it.
Here it is:
-=-=-=-
Attention!

On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.

http://updates.YOURDOMAINNAME.com.secure.ssl-datacontrol.com/mail/id=751181143158-YOUREMAIL@YOURDOMAINNAME.com-patch2457.aspx

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

System Administrator
-=-=-=-
  1. Apart from the poor grammar, this isn't directed to anyone in particular, nor is it signed by a real "person", just some vague title meant to instill confidence. Notices from us come from us, and are typically signed by me.
  2. The address given for this patch starts with "http://updates.YOURDOMAINNAME.com", meaning "updates" would have to already be a subdomain on your account, which you would hopefully already know about. The entire string of names at the start of that address ("updates.YOURDOMAINNAME.com.secure") are folders/directories on the server, set up as "subdomains" of the real account, ssl-datacontrol.com.
  3. The real address this link goes to is the last part of the host name, "SSL-DATACONTROL.com", a Russian domain registered on October 6th, just for this purpose. (I don't suggest you visit!)
How to tell what address it really goes to?
Look for the first "/" after the initial "http://" part. Immediately to the left of that slash is the TLD (Top Level Domain), the ".com" portion. Reading left from that ".com" to the first "." you meet gives you the domain name; in this case, "ssl-datacontrol.com". Everything further left is only a subdomain of that domain.

What would happen if I click the link?
Hard to say without actually doing so and seeing what they're trying to do, but odds are pretty good it's something nasty: a trojan, virus or something equally unpleasant. I wouldn't recommend it.