Microsoft Update, is it a genuine website?

Discussion in 'Port Explorer' started by div, Jun 14, 2004.

Thread Status:
Not open for further replies.
  1. div

    div Guest

    I am noticing (for the first time) an unrecognizable remote address -- law14-f28.law14.hotmail.com. When I typed this into the browser URL box it brings up Microsoft's Windows update page. Now I know that when I browse to the MS update (via tools>Windows Update menu) the correct address is http://support.microsoft.com/default.aspx?pr=cntactms&style=home. So my question is whether the former is a genuine address and why there might be such a discrepancy between the two.

    Thx.
     
  2. BlackSwan

    BlackSwan Registered Member

    Joined:
    Jul 13, 2003
    Posts:
    104
    Hmm. I just tried the link you provided and was taken to hxxp://law14-f28.law14.hotmail.com/default.asp (url obfuscated, just in case), which does look like a genuine Windows Update page but produces an error while trying to load the latest version of Windows Update's controls. o_O

    As far as I know, though, this is one of a number of legit addresses belonging to M$'s domains - unless I am wrong, so anyone better informed on the matter, please correct me. :)

    BS
     
    Last edited: Jun 14, 2004
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello there, if you look in Port Explorer you should be able to see the real link you are connected to, maybe need a refresh to see the browser again in the Port Explorer table, so you can right-click the address and whois/resolve on it.
    I don't know either of the addresses mentioned, for us it is something starting with v4....... see it in HijackThis logs so often and in my browser when going there via the menu path you described.
    Might be a good suggestion to get the latest hijackthis.exe and post your log
    (see step 2 in this thread [thread]15913[/thread])
     
  4. BlackSwan

    BlackSwan Registered Member

    Joined:
    Jul 13, 2003
    Posts:
    104
    Ummm... sorry to step in again, but I just ran another search on that and remembered where I'd seen this URL before. It's a link you get, for example, in your web site referrer stats, when someone visits your site via a link in an e-mail they've received in their Hotmail account.

    Now when you click this referrer link (i.e. law14-f28.law14.hotmail.com), you should normally be directed to someone's Hotmail account. But since this account is password protected and you're not allowed to see the page, you are getting redirected to the Windows Update page instead.

    Well, sounds like a rather reasonable explanation, at least to a certain extent... On the other hand, the fact is that the link itself doesn't resolve to anything if you try one of the free online Whois services, but again, maybe I didn't do it right. :p

    BS
     
    Last edited: Jun 14, 2004
  5. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Black Swan

    Be VERY suspicious of MAIL that redirects you to Windows Updates.

    Windows goes to great pains to explain they NEVER send ANY mail with reference to any updates.

    So if any mail redirects you there, PLEASE BE VERY SUSPICIOUS.

    By there I mean you are not at Windows Updates but at a Ghost site.

    Take Care,
    TheQuest :cool:
     
  6. kenw

    kenw Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    112
    Location:
    Brighton, Colorado
    Try a program called 'spoofstick'; it works with IE and Firefox. Shows what site you're actually on.
     
  7. BlackSwan

    BlackSwan Registered Member

    Joined:
    Jul 13, 2003
    Posts:
    104
    Hi TheQuest :)

    Thanks for the clarification. :) Of course it goes without saying that NO "update notification" e-mail supposedly coming directly from M$ should be trusted as genuine.

    Well, I guess I didn't explain very well what I was talking about. What I meant was those links you get when, for instance, you review your web site's stats, and in the referring URLs list you may once in a while get an address coming from someone's Hotmail. This usually means that someone has seen your page, liked it (hopefully) and sent its URL to someone else in this someone else's Hotmail account. Now this new someone has clicked the link to your own page that was contained in the email s/he got, and his/her own Hotmail account's address was recorded in the referring URLs area of your web site stats (I hope I didn't make it even more confusing now - I got dizzy just by trying to sort it out myself LOL). This is where I'm pretty sure I've seen this link before. :)

    Now when I try the http://support.microsoft.com/default.aspx?pr=cntactms&style=home link div provides, it directs me to M$'s Support Center page, NOT the Windows Update one... o_O

    Anyway, thanks again for stressing the need to NOT open any unsolicited "update" messages. This can't be repeated often enough. :)

    Best,
    BS
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Found these instructions on the web: http://www.millersmiles.co.uk/identitytheft/spoof-link-checker.php which is really very informative and handy for this kind of problem.

    I copied this part in a note on my desktop so it's always there.
    It works on all Windows systems; spoofstick unfortunately only on 2000/XP.

    Follow these instructions to use this utility ...

    Once you are at a web page that you wish to check, leave that page open and do the following to see the true location of that page.

    1. Highlight, or select, all of this code, then copy it (right click and select copy) ...

    javascript:alert("The true URL is:\t\t" + location.protocol + "//" + location.hostname + "/" + "\nIf this does not match the URL shown in your browser address bar, you are likely to be seeing a web page from a different web site! We recommend that you close your browser and empty your browser cache now.");

    2. Now go to the browser that has the page that you wish to check, and replace the whole URL in the address bar with the copied code.

    3. Press enter, and a pop up message box will advise you of the true URL. If there is a difference between the two, you are most likely at a spoofed web address with a forged web page. Close that web browser and empty your browser cache.

    This method of spoofing is a growing problem and in the absence of a complete fix from Microsoft, millions of internet users are open to Phishing Scams - a form of Identity Theft which involves forged email and/or web page(s) which aim to steal your financial and/or personal data to commit fraud.


    Found a nicer code:
    javascript:alert("The actual URL is:\t\t" + location.protocol + "//" + location.hostname + "/" + "\nThe address URL is:\t\t" + location.href + "\n" + "\nIf the server names do not match, this may be a spoof.");

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;833786

    I'm still looking for code including DNS /IP , if somebody knows how to do that?


    =========
    Steps to verify the page address with IE History:
    Navigate to the web page you want to verify with Internet Explorer.
    From the View menu, select Explorer Bar and then History.
    Click the View button from the left frame and select By Order Visited Today.
    Move your mouse over the web link and you should get the real address in a yellow pop up box.
     
    Last edited: Jun 15, 2004
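    The check the two bookmarklets above perform, written out as a plain function so it can be run outside a browser (Node.js ships the same WHATWG `URL` class that browsers expose). This is an added example for this thread, not code from the post or from millersmiles.co.uk. `displayedUrl` stands in for what the address bar shows and `trueUrl` for `location.href`; both are passed in by the caller, and the ".example" host name in the samples is a constructed stand-in for an unrelated server. Beyond the hostname comparison the bookmarklet does, it also flags a `user@` part in front of the host, since a server never sees that text and it exists only to be read as the site name.

```javascript
// Added example (not from the thread): the bookmarklet's comparison as a function.

// The "true URL" line the bookmarklet prints: scheme and host only.
function trueLocation(href) {
  const u = new URL(href);
  return `${u.protocol}//${u.hostname}/`;
}

// Compare what the reader sees against where the page really came from.
// Returns the true location plus a list of reasons the pair looks spoofed.
function checkSpoof(displayedUrl, trueUrl) {
  const shown = new URL(displayedUrl);   // address-bar text, as the reader sees it
  const actual = new URL(trueUrl);       // location.href of the loaded page
  const findings = [];

  // Server names differ: the page did not come from the site the bar shows.
  // (URL already lower-cases host names, so no extra normalisation is needed.)
  if (shown.hostname !== actual.hostname) {
    findings.push(`host mismatch: bar shows ${shown.hostname}, page served by ${actual.hostname}`);
  }

  // Scheme differs (http shown, https real, or the reverse): also worth a look.
  if (shown.protocol !== actual.protocol) {
    findings.push(`scheme mismatch: bar shows ${shown.protocol}, page uses ${actual.protocol}`);
  }

  // Anything before '@' is userinfo, which the web server ignores. The part of
  // the string a reader takes for the host therefore ends up in `username`.
  for (const [label, u] of [["displayed", shown], ["true", actual]]) {
    if (u.username !== "" || u.password !== "") {
      findings.push(`${label} URL has credentials before '@' ("${u.username}"); real host is ${u.hostname}`);
    }
  }

  return { trueLocation: trueLocation(trueUrl), suspicious: findings.length > 0, findings };
}

// Constructed samples using the host names discussed in this thread.
const SAMPLES = [
  // Same server, different path: the bookmarklet shows a "difference" only in the path.
  ["http://law14-f28.law14.hotmail.com/", "http://law14-f28.law14.hotmail.com/default.asp"],
  // Bar claims one site, page came from another.
  ["http://windowsupdate.microsoft.com/", "http://law14-f28.law14.hotmail.com/default.asp"],
  // Trusted-looking name in front of '@'; the real host is what follows it.
  ["http://support.microsoft.com@other.example/", "http://other.example/"],
];

if (typeof require !== "undefined" && require.main === module) {
  for (const [shown, actual] of SAMPLES) {
    const r = checkSpoof(shown, actual);
    console.log(shown, "=>", r.trueLocation, r.suspicious ? r.findings : "ok");
  }
}
```

    Pasting the URL you are unsure about into `checkSpoof` alongside the one the page reports is the same exercise as running the bookmarklet, with the result available to a script instead of an alert box; it does not do the DNS/IP lookup asked about above, which a page's own script cannot perform.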
  9. kbmathes

    kbmathes Registered Member

    Joined:
    Jun 15, 2004
    Posts:
    2
    I clicked on the URL Bug Checker link at www.millersmiles.co.uk and McAfee VirusScan identified it as a Trojan and proceeded to delete it. After that, many links were also identified as Trojans and I had to do a complete scan to clean Exploit-URLspoof.gen off my computer. Hope the MS solution works better.
     
  10. BlackSwan

    BlackSwan Registered Member

    Joined:
    Jul 13, 2003
    Posts:
    104
    Well, I just tried this URL Bug Checker (very useful tool, BTW - thanks for giving the link) and the suspicious URL came out clean (I don't run McAfee - there's a clear warning on the millersmiles page that McAfee identifies the URL Bug Checker as a trojan).

    The M$ JavaScript tool found a difference between law14-f28.law14.hotmail.com and law14-f28.law14.hotmail.com/default.asp (as more or less expected).

    So... what are we to make of this? o_O

    Best,
    BS :)
     
    Last edited: Jun 22, 2004