Users are encouraged by the e-mail to download a patch which, it is claimed, will fix the problem and prevent them from becoming attacked by hackers.
However, clicking on the link contained inside the e-mail does not take computer users to Microsoft's Web site but one of many compromised Web sites hosting a Trojan horse.
"Security bulletins from Microsoft describing vulnerabilities in their software are a common occurrence, and so its not a surprise to see hackers adopting this kind of disguise in their attempt to infect Windows PCs," said Graham Cluley, senior technology consultant for Sophos. "The irony is that as awareness of computer security issues has risen, and the need for patching against vulnerabilities, so social engineering tricks which pose as critical software fixes are likely to succeed in conning the public."
In examples seen by experts, the e-mails have contained the recipient's full name, and the company they work for, in an attempt to lull user's into a false sense of security.
"By using people's real names, the Microsoft logo, and legitimate-sounding wording, the hackers are attempting to fool more people into stepping blindly into their bear-trap," continued Cluley. "Users need to be on their guard against this kind of confidence trick or they risk handing over control of their PC to hackers with criminal intentions. They should also ensure that they are downloading Microsoft security updates from Microsoft itself, not from any other Web site."
