
Abnormal Activity From Your IP Alert Email

by Brett M. Christensen

An email purporting to be from the “Abuse Team” claims that abnormal activity has been detected from the recipient’s IP address and recommends that a patch be installed.


Subject: Virus Alert!

Dear Customer,

Our robot has detected an abnormal activity from your IP adress on sending e-mails. Probably it is connected with the last epidemic of a worm which does not have official patches at the moment.

We recommend you to install this patch to remove worm files and stop email sending, otherwise your account will be blocked.

Abuse Team

Detailed Analysis:
In the wake of the recent “4th July” and “Postcard from a Family Member” bogus eCard attacks, malware distributors have returned to a tactic that they used back in April 2007.

Inboxes are currently being hit by “alert” messages that claim that a scanning robot has detected abnormal activity from the recipient’s IP address and suggest that the activity is related to a recent email worm “epidemic”. The message instructs recipients to click a link to install a patch that will supposedly remove worm files. It warns that the recipient’s account may be blocked if the patch is not installed.

However, clicking on the link will lead to a malicious website that will download and install a trojan on the user’s computer. Once installed, the trojan may try to connect to the Internet and download other malware components. The link to the supposed patch is disguised using HTML so that it forms a clickable part of the message.
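A mail filter or a curious recipient can expose this kind of disguised link by listing each anchor's visible text beside its real target. The Python below is an added example, not part of the original article; the sample body reuses the email's wording with constructed documentation-range URLs, and the function names and warning heuristics are assumptions chosen for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")
# Constructed sample: the email's wording with made-up documentation-range URLs.
SAMPLE_BODY = ('We recommend you to install this <a href="http://203.0.113.7/patch.exe">patch</a> '
               'to remove worm files. <a href="https://isp.example/help">https://isp.example/help</a>')

class AnchorCollector(HTMLParser):  # collects (visible text, href) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def shown_host(text):
    """Host the visible text claims to lead to, or '' when the text is just words."""
    if " " in text or "." not in text:
        return ""
    return (urlparse(text if "://" in text else "//" + text).hostname or "").lower()

def is_ip(host):
    try:
        return ipaddress.ip_address(host) is not None
    except ValueError:
        return False

def audit_links(html_body):
    """Pair each link's visible text with its real target and list warning signs."""
    collector = AnchorCollector()
    collector.feed(html_body)
    findings = []
    for text, href in collector.links:
        target = urlparse(href)
        host, claimed = (target.hostname or "").lower(), shown_host(text)
        checks = [(not claimed, "link text hides the destination"),
                  (bool(claimed) and claimed != host, "link text names another host"),
                  (is_ip(host), "host is a raw IP address"),
                  (target.path.lower().endswith(EXECUTABLE_SUFFIXES), "target is an executable file")]
        findings.append({"text": text, "href": href, "reasons": [m for hit, m in checks if hit]})
    return findings
```

Calling `audit_links(SAMPLE_BODY)` returns one entry per link; an empty `reasons` list means the visible text and the target agree and none of the other heuristics fired.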

To a user unaware of such tactics, this bogus virus warning email may seem like a legitimate message sent by his or her Internet Service Provider (ISP). Confronted with the news that his or her computer may be infected, the user may rapidly click the link in the message without due caution.

Users should be extremely cautious of any message that instructs them to install a security update either by following a link or opening an attachment. The fake security patch ruse has been used a number of times in the past to distribute worms and other malware. ISPs and software companies are very unlikely to distribute a security patch via email. Always install updates by using the software vendor’s official update procedure.

Last updated: 10th July 2007
First published: 10th July 2007

F-Secure: Fake alert emails
Fake 4th Of July eCards Point to Trojan
Postcard From a Family Member Malware Email
Customer Support Center Robot Worm Email