I got an email today that claimed to be from "noreply@ McAffee.com". Now this could have been spoofed, and I will try to inspect the Internet header for evidence.
The content was HTML, and it contained the following:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<P>McAfee Labs has identified a zero-day vulnerability in Microsoft Internet Explorer that was used as an entry point for a cyberattack that struck Google and a rapidly growing list of other companies. McAfee is working with our customers, partners, and the public to educate them on this dangerous cyberattack known as "Operation Aurora". <BR><BR>We have set up an informational web page </A>to get the latest information at <A href="http://now.eloqua.com/e/er.aspx?s=927&lid=1924&elq=59870a1c4b4d4eada6d5b489a6f44 887">www.mcafee.com/aurora</A><BR><BR>There you will find: <BR><BR>>> <A href="http://now.eloqua.com/e/er.aspx?s=927&lid=1925&elq=59870a1c4b4d4eada6d5b489a6f44 887">A detailed document</A> to help you determine if you've been affected<BR>>> <A href="http://app.en25.com/e/er.aspx?s=927&lid=1926&elq=59870a1c4b4d4eada6d5b489a6f4488 7">An executive-level video briefing</A> explaining Operation Aurora from the McAfee Office of the CTO <BR>>> Evaluations of McAfee products to help ensure that you are protected<BR>>> Links to McAfee security professionals and other resources to help you protect your organization from Operation Aurora and similar attacks in the future<BR><BR>We invite you to visit this site frequently for updates on Operation Aurora. In addition, we will be hosting the Hacking Exposed live webcast on January 21, 2010 at 11 AM PST / 2 PM EST which will feature the latest up-to-date information on the Operation Aurora cyberattack. <A href="http://now.eloqua.com/e/er.aspx?s=927&lid=1887&elq=59870a1c4b4d4eada6d5b489a6f44 887">Register Now.</A><BR><BR>Sincerely,<BR><BR>George Kurtz<BR><BR>WW Chief Technology Officer & Executive Vice President <BR>http://www.twitter.com/george_kurtzCTO<BR><BR>McAfee, Inc.</P>
<img src='http://app.en25.com/e/FooterImages/FooterImage1.aspx?elq=59870a1c4b4d4eada6d5b48 9a6f44887&siteid=927' border=0 width=1px height=1px></BODY></HTML>
<P><FONT size=1>To manage your email preferences, please go </FONT><A href="http://now.eloqua.com/sl.asp?"><FONT size=1>here</FONT></A><FONT size=1>.<BR><BR>McAfee, Inc.| 3965 Freedom Circle | Santa Clara, CA | 95054 | 888.847.8766 | </FONT><A href="http://www.mcafee.com"><FONT size=1>www.mcafee.com</FONT></A><FONT size=1> <BR><BR>McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2010 McAfee, Inc. All rights reserved.</FONT></P>
The link in the email that claims to be McAffee actually goes to eloqua.com then redirects to McAffee.
Is this a legitamate email, or is this an attempt to actually lauch an Aurora attack by claiming to spread knowledge about Aurora?
McAffee should not ever, I think include a redirect in an email link.
Anyone know what is up?
Message was edited by: April Jacobs to remove email identity information from customer provided URL on 1/20/10 9:03:34 AM CST