Potential victims lured with payment notification

Nov 4, 2014 23:59 GMT  ·  By

The ZeuS Trojan has been found being distributed through a malicious email attachment, with the message sent from the address of an educational organization in the United States.

The message claims to be a notification of a payment confirmation (the subject line is “Payment has been made”), with the malicious document attached.

A trustworthy source with fast Internet is the perfect target for crooks

After checking the file, researchers from PhishMe determined without a doubt that it downloaded ZeuS Trojan, also known under the name of Zbot; the undeniable evidence was the fact that the payload was retrieved from an IP address listed in ZeuS tracker.

The malware includes functionality for stealing confidential information from the compromised system, including online banking usernames and passwords.

Spam campaigns are carefully monitored and automated systems manage to spot the fraudulent messages and prevent them from reaching the inbox of the user by blocking the IP address they originate from.

EDU domains are generally reserved for academic institutions and their email addresses are not included on blacklists because of the elevated trust level.

This is only one reason cybercriminals would want to compromise an EDU domain. Another is that universities need to accommodate the Internet needs of a large number of individuals, and for this they need a great deal of bandwidth.

According to Ronnie Tokazowski from PhishMe, “the university used in this wave of attacks currently has between 25,000-30,000 enrolled students.”

A trustworthy source with a very fast Internet connection is a dream come true for cybercriminals, as they can move massive amounts of email with a very high chance of reaching the recipient’s inbox.

“In this case, the attackers may not have directly attacked the university, but could have compromised a system which just so happened to reside at the university,” says Tokazowski in a blog post.

Spot the malicious intent

Scammers’ social engineering skills are getting better, and even if no hint of deceit can be spotted in the body of the message, most of the time the best clue is in the attached file.

Unless we’re talking about a very large text file, an archive purporting to be a document is always suspicious, more so if only one item is compressed. Text does compress very well, but an invoice or a bill does not require this type of treatment.
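The attachment heuristic described above, as an added example that is not part of the original article or PhishMe's tooling: a hypothetical `assess_attachment` helper flags an archive attached to a "payment" message when it wraps a single file, and goes slightly beyond the text by also flagging executable extensions inside the archive. The sample attachments are constructed in memory.

```python
import io
import zipfile

# Heuristic from the article: an invoice or bill does not need compression, so an
# archive that wraps a single file is suspicious. Hypothetical helper, not PhishMe's
# code; the extension sets below are an assumption, not taken from the article.
ARCHIVE_EXTS = {".zip"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf", ".txt"}

def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""

def assess_attachment(filename: str, data: bytes) -> list:
    """Return the reasons the attachment looks suspicious (empty list = no finding)."""
    reasons = []
    if _ext(filename) not in ARCHIVE_EXTS:
        return reasons  # a plain document: this heuristic has nothing to say
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [m for m in zf.infolist() if not m.is_dir()]
    except zipfile.BadZipFile:
        return ["archive extension but not a valid zip"]
    if len(members) == 1:
        reasons.append("archive wraps a single file")
    for m in members:
        inner = m.filename.rsplit("/", 1)[-1]
        if _ext(inner) in EXECUTABLE_EXTS:
            reasons.append(f"executable inside archive: {inner}")
            # e.g. "Invoice.pdf.exe": a document name carrying an executable extension
            parts = inner.lower().split(".")
            if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS:
                reasons.append(f"double extension disguises executable: {inner}")
    return reasons

def make_zip(entries: dict) -> bytes:
    """Build a zip archive in memory from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed lure: one disguised executable inside a "payment" archive
    lure = make_zip({"Payment_Confirmation.pdf.exe": b"MZ..."})
    for reason in assess_attachment("Payment has been made.zip", lure):
        print(reason)
```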

Another malware piece distributed in a recent malicious email campaign is Poweliks, a threat that leaves no trace on the hard disk, making it difficult to detect.