The Zeus infection campaign becomes even more widespread

Oct 17, 2012 09:26 GMT

Security experts are seeing more and more fake emails designed to lead users to malicious Adobe Flash Player update websites. The latest ones spotted leverage the names and reputations of PayPal and WebEx.

Researchers from GFI Labs have found phony notifications that claimed to be from Skype, ADP and Facebook. Trend Micro, for its part, has identified messages allegedly originating from PayPal’s Bill Me Later service and WebEx as belonging to the same campaign.

“We had an issue this morning with our WebEx and therefore, please accept the new invitation. This invitation has the Conference ID #36189133. Sorry for any confusion,” read the emails entitled “Important – Please read regarding this afternoon’s Webex.”

The alerts that appear to be sent by Bill Me Later bear the subject “Thank you for scheduling a payment to Bill Me Later” and inform recipients that a payment of over $1,000 (800 EUR) has been made.

When users click on the links contained in these emails, they’re taken to a website that almost perfectly replicates the Adobe Flash Player download page. Experts highlight the fact that the attackers have gone to great lengths to make sure that the drop-down menu on the fake page imitates the genuine site’s.
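The lure pattern described above (a vendor-themed subject line plus a “Flash Player update” link that does not resolve to Adobe) can be checked mechanically at the mail gateway. The following triage script is an added example, not code from the article or from Trend Micro or GFI Labs. The subject fragments come from the lures quoted in the article; the sample emails, the `adobe.com` allowlist and all hostnames are constructed for the demonstration and are assumptions, not indicators from the campaign.

```python
"""Flag emails that pair a known lure subject or a Flash Player link with an off-vendor host."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject fragments quoted in the article (compared case-insensitively, apostrophes normalised).
LURE_SUBJECTS = (
    "please read regarding this afternoon's webex",
    "thank you for scheduling a payment to bill me later",
)
# Phrases that promise a Flash Player download in the body or link text.
FLASH_PHRASES = ("flash player", "adobe flash")
# Assumption for the example: the only registrable domain a genuine Flash link should use.
ADOBE_DOMAINS = ("adobe.com",)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Naive registrable domain: the last two labels (no public-suffix list in this example)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage_email(subject, html_body):
    """Return a list of human-readable reasons the message looks like a Flash-update lure."""
    reasons = []
    normalised_subject = subject.lower().replace("\u2019", "'")
    if any(lure in normalised_subject for lure in LURE_SUBJECTS):
        reasons.append("subject matches known lure")

    extractor = LinkExtractor()
    extractor.feed(html_body)
    body_text = re.sub(r"<[^>]+>", " ", html_body).lower()
    body_mentions_flash = any(p in body_text for p in FLASH_PHRASES)

    for href, text in extractor.links:
        host = urlparse(href).hostname or ""
        link_mentions_flash = any(p in text.lower() for p in FLASH_PHRASES)
        # A Flash Player download offered from anywhere but Adobe is the core signal.
        if (body_mentions_flash or link_mentions_flash) and registrable(host) not in ADOBE_DOMAINS:
            reasons.append(f"Flash Player link points off-Adobe: {host}")
        # Visible text that shows one URL while the href goes elsewhere is a classic mismatch.
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append(f"link text shows {shown.group(1)} but href goes to {host}")
    return reasons


# Constructed sample messages (hostnames are placeholders, not real indicators).
SAMPLE_EMAILS = {
    "webex_lure": (
        "Important \u2013 Please read regarding this afternoon\u2019s Webex",
        '<p>We had an issue with our WebEx. <a href="http://update-player.example/flash">'
        "Update Adobe Flash Player</a> to join the new invitation.</p>",
    ),
    "billmelater_mismatch": (
        "Thank you for scheduling a payment to Bill Me Later",
        '<p>Review the payment at <a href="http://login.example.net/">https://www.paypal.com/</a></p>',
    ),
    "genuine_flash_notice": (
        "Flash Player notice",
        '<p>Get the latest player from <a href="https://get.adobe.com/flashplayer/">Adobe Flash Player</a>.</p>',
    ),
}


def run_samples():
    """Triage every constructed sample; returns {name: reasons}."""
    return {name: triage_email(subj, body) for name, (subj, body) in SAMPLE_EMAILS.items()}


if __name__ == "__main__":
    for name, reasons in run_samples().items():
        print(name, "->", reasons or "clean")
```

The registrable-domain helper is deliberately naive (it has no public-suffix list), so in production you would replace it with a proper library and extend the allowlist to whichever vendors your organisation actually receives update notices from; the point of the example is that the lure subject alone is weak evidence, while a Flash Player link whose host is not Adobe’s is the signal worth alerting on.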

The so-called Flash Player update is actually a malicious file identified by Trend Micro as TSPY_FAREIT.SMC. When it’s executed, it drops a version of the ZeuS banking Trojan onto the infected computer.

“These variants are specifically crafted to steal online banking credentials such as usernames, passwords, and other important account details. This stolen information is then used to initiate transactions without users’ knowledge or is peddled in the underground market for the right price,” Trend Micro Threat Analyst Jocelyn Racoma explained.

Researchers underscore that it’s probably not a coincidence that the name of WebEx – a popular technology for business conferences – is being leveraged by cybercriminals. It’s believed that these particular attacks are aimed at businesses and their employees.