Bears the markings of Zbot

Nov 19, 2009 15:16 GMT

Security researchers warn of a new malware distribution campaign that uses incorrect billing as a lure. The spam emails pretend to be payment request notifications, and a computer trojan is passed off as a tool for blocking them.

"The emails pretend to come from the 'Customer Support' division of an online banking organisation and be in connection to payments requested from a variety of different organisations," Sophos' Graham Cluley warns. The scam looks to exploit people's fear of having unauthorized charges made on their accounts.

The subject line of the rogue emails is "payment request from [company name]" and the message claims that "We recorded a payment request from [company name] to enable the charge of $66.10 on your account." The sum can differ with every email, and brands like Microsoft, Starbucks, eBay, Sun Microsystems, Cartoon Network Studios or Fox Film Corporation are amongst the abused company names.

"The payment is pending for the moment. If you made this transaction or if you just authorize this payment, please ignore or remove this email message. The transaction will be shown on your monthly statement as [company name]. If you didn't make this payment and would like to decline it, please download and install the transaction inspector module (attached to this letter)," the rest of the misleading messages read.

The attached file is called module.zip and, according to Sophos, which detects it as Mal/EncPk-LP, it contains a computer trojan. This attack employs techniques similar to the ones found in recent Zbot distribution campaigns.

Yesterday, we reported on emails claiming that users' mailboxes had been deactivated due to suspicious activity; they were pushing a trojan downloader disguised as a mailbox utility. The malware was found to install the notorious Zbot trojan. Late last week, Zbot distributors targeted UK Vodafone and Verizon mobile customers through similar spam. The infected attachment was being passed off as an account balance checking tool.