Oct 2, 2010 11:00 GMT  ·  By

Security researchers warn that a new spam campaign is pumping out emails that mimic iTunes Store receipts and direct users to a website pushing the ZBot trojan.

The rogue messages come with a subject of "Your receipt #[random digits]" and have their header spoofed to appear as originating from a [email protected] address.

The spammers are abusing the real receipt template used by Apple's iTunes Store and list an allegedly ordered item called "Whatever You Like [Digital 45]".

The price varies from message to message, but it is always in the order of several hundred dollars, usually over 500.

This significant sum is meant to scare recipients into thinking that they were billed for a very expensive item that was never ordered.

Users who fall for the trick are likely to click on the "Report a Problem" link displayed under the item's name.

This would take them to a website falsely claiming that a Flash Player update is required and offering them an executable file called flash_player_07.78.exe.

This file installs a variant of the notorious ZBot trojan, which is commonly used by fraudsters to steal online banking credentials, financial details and other sensitive information.
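The indicators the article describes (a receipt-style subject with a random number, a sender header that claims an Apple address, the bogus order item, an inflated price, and a "Report a Problem" link that hands out an .exe) can be turned into a simple mail filter. The following is an added example written for this page, not code from the article or from any vendor mentioned in it. The two sample messages are constructed; the real campaign's sending infrastructure is not on the page, so the Return-Path and link domains below are `.invalid` placeholders, and the set of sender domains the lure impersonates is an assumption (the article's copy of the address is obfuscated).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators taken from the article's description of the campaign.
SUBJECT_RE = re.compile(r"^Your receipt #\d+$")
LURE_ITEM = "Whatever You Like [Digital 45]"
EXE_LINK_RE = re.compile(r"https?://\S+\.exe\b", re.IGNORECASE)
PRICE_RE = re.compile(r"\$(\d+(?:\.\d{2})?)")
HIGH_PRICE = 500.0
# Assumption: the spoofed From address claims an Apple-owned domain.
IMPERSONATED_DOMAINS = {"apple.com", "itunes.com"}


def sender_domain(header_value):
    """Return the lowercase domain part of an address header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def message_text(msg):
    """Concatenate the decoded text/plain and text/html parts of a message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def score_message(raw):
    """Return the list of lure indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    if SUBJECT_RE.match(msg.get("Subject", "").strip()):
        findings.append("subject matches receipt lure pattern")

    from_domain = sender_domain(msg.get("From"))
    path_domain = sender_domain(msg.get("Return-Path"))
    # A From header claiming Apple while the envelope sender is elsewhere is
    # the header spoofing the article describes.
    if from_domain in IMPERSONATED_DOMAINS and path_domain and path_domain != from_domain:
        findings.append("From claims %s but Return-Path is %s" % (from_domain, path_domain))

    body = message_text(msg)
    if LURE_ITEM in body:
        findings.append("fake order item present")
    if any(float(p) > HIGH_PRICE for p in PRICE_RE.findall(body)):
        findings.append("inflated price intended to alarm the recipient")
    if EXE_LINK_RE.search(body):
        findings.append("link points directly at an executable download")
    return findings


def is_suspicious(raw, threshold=2):
    """Flag a message when at least `threshold` indicators are present."""
    return len(score_message(raw)) >= threshold


# Constructed sample: shaped like the lure the article describes.
SAMPLE_LURE = """\
Subject: Your receipt #184527639
From: iTunes Store <do_not_reply@apple.com>
Return-Path: <bounce@mailer.example.invalid>
Content-Type: text/plain; charset=utf-8

Whatever You Like [Digital 45]                         $619.99
Report a Problem: http://update.example.invalid/flash_player_07.78.exe
"""

# Constructed sample: an ordinary message that should not be flagged.
SAMPLE_BENIGN = """\
Subject: Lunch on Friday?
From: Colleague <colleague@example.invalid>
Return-Path: <colleague@example.invalid>
Content-Type: text/plain; charset=utf-8

Shall we try the new place at 12:30?
"""

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, is_suspicious(raw), score_message(raw))
```

The threshold of two indicators keeps a legitimate receipt (which would match the subject pattern and possibly the price check) from being flagged on its own; in production the From/Return-Path mismatch would be replaced by proper SPF/DKIM results from the receiving MTA.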

A scan of the file on VirusTotal reveals a surprisingly high detection rate of 81% across 43 different antivirus engines.

Such a high rate is very unusual for a campaign this new, because ZBot gangs normally make sure their malicious samples are not detected by the leading antivirus products before putting them out.

However, in this case the detection is very good because this is the same file distributed by a very similar and aggressive campaign that targeted LinkedIn users this week.

Fortunately, while the attack is very well constructed in terms of social engineering, it will probably fail to produce as many victims as its initiators hoped.