Compromised websites used to distribute the trojan

Jul 26, 2010 11:58 GMT  ·  By

Security researchers warn of a new spam campaign directing users to compromised websites distributing the Zbot trojan. The spammers are attempting to pass off the rogue messages as official account registration notifications coming from ImageShack.

It seems that the attackers copied the real ImageShack account registration confirmation email template and replaced all of the legit links inside it with ones leading to malicious pages. Recipients can spot the scam because the same URL, unrelated to the imageshack.us domain, is used for the registration confirmation link, the password change link, the password recovery link, the homepage link and the common questions link.
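The tell described above, every link in a branded mail pointing at one host that is not the sender's domain, is easy to check mechanically. The following is an added example written for this article, not code from Sunbelt or ImageShack; the mail samples are constructed, the `example-compromised.invalid` host is a placeholder for the campaign URL, and the domain heuristic is a deliberate simplification.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample: a cloned "ImageShack" registration mail in which every
# link points at the same off-brand host (placeholder, not the real campaign URL).
SAMPLE_MAIL = """\
From: ImageShack <noreply@imageshack.us>
Subject: ImageShack registration
Content-Type: text/html

<p>Please <a href="http://example-compromised.invalid/x.php">confirm your registration</a>.</p>
<p><a href="http://example-compromised.invalid/x.php">Change password</a> |
<a href="http://example-compromised.invalid/x.php">Recover password</a> |
<a href="http://example-compromised.invalid/x.php">Home</a> |
<a href="http://example-compromised.invalid/x.php">Common questions</a></p>
"""

# Constructed control sample: a genuine-looking mail whose links stay on the sender's domain.
LEGIT_MAIL = """\
From: ImageShack <noreply@imageshack.us>
Subject: ImageShack registration
Content-Type: text/html

<p><a href="http://imageshack.us/confirm">Confirm</a> |
<a href="http://imageshack.us/password">Change password</a></p>
"""

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)

def registrable_domain(host):
    """Last-two-labels heuristic (assumption). Multi-part suffixes such as
    co.za or com.au need a public-suffix list to be handled correctly."""
    return ".".join(host.lower().split(".")[-2:])

def sender_domain(raw_mail):
    """Registrable domain of the From: address, or None if there is none."""
    msg = message_from_string(raw_mail)
    m = re.search(r"@([A-Za-z0-9.-]+)", msg["From"] or "")
    return registrable_domain(m.group(1)) if m else None

def link_domains(raw_mail):
    """Registrable domain of every href in the (single-part HTML) body."""
    body = message_from_string(raw_mail).get_payload()
    hosts = [urlparse(u).hostname for u in HREF_RE.findall(body)]
    return [registrable_domain(h) for h in hosts if h]

def is_cloned_template(raw_mail):
    """Flag a mail whose links all lead to one domain other than the sender's.
    Returns (flagged, set_of_off_domain_destinations)."""
    domains = link_domains(raw_mail)
    off = {d for d in domains if d != sender_domain(raw_mail)}
    return bool(domains) and set(domains) == off and len(off) == 1, off
```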

Visiting this URL takes users to a page employing a common Flash Player update social engineering trick. What is interesting about this scam is that the Flash Player update warning is actually displayed as a GIF image loaded from the legit thecoca-colacompany.com website. It's only the link attached to it that has been changed to prompt the download of a malicious executable called adobe_flash_install.exe.

“Installing the file would land the unsuspecting victim with a Zbot infection. […] We detect this file as Trojan.Win32.Generic!BT. While coverage is good for that particular file across most AV products, there’s a good chance we’ll see updated 'Imageshack' mails going out with fresh links, files and exploits so please: if you don’t remember signing up to something, don’t let curiosity get the better of you and simply delete the email,” Christopher Boyd, a security researcher at Sunbelt, advises.

Searching on Google for the subject of these rogue emails reveals several variations of the spam with links pointing to malicious pages hosted on different websites, notably in the co.au and co.za domain space. It seems that many of these websites are legit, but have been compromised.

The practice of abusing the standard email templates of various services is not new, but it has intensified lately. Earlier this month we reported similar campaigns masquerading as notifications from Opera and ShopNBC.

You can follow the editor on Twitter @lconstantin