Zbot Pushers Target UK Vodafone and Verizon Customers

Security researchers warn that a spam campaign distributing a new Zbot version is currently in circulation. The bogus emails try to trick users into opening and installing the malicious attachments, which are passed as a tool for checking the account balance.

The emails have their header spoofed to appear as originating from no-reply@vodafone.co.uk or noreply@verizonwireless.com and their subject is, "Your credit balance is over the limit." The email body is also identical, except for the references to the mobile service operator. "Your credit balance is over its limit. Please use the attached [Operator Name] Balance Checker Tool to review and analyze your payments," it reads.

The attached file is called balancechecker.zip and contains a new version of the Zbot banking trojan. Zbot, also known as Zeus, is a prominent family of information-stealing computer trojans that has been highly successful in stealing money from the bank accounts of both companies and private individuals lately.

"There is a danger that unsuspecting mobile phone owners might fall for the trap, perhaps convinced by the use of Vodafone's logo which is embedded in the email, and launch the file attachment, thus infecting their computers," Graham Cluley, senior technology consultant at Sophos, notes. The version of this trojan is detected by Sophos' products as Mal/Zbot-P.

Security vendors have warned that the email has been increasingly used as a malware-distribution channel in recent months, despite being a very old practice. The Zbot authors have been particularly active on this front and adopted a flurry of themes for their spam campaigns.

Some of the recent Zbot distribution efforts that we reported involved passing it as a Facebook account update tool, an Outlook and TheBat! configuration utility or DHL and UPS invoices. "As always, it's a good idea to treat unsolicited attachments sent to you out of the blue with suspicion. Defending your computers and email gateway with an up-to-date security product is a must if you want to stop hackers hijacking your computer, stealing your identity or tricking you into money-losing scams," Mr. Cluley advises.