Legit articles hijacked to spread malware

Feb 15, 2010 11:57 GMT

Zeus distributors have responded to journalists exposing a recent Zeus spear phishing campaign by hijacking their news articles and using them to target more people. The fresh Zeus spam features alerts about recent attempts to infect government and military systems with the trojan.

Last week, former Washington Post journalist and security reporter Brian Krebs broke the news that .mil and .gov e-mail addresses were targeted in a spear phishing campaign to infect government computers with the Zeus trojan. The malicious messages impersonated the National Intelligence Council (NIC) and passed the malware off as a copy of the legitimate 2020 Project report.

Zeus, or Zbot, is a computer trojan commonly used to steal online banking credentials and perform ACH (Automated Clearing House) transfer fraud. However, the malware can also copy other sensitive information and files from the infected computers. It is worth noting that Zeus is not controlled by a single cyber-criminal gang, but is instead being sold as a crimeware toolkit on Internet underground forums.

One of the latest Zeus attacks, reported by antivirus vendor Sophos, uses content copied from Mr. Krebs' article to trick users into downloading a fake Windows security update. "One of the latest spam samples we’ve seen, duplicates the title and first three paragraphs of a blog entry by well-known security expert Brian Krebs, which discusses a previous iteration of this Zeus attack. As seen below, the spam sample starts off with the same three lines of the blog post, before starting into the phony KB content and links that lead to Zeus malware," Mike Wood, Sophos threat researcher, explains.

Meanwhile, Web security vendor Websense warns of a similar campaign misappropriating content from a blog post on the same subject by Jeffrey Carr, author of "Inside Cyber Warfare." "The spoofed emails capitalize on the last Zeus attack, and claim that installing the Windows update via the links provided will aid protection against Zeus attacks. The binary file downloaded from these links is identified as a Zeus bot and holds 35% AV detection rate," the Websense researchers write.

"It is sometimes said tongue-in-cheek that plagiarism is the sincerest form of flattery, but I wish these crooks would find some other way of expressing their admiration," Brian Krebs commented regarding this recent attack. "I guess I should feel flattered. One of my 'fans' is spoofing my greylogic.us email address. If you receive an email from me with the subject line 'Russian spear phishing attack against .mil and .gov employees', check the full headers because it didn’t come from me," Jeffrey Carr wrote in an update on his blog.
