I received reports this week of emails that reference transactions of which the recipients have no knowledge. The email includes a link for more detail, which then attempts to download a ZIP attachment. Nothing new here; most savvy users would know better than to open an attachment in an unsolicited email.
The interesting thing about this email, however, is that it includes a password previously used by the recipient. Seeing private data in an email like this would definitely raise suspicions that the sender has some kind of connection to the recipient or, worse, has compromised their account details. The ultimate goal for the sender is that the user's curiosity would be piqued sufficiently to open the file, which would, of course, deliver the inevitable malware payload.
Symantec detects the file as Trojan.Zbot, also called Zeus, which is a Trojan horse that attempts to steal confidential information from the compromised computer. It may also download configuration files and updates from the Internet. It specifically targets system information, online credentials, and banking details, but can be customized through the toolkit to gather any sort of information.
So how did these scammers get the passwords? It seems fairly certain that a Web site database has been compromised. A number of sources on the Internet believe it was a major international social gaming Web site which is now most popular in Asia.
The text of the email is as follows:
Dear customer, [password redacted].
Your order has been accepted.
Your order reference is 61035.
Terms of delivery and the date can be found with the auto-generated msword file located at:
http://[domain redacted].com/Orders/Orders.zip?id:00835996Generation_mail=[email address redacted]
Best regards, ticket service. Tel./Fax.: (224) 760 90 618 |
A number of different sites have been hacked over the past month with similar patterns in the malware link, although it is only this week that the social engineering element has been reported. The variants we saw were sent from disposable, free webmail accounts.
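The lure above has several indicators that can be checked mechanically: a generic "Dear customer" salutation followed by a lone token (the victim's old password), a link whose path is a ZIP archive even though the text promises a Word file, the recipient's own address embedded in the link's query string, and a sender on a free webmail domain. The following Python script, added here as an example and not code from the original post or from Symantec, scores a raw message against those indicators. The sample message, the "hunter2" placeholder password, the example.com/example.org addresses and the list of webmail domains are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample modelled on the redacted email quoted above. The sender,
# recipient, hosting domain and password are placeholders made up for this example.
SAMPLE_EMAIL = """\
From: ticket-service-8812@yahoo.com
To: jane.doe@example.org
Subject: Your order has been accepted

Dear customer, hunter2.
Your order has been accepted.
Your order reference is 61035.
Terms of delivery and the date can be found with the auto-generated msword file located
at:
http://orders.example.com/Orders/Orders.zip?id:00835996Generation_mail=jane.doe@example.org
Best regards, ticket service. Tel./Fax.: (224) 760 90 618 |
"""

# A constructed control message that carries none of the indicators.
CONTROL_EMAIL = """\
From: orders@shop.example.com
To: jane.doe@example.org
Subject: Order 61035 shipped

Dear Jane,
Your invoice is available at https://shop.example.com/invoices/61035.pdf
"""

# Free webmail providers; an assumed starting list, extend it for your environment.
FREE_WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "mail.ru"}
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z")

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)
# Generic salutation followed by a single token on the same line (the old password in this campaign).
SALUTATION_RE = re.compile(r"^Dear customer,[ \t]*(\S+?)\.?[ \t]*$", re.IGNORECASE | re.MULTILINE)
# Body text that promises a Word document.
DOC_CLAIM_RE = re.compile(r"\bms ?word\b|\.docx?\b", re.IGNORECASE)


def sender_domain(header_value: str) -> str:
    """Return the lower-cased domain of an address header, or '' if there is none."""
    _, address = parseaddr(header_value)
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def analyse_email(raw: str) -> dict:
    """Score a raw RFC 822 text message against the lure's indicators.

    Returns {"indicators": [(name, evidence), ...], "score": number of indicators}.
    """
    msg = message_from_string(raw)
    body = msg.get_payload()
    _, recipient = parseaddr(msg.get("To", ""))
    indicators = []

    m = SALUTATION_RE.search(body)
    if m:
        indicators.append(("generic_salutation_with_token", m.group(1)))

    archive_links = []
    for url in URL_RE.findall(body):
        parts = urlsplit(url)
        if parts.path.lower().endswith(ARCHIVE_EXTENSIONS):
            archive_links.append(url)
            indicators.append(("archive_download_link", url))
        # The recipient's own address inside the link: per-victim tracking of who clicked.
        if recipient and recipient.lower() in (parts.query + parts.fragment).lower():
            indicators.append(("recipient_address_in_link", url))

    # The text promises a Word file but the only download offered is an archive.
    if archive_links and DOC_CLAIM_RE.search(body):
        indicators.append(("stated_document_type_mismatch", archive_links[0]))

    domain = sender_domain(msg.get("From", ""))
    if domain in FREE_WEBMAIL_DOMAINS:
        indicators.append(("free_webmail_sender", domain))

    return {"indicators": indicators, "score": len(indicators)}


def is_likely_lure(raw: str, threshold: int = 3) -> bool:
    """True when at least `threshold` independent indicators fire."""
    return analyse_email(raw)["score"] >= threshold


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_EMAIL), ("control", CONTROL_EMAIL)):
        result = analyse_email(text)
        print(f"{label}: score={result['score']} lure={is_likely_lure(text)}")
        for name, evidence in result["indicators"]:
            print(f"  {name}: {evidence}")
```

The salutation check only extracts the token; it cannot know whether that token is really one of the recipient's passwords, so treat it as a prompt for the user (or for a breached-credential lookup) rather than proof. The threshold of three is a design choice: any single indicator is common in legitimate mail, but an archive link personalised with the recipient's address and sent from a free webmail account is not.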
If you believe you may have been compromised, run an antivirus scan and change any important passwords, and, if in doubt, check your bank accounts for any suspicious transactions.
It is always a good idea to use different passwords for each site where you register details – for some handy tips on how to manage this, take a look at some password creation methods from our colleagues in Security Response.
In addition to using unique passwords for each site, other best practices that reduce the risk from this kind of attack are:
- Never open or download a file from an unsolicited email
- Keep your operating system updated
- Use a reputable antivirus program
- Enable two-factor authentication whenever available
- Confirm the authenticity of a Web site prior to entering login credentials