Jun 11, 2010

[MedicalConspiracies] Phishing email campaign and ZeuS Trojan Information

Subject: Phishing email campaign and ZeuS Trojan Information

 
I don’t mind if you spam your Internet friends with this.  It’s real, and everyone should know about it.  ZeuS is very bad stuff.  This is exactly the kind of spam people, even smart people, will believe is real.
 
There is a new spam e-mail campaign attempting to infect victims' computers with the ZeuS banking trojan. The messages falsely purport to originate from the U.S. Internal Revenue Service (IRS). The e-mails (Figure 1) display a subject of “Notice of Underreported Income” and instruct the recipient (or victim) to review their tax statement by clicking an embedded link.
Figure 1: Initial e-mail message
 
The victim is redirected to a fake IRS website (Figure 2) when they click the embedded link. The victim is instructed to download their tax statement, which is actually the ZeuS trojan:
 
Figure 2: Fake IRS site
 
 
Zeus (also known as Zbot, PRG, Wsnpoem, Gorhax and Kneber) is a Trojan horse that steals banking information by keystroke logging. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation,[1] it became more widespread in March 2009. In June 2009, security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster, ABC, Oracle, Cisco, Amazon, and BusinessWeek.[2]
Zeus' current botnet is estimated to include millions of compromised computers (around 3.6 million in the United States).[3] As of October 28, 2009, Zeus has sent out over 1.5 million phishing messages on Facebook. On November 3, 2009, a British couple were arrested for allegedly using Zeus to steal personal data.[4] On November 14–15, 2009, Zeus spread via e-mails purporting to be from Verizon Wireless. A total of nine million of these phishing e-mails were sent.[5]
It is still active in 2010.[6][7] A recent outbreak is being called Kneber.[8]
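
The campaign described above depends on a message that presents itself as IRS mail while its embedded link leads somewhere other than the real IRS site. The following is an added example, not part of the original e-mail: a mail-filter style check that flags that mismatch. The sample message, the example.test host names and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "irs.gov"  # domain the message claims to represent
# Constructed sample; example.test is a reserved placeholder host.
SAMPLE = """\
From: "Internal Revenue Service" <notice@mail.example.test>
Subject: Notice of Underreported Income
Content-Type: text/html

<p>Review your tax statement:
<a href="http://www.irs.gov.example.test/statement">www.irs.gov/statement</a></p>
"""

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def on_trusted_domain(url):
    # Exact host or a true subdomain; "irs.gov.example.test" must not pass.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host == TRUSTED or host.endswith("." + TRUSTED)

def check_message(raw):
    """Return (href, text_names_trusted_domain) for each off-domain link
    in a message whose From or Subject presents it as IRS mail."""
    msg = message_from_string(raw)
    claimed = msg.get("From", "") + " " + msg.get("Subject", "")
    if not re.search(r"\bIRS\b|Internal Revenue|Underreported Income", claimed, re.I):
        return []  # not IRS-themed, out of scope for this check
    collector = LinkCollector()
    for part in msg.walk():
        if not part.is_multipart():
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    return [(href, TRUSTED in text.lower())
            for href, text in collector.links if not on_trusted_domain(href)]
```

A second element of True means the visible link text names irs.gov while the actual target is a different host, which is the strongest signal in this check.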
