Friday 4 December 2009

H1N1 malware epidemic is more contagious than real deal


Malware authors are impersonating the CDC in a new scheme to propagate a trojan horse. Fraudulent e-mails sent by a botnet claim that the recipient must register for a fake state vaccination program but really link to a malware-infested phishing website.

The Center for Disease Control (CDC) issued a statement this week to warn citizens about a recent wave of phishing e-mails that deceptively claim to be from the government organization. The e-mails refer to a state vaccination program and tell recipients that they have to create a personal H1N1 vaccination profile.

No such vaccination program exists. A link in the e-mail directs users to a fraudulent website that attempts to infect their computer with malware. Specifically, the fake H1N1 messages are being used to propagate ZBot (also known as Zeus), a trojan horse that powers one of the most active botnets. The program serves as a spam relay and also surreptitiously collects private data about the user to funnel back to the botnet operator.

E-mail security company AppRiver detected the malware campaign earlier this week when it seemingly exploded in volume. The company's researchers wrote about it in a blog entry.

"We are seeing these messages at the extremely high rate of nearly 18,000 messages per minute netting over 1 million of these messages in the first hour alone," they wrote. "It is now officially flu season and considering the recent concerns over the H1N1 vaccine, I expect this to be a highly effective campaign against those who are not protected from this cyber-threat."

Security company Sunbelt Software, which publishes monthly reports on the prevalence of malware threats, says that ZBot held the top spot for seven months but declined sharply last month. Its November report, which was published today, lists ZBot as the second most prevalent malware threat and says that it represents 6 percent of all malware infections. The new H1N1 phishing scheme could potentially give it a boost.

ZBot's authors have used similar tactics in the past. A report at the CA Security Advisor Research Blog describes how previous iterations of the campaign have used fake e-mails claiming to come from the IRS, FDIC, and Microsoft. The websites linked in the e-mails attempt to get users to download the malware. They also have embedded iframes with PDF or Flash content that attempt to take advantage of security vulnerabilities in Adobe's software. Although Adobe has patched known vulnerabilities, users who have not updated to the latest versions are at risk.
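The lure pattern described in this article and in the earlier IRS, FDIC and Microsoft waves is the same: a message that invokes a trusted organization but sends from, and links to, domains the organization does not own. The following added example (written for this page, not code from the article, AppRiver, Sunbelt or CA) is a small Python heuristic that flags exactly that mismatch. The brand-to-domain map is an illustrative assumption, not an authoritative allow-list, and the two sample messages are constructed: their sender addresses and URLs are placeholders in the reserved `.invalid` TLD, not real campaign indicators.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand keywords mapped to the domains the real organization sends from and
# links to. ASSUMPTION for this example only; a production list would be
# maintained from the organizations' published sending and web domains.
BRAND_DOMAINS = {
    "cdc": {"cdc.gov"},
    "irs": {"irs.gov"},
    "fdic": {"fdic.gov"},
    "microsoft": {"microsoft.com"},
}

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)


def _host_matches(host, allowed):
    """True if host is one of the allowed domains or a subdomain of one.
    A suffix check with the leading dot rejects look-alikes such as
    cdc.gov.example.invalid, where the brand is only a subdomain label."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def _brands_mentioned(text):
    """Return the brand keywords that occur as whole words in text."""
    words = set(re.findall(r"[a-z]+", text.lower()))
    return {b for b in BRAND_DOMAINS if b in words}


def _text_parts(msg):
    """Concatenate the decoded text/plain and text/html parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    out = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            out.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def analyze_message(raw):
    """Return human-readable findings for every brand the message invokes
    whose sender domain or link targets fall outside that brand's domains.
    An empty list means no brand/domain mismatch was seen."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    display_name, from_addr = parseaddr(msg.get("From", ""))
    body = _text_parts(msg)
    brands = _brands_mentioned(" ".join([subject, display_name, body]))
    from_host = from_addr.rpartition("@")[2]
    links = URL_RE.findall(body)
    findings = []
    for brand in sorted(brands):
        allowed = BRAND_DOMAINS[brand]
        if from_host and not _host_matches(from_host, allowed):
            findings.append(f"{brand}: sender domain {from_host} is not a {brand} domain")
        for url in links:
            host = urlparse(url).hostname or ""
            if not _host_matches(host, allowed):
                findings.append(f"{brand}: link to {host} is not a {brand} domain")
    return findings


# Constructed sample modelled on the vaccination-profile lure; placeholders only.
PHISH = """\
From: "Centers for Disease Control" <alerts@cdc-vaccine-profile.invalid>
Subject: Create your personal H1N1 vaccination profile
Content-Type: text/plain

The State Vaccination Program requires every resident to register a
personal H1N1 vaccination profile with the CDC before December 15.
Register here: http://cdc-vaccine-profile.invalid/profile/register.php
"""

# Constructed sample of a message that stays on the brand's own domain.
LEGIT = """\
From: "CDC Health Alert Network" <han@cdc.gov>
Subject: H1N1 update
Content-Type: text/plain

Updated H1N1 guidance is posted at https://www.cdc.gov/h1n1flu/
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze_message(sample) or "no findings")
```

Treat the output as a triage signal rather than a verdict: a newsletter that mentions the CDC and links to a news site will also be flagged, so in practice this check feeds a score alongside sender authentication results (SPF/DKIM) and URL reputation rather than blocking on its own.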

Malware propagation is largely an exercise in social engineering. These fraudulent e-mails expand the botnet pool by preying on the ignorance and fear of recipients.

By Ryan Paul
