Ebola Runs Rampant! (In Email Boxes)


Phishers always sense an opportunity whenever the world is fascinated with something. The Royal baby last year, Luis Suarez’ famous World Cup chomp, the Malaysian Airlines tragedies, and now…the Ebola hemorrhagic virus.

The ongoing epidemic in West Africa has piqued people’s interest globally. Symantec has accordingly identified a new spam-and-scam push that uses news of the Ebola virus to power three malware operations and to social-engineer a phishing campaign.

The first malware gambit is a classic, straightforward bait-and-switch. Attackers send out an email with a fake report on the Ebola virus to entice victims—but what users actually get is an infection of their own, in the form of the Trojan.Zbot malware.

In the second campaign, cyber-criminals send out an email that impersonates Etisalat, a telecommunications service provider in the United Arab Emirates with footprints in 18 countries across the Middle East, Asia and Africa. Symantec said that the email claims to offer a high-level presentation on the Ebola virus. An attached zip file with the title "EBOLA – ETISALAT PRESENTATION.pdf.zip" actually executes Trojan.Blueso on the victim's computer.

“Interestingly, the executed Trojan is not the final payload,” Symantec said. “The malware is also crafted to inject W32.Spyrat into the victim’s web browser.”

Spyrat does what the name suggests: it logs keystrokes, records from the webcam, grabs screenshots, opens web pages, enumerates, uploads and deletes files and folders, and gathers details on installed applications, the computer and OS.
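The attachment name in the Etisalat-themed email stacks a document extension (.pdf) in front of an archive extension (.zip). As an added example (not from Symantec or the original article), this Python check flags that naming pattern on the attachments of a parsed message; the extension lists and the sample message are assumptions constructed for illustration.

```python
from email.message import EmailMessage

# Assumed extension lists for illustration; tune them to local mail policy.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg"}
CARRIER_EXTS = {".zip", ".rar", ".7z", ".exe", ".scr", ".js", ".vbs", ".lnk"}


def double_extension(filename):
    """Return (decoy, carrier) when a document-style extension is directly
    followed by an archive or executable extension, otherwise None."""
    # Trailing dots and spaces are dropped by Windows and can hide the real suffix.
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) < 3:
        return None
    # Padding such as "report.doc   .exe" pushes the real suffix out of view.
    decoy, carrier = "." + parts[-2].strip(), "." + parts[-1].strip()
    if decoy in DECOY_EXTS and carrier in CARRIER_EXTS:
        return decoy, carrier
    return None


def flag_attachments(msg):
    """Walk every MIME part and report attachment names with a stacked extension."""
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        hit = double_extension(name) if name else None
        if hit:
            findings.append((name, hit[0], hit[1]))
    return findings


def build_sample():
    """Constructed message; only the attachment name comes from the article."""
    msg = EmailMessage()
    msg["Subject"] = "Ebola presentation (constructed sample)"
    msg.set_content("Please see the attached presentation.")
    empty_zip = b"PK\x05\x06" + bytes(18)  # valid empty archive, no payload
    msg.add_attachment(empty_zip, maintype="application", subtype="zip",
                       filename="EBOLA – ETISALAT PRESENTATION.pdf.zip")
    msg.add_attachment(b"%PDF-1.4\n", maintype="application", subtype="pdf",
                       filename="agenda.pdf")
    return msg


if __name__ == "__main__":
    # Real mail: email.message_from_bytes(raw, policy=email.policy.default)
    for name, decoy, carrier in flag_attachments(build_sample()):
        print(f"suspicious attachment {name!r}: {decoy} followed by {carrier}")
```

A name match is only a triage signal for quarantine or analyst review; it says nothing about what the archive contains.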

The third campaign makes use of more breaking Ebola news rather than the “evergreen” stuff.

“In the last two weeks there has been talk of Zmapp, a promising Ebola drug still in an experimental stage,” Symantec said. “The crooks entice their victims with an email claiming the Ebola virus has been cured and the news should be shared widely. The email attachment is Backdoor.Breut malware.”

And then there’s the phishing campaign, which uses the venerable 24-hour CNN news channel as bait. Here, the scammers impersonate a CNN alert with “breaking Ebola news” (and Symantec adds, with some terrorism thrown in). It gives a brief story outline and then includes links to an “untold story,” “how-to” precaution information and a list of targeted regions.

If the user clicks on the links in the email they are sent to a web page, asked to select an email provider, and asked to input their log-in credentials. If the user performs this action, the email log-in credentials will be sent directly to phishers.

The victim is likely none the wiser; after plugging in the credentials, he or she is redirected to the real CNN home page.

To stay safe, the firm offered consumers some time-tested advice: “Symantec advises all users to be on guard for unsolicited, unexpected or suspicious emails. If you are not sure of the email’s legitimacy then don’t respond to it, and avoid clicking on links in the message or opening attachments.”
