Intelligence and military personnel from several countries – including the US, Australia, and the UK – were the targets of yet another Zeus trojan phishing operation. According to research by Websense Security Labs, this time the spammers turned clever tricksters, as they attempted to capitalize on the previous attack by sending messages from what appeared to be a trusted source within the intelligence community.
“I guess I should feel flattered”, commented Jeffrey Carr in a blog posting warning his colleagues about the ruse. Carr is the CEO of GreyLogic, a Washington-based cybersecurity consultant. Apparently the attackers employed a bit of social engineering by sending follow up emails to the same departments that received the earlier phishing attempt. This email reviewed the Zeus trojan threat from earlier in the week and assured readers that downloading a linked zip file would fix a security issue that the previous attack sought to exploit.
It was the same type of set up that presented itself to this very same group of targets earlier in the week.
According to both Websense and Carr, the Zeus bot delivered by the links is often missed by up-to-date antivirus software. "The binary file downloaded from these links is identified as a Zeus bot and holds [a] 35% AV detection rate,” noted Websense in its security blog. “Once again URLs in the email messages lead to a malicious file hosted on a compromised host, and also on a popular file hosting service.”
Furthermore, the email's signature lifted details from Carr’s online bio to give the impression that the email was from a trusted source. But, as he noted in his response to the incident, Carr does not use this information for any of his corporate or intelligence-related email addresses.
“As far as I and a few colleagues can tell, this is the first instance of a phishing scheme sent out as a warning about phishing schemes, pretending to be written by an InfoSec author and blogger”, said Carr in a subsequent blog posting. “Considering the sophistication of the malware and the ingenuity of the attack, my recommendation is that you not take any emails for granted. View the full header if you’re even a bit suspicious about the content, and by all means, don’t click on a link or download a file without carefully examining it for irregularities.”