Every security expert urges users to patch their systems as soon as a new update becomes available, and there is genuine urgency to it. But 'urgency' is also one of the psychological levers that criminals pull in social engineering. A target who believes something is urgent tends to respond before fully weighing the implications, which is why spam so often exhorts the reader to 'act quickly' or 'do this now' to avoid some disappointment or penalty.
It seemed inevitable that the urgency of patching would sooner or later be harnessed to the urgency of social engineering, and, according to Kaspersky Lab, it now has been. "Last week," wrote Kaspersky expert Andrey Kostin in a company blog posted this morning, "Kaspersky Lab identified a mass mailing of phishing letters sent in the name of leading IT security providers."
There are several variants of the email, but they all follow the same basic template: a major anti-virus firm is supposedly providing an important update needed to protect the user from "new malware circulating over the net." It is, of course, highly important. "To complete this action please double click on the system patch KB923029 in the attachment. The installation will run in the silent mode."
Native English speakers might pause over the superfluous definite article in that last sentence ('the silent mode'); non-native speakers probably would not notice it. The real danger is that recipients, anxious to protect their computers, do exactly what the email urges and double-click the attachment. That would be a bad idea.
"As a matter of fact," says Kostin, "there is a malicious program in the attached archive, detected by Kaspersky Lab's products as Trojan-Spy.Win32.Zbot.qsjm." In other words, the criminals are relying on users' desire to be secure to get round their security and infect their computers with perhaps the most infamous of all the malware "circulating over the net" – Zeus.
This trojan, he continues, "belongs to the renowned Zeus/Zbot family, and is designed to steal confidential user information, preferably banking and financial data. Using this malware, cybercriminals can modify the contents of banking sites by planting malicious scripts in them to steal authentication data such as login credentials and security codes. To these ends Trojan-Spy.Win32.Zbot.qsjm can also take screenshots and even capture video, intercept keyboard input, etc. In addition, this Trojan is notable in that it does not access a pre-determined C&C to receive commands and a configuration file, but rather uses a P2P protocol to receive this data from other infected computers."
"We would like to remind readers," comments Kostin, "that no reputable IT security manufacturer would send security updates for its product in a zipped attachment to an email address. Moreover, we don't recommend opening any file attached to an email unless you are expecting it and know who the sender is."
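Kostin's two rules (no vendor ships patches as a zipped email attachment; do not open unexpected attachments) are easy to turn into a mail-gateway heuristic for the lure described above: an urgent "security update" message whose ZIP attachment holds an executable. The script below is an added example written for this page, not code from Kaspersky Lab or from the original article; the sender address, recipient and lure phrases are constructed, and the "attachment" it builds is a harmless two-byte `MZ` stub named like the fake patch, not real malware.

```python
"""Flag e-mails matching the fake 'security update' lure: urgency phrases in the
body plus a zipped (or bare) executable attachment.
Added example with a constructed sample message; nothing here is real malware."""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Lure wording taken from the campaign above plus generic urgency cues.
URGENCY_PHRASES = [
    r"\bimportant update\b", r"\bdouble[- ]click\b", r"\bsystem patch\b",
    r"\bsilent mode\b", r"\bact (?:now|quickly|immediately)\b",
    r"\bnew malware\b",
]
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar")


def lure_phrases(text):
    """Return the urgency/lure patterns present in the message body."""
    return [p for p in URGENCY_PHRASES if re.search(p, text, re.IGNORECASE)]


def suspicious_members(zip_bytes):
    """List archive members that are executables by extension or by 'MZ' header.
    Encrypted members cannot be inspected, so they are reported as suspect too."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.flag_bits & 0x1:  # bit 0 of the general-purpose flags = encrypted
                found.append(name + " (encrypted)")
                continue
            head = zf.open(info).read(2)
            if name.lower().endswith(EXECUTABLE_EXT) or head == b"MZ":
                found.append(name)
    return found


def analyse(raw_eml):
    """Return findings for one raw RFC 5322 message (bytes)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_eml)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    findings = {"lure_phrases": lure_phrases(text), "zipped_executables": [], "verdict": "clean"}
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if fname.lower().endswith(".zip") or payload[:2] == b"PK":
            try:
                findings["zipped_executables"] += suspicious_members(payload)
            except zipfile.BadZipFile:
                findings["zipped_executables"].append(fname + " (corrupt archive)")
        elif fname.lower().endswith(EXECUTABLE_EXT) or payload[:2] == b"MZ":
            findings["zipped_executables"].append(fname + " (bare executable)")
    if findings["zipped_executables"] and findings["lure_phrases"]:
        findings["verdict"] = "phishing: security-update lure with executable attachment"
    elif findings["zipped_executables"]:
        findings["verdict"] = "suspicious: executable attachment"
    return findings


def build_sample():
    """Constructed sample resembling the campaign. Sender/recipient are
    hypothetical; the ZIP member is a 2-byte 'MZ' stub, not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("KB923029.exe", b"MZ")
    msg = EmailMessage()
    msg["From"] = "support@example-av-vendor.test"  # hypothetical spoofed vendor
    msg["To"] = "user@example.test"
    msg["Subject"] = "Important security update"
    msg.set_content(
        "A new malware is circulating over the net. To complete this action "
        "please double click on the system patch KB923029 in the attachment. "
        "The installation will run in the silent mode."
    )
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="KB923029.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(analyse(build_sample()))
```

Running it on the constructed sample reports the four lure phrases in the body and `KB923029.exe` inside the archive, and the verdict is "phishing". The two signals are kept separate on purpose: an executable attachment alone is "suspicious" and worth quarantining, but the combination with patch-and-urgency wording is what distinguishes this campaign from, say, a colleague mailing a zipped tool.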