Increase in Zeus Phishing Emails

Posted on February 8th, 2010 by Ryan Spanier

GSA Reference Number: AD100205-01

Simply Put: Gladiator has been alerted to an increased number of phishing scams trying to trick users into installing Zeus Trojans. These emails are sent using spoofed sender addresses, generally pretending to be from government sources such as the NSA or Pentagon. The emails also contain text that could reasonably appear to be from the supposed sender, such as a government advisory or alert.

Attack Details: These emails share common traits that users can recognize. The emails try to get users to download the Trojan in one of two ways:

  • Via a link to a free download website, such as Rapidshare or Sendspace. These services would not normally be used for official communications of this nature, and links to them in an email should not be clicked.
  • Via a zip file attachment which contains an executable file. These executable files are detected by some antivirus vendors, but not all. In general, do not open file attachments unless the sender is trusted and you are specifically expecting an attachment from them.

The Zeus Trojan is data-stealing malware.  This variant will try to copy documents from the hard drive and upload them to an FTP site.  Document types include pdf, doc and xls.  Furthermore, the Trojan will attempt to monitor usernames and passwords used on the system, and report those as well.  More information on Zeus can be found here.

Countermeasures: Users should be immediately notified of the existence of this phishing threat and instructed to delete any suspicious emails. Any currently infected machines should be removed from the network and the necessary incident response measures carried out. Gladiator has added recognition patterns to our eShield email service to deny emails matching the current phishing scheme and will continue to block sites at the firewall if they are found to be hosting this scam. Gladiator has also blocked client traffic destined for the FTP server that is currently being used as a data dump for this version of the Zeus Trojan.
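The three traits listed under Attack Details (a spoofed government sender, a link to a free download site, a zip attachment carrying an executable) can be turned into a mail-triage check of the kind the Countermeasures paragraph describes. The script below is an added illustration, not Gladiator's eShield patterns or any code from the advisory; the sample message it inspects is constructed here, and the sender address, URL path and file names in it are placeholders.

```python
import email.utils
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Free file-hosting services named in the advisory; a genuine government
# advisory would not direct staff to fetch material from these hosts.
FILE_HOST_RE = re.compile(r"https?://(?:[\w.-]+\.)?(?:rapidshare|sendspace)\.com/\S+", re.I)
GOV_NAME_RE = re.compile(r"\b(?:NSA|Pentagon)\b", re.I)
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat")

def flag_message(raw: bytes) -> list[str]:
    """Return the advisory's phishing traits found in one raw RFC 5322 message (empty = none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # Trait 1: display name claims NSA/Pentagon, but the address is not .gov/.mil
    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    if GOV_NAME_RE.search(name) and not addr.lower().endswith((".gov", ".mil")):
        findings.append(f"spoofed government sender: {name!r} <{addr}>")
    # Trait 2: links to free download sites in the message text
    body = msg.get_body(preferencelist=("plain", "html"))
    for m in FILE_HOST_RE.finditer(body.get_content() if body else ""):
        findings.append(f"file-host link: {m.group(0)}")
    # Trait 3: a zip attachment that carries an executable (inspected in memory only)
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if not fname.endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_content())) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXECUTABLE_EXT):
                        findings.append(f"executable in zip: {fname}!{member}")
        except zipfile.BadZipFile:
            findings.append(f"unreadable zip attachment: {fname}")
    return findings

def build_sample() -> bytes:
    """Constructed sample modelled on the advisory's description; not a captured email."""
    msg = EmailMessage()
    msg["From"] = "NSA Security Advisory <alerts@example-mailer.test>"  # constructed spoof
    msg.set_content("Download the full advisory from\nhttp://rapidshare.com/files/000000/advisory.zip\n")
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("advisory.exe", b"placeholder bytes, not a real binary")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip", filename="advisory.zip")
    return msg.as_bytes()
```

Running `flag_message(build_sample())` reports all three traits; a plain message from an ordinary sender with no links or attachments yields an empty list.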
