Site Archives Phishing

Increase in Zeus Phishing Emails

Posted on February 8th, 2010

GSA Reference Number: AD100205-01

Simply Put: Gladiator has been alerted to an increased number of phishing scams trying to trick users into installing Zeus Trojans.  These emails are sent using spoofed sender addresses, generally pretending to be from government sources such as the NSA or Pentagon.  The emails also contain text that could reasonably appear to be from the supposed sender, such as a government advisory or alert.

Google Job Application Phishing Email

Posted on February 1st, 2010

GSA Reference Number: AD100201-01

Simply Put: A fraudulent email is currently circulating that appears to be from Google in response to a job application.  The email scam informs recipients that their application has been received and that it is attached in a zip file.  The zip file contains a malicious executable that is identified as a Trojan downloader.

Holiday Malware Risks

Posted on December 9th, 2009

Happy Holidays!  This is just a reminder that the Holidays are always a very active time for the “bad guys.”  Malware writers and phishers prey on our cheery attitudes and overactive messaging habits to slip in malicious emails.  There are a few popular attacks that pop up like clockwork around the holidays each year, and so you should make your users aware of these attacks.

CDC Phishing Email

Posted on December 3rd, 2009

GSA Reference Number: AD091203-01

Simply Put: A fraudulent email is currently circulating that appears to be from the Center for Disease Control (CDC).  The email scam informs recipients that they need to register with the CDC due to the launch of a fictitious “State Vaccination H1N1 Program.”  There is a link in the email that will forward users to a fake website that will actually install the ZeuS Trojan.

NACHA Phishing Email

Posted on November 12th, 2009

GSA Reference Number: AD091112-01

Simply Put: A fraudulent email is currently circulating that appears to be from NACHA, the Electronics Payment Association.  The email includes a link that will forward users to a fake website that instructs the user to download a report about a failed ACH transaction.  This report is actually malicious software (Zeus/Jabber).  We have already detected infections at several financial institutions as a result of this scam.

Fraudulent Email Claiming to be from the FDIC

Posted on October 27th, 2009

GSA Reference Number: AD091026-01

Simply Put: A phishing email is currently circulating that appears to be from the Federal Deposit Insurance Corporation (FDIC).  The email includes a link that will forward users to a fraudulent website that will request personal information and attempt to infect the user’s machine with viruses.  We have already detected infections at several financial institutions as a result of this email.

In-Session Phishing

Posted on January 16th, 2009

Security researchers have found yet another new technique phishers are using to collect user information.  The new method is called “in-session phishing” and involves creating a pop-up requesting the user to re-enter username and password information for an already open banking session.  First, the site hosting the malicious code will try to detect whether the user has an open banking session.  The malicious site then will create a pop-up that indicates that the banking session has expired and the user credentials must be entered again.  Information then typed into the malicious pop-up will be recorded by the phishers.  Researchers also have stated that the pop-up may be cleverly masked and also can come in the form of customer satisfaction surveys or advertisements.  Since the site is not technically injecting code or files onto the user’s machine, this type of attack will be harder to detect than normal trojans or viruses.