ZBot Spammed Through Capital One Phishing Site

Trend Micro security researchers state that they have detected a weird amalgamation of the ZBot malware and a phishing scam targeting Capital One in an extremely novel spam outbreak, as reported by Trend Labs on October 22, 2009.

Capital One Financial Corp is a US-based bank holding organization specializing in home and automobile loans, savings products, banking and credit cards.

Describing the scam in detail, the security researchers said that people were getting an e-mail that addressed the recipient as 'Capital One Tower NetSM' or 'Treasury Optimizer User.' It then stated that, based on the newly issued clauses in the mutual Data Access Agreement between the recipient's organization and Capital One, a Digital Certificate would be given to the recipient's organization.

The message also added that since client data was private in character, could be accessed online from anywhere in the world and had the potential of being captured for fraud, it was essential that the system knew the user's authorization and identity.

However, if users click on the given link, they land on a phishing site where, after they enter their login details, a web link is provided that supposedly downloads the digital certificate.

The link actually downloads a variant of ZBot that attempts to intercept users' keystrokes and capture their identifying details, particularly their monetary or financial information. In addition, the malware captures screenshots of the desktop.

Furthermore, the ZBot variant steals everything contained in the Windows Protected Storage, along with certificates that are held on the infected computer. It also steals usernames and passwords used for access over the FTP and POP3 protocols.

The researchers said that the ZBot would begin its primary function of information theft after establishing a link with a certain remote server and downloading an encrypted configuration file. That file would contain an address to which the ZBot would subsequently upload the data phished from specified websites; another address for downloading yet another ZBot variant; and the address for downloading an additional configuration file.

Related article: ZBot Trojan Proliferating Inside Facebook: Trend Micro

SPAMfighter News - 11/4/2009



