Spam Campaign Piggybacks on RSA Breach: AppRiver
According to researchers at the security company AppRiver, a new spam campaign is trying to take advantage of the March 2011 breach at RSA Security, which affected more than 40m SecurID tokens.
The fraudulent e-mails pose as notices from RSA informing recipients that a dangerous security flaw has been found in one particular type of the company's tokens, and asking them to click a link to verify that their own tokens are safe.
The e-mails go on to say that if a token is reported as unsafe, the recipient should download and install a security update from a second link.
As usual, that link leads not to an update but to malware: an executable named blocked_list(dot)EXE, detected as a variant of the information-stealing ZBot Trojan.
When run, the program copies itself into the system folders, deletes the original blocked_list(dot)EXE, and then injects itself into processes such as explorer.exe and winlogon.exe in order to stay hidden.
It also takes steps to resist removal, after which it begins issuing DNS requests for pseudo-random domain names under the .org, .biz, .net and .info TLDs. The names are 15-16 characters long, and each one appears to be tried four times before the algorithm moves on to the next generated domain.
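The query pattern described above (15-16 character second-level names under .org, .biz, .net or .info, each tried four times) is the kind of thing a defender can look for in DNS resolver logs. The following is an added example, not code from AppRiver or from the article: a small Python detector run over constructed log lines in a hypothetical "timestamp client qname" format. The length, TLD set and repeat count come from the article; the log format, sample domains and the `min_domains` threshold are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample resolver log: "timestamp client query-name" per line.
# The 15-16 character names below are made up for this example.
SAMPLE_DNS_LOG = """
2011-07-28T10:00:01 10.0.0.5 www.example.com
2011-07-28T10:00:02 10.0.0.5 mail.example.org
2011-07-28T10:00:03 10.0.0.7 qzkfmrwtlxpvbhge.org
2011-07-28T10:00:04 10.0.0.7 qzkfmrwtlxpvbhge.org
2011-07-28T10:00:05 10.0.0.7 qzkfmrwtlxpvbhge.org
2011-07-28T10:00:06 10.0.0.7 qzkfmrwtlxpvbhge.org
2011-07-28T10:00:07 10.0.0.7 hvtrqpxmnlkcbdfs.biz
2011-07-28T10:00:08 10.0.0.7 hvtrqpxmnlkcbdfs.biz
2011-07-28T10:00:09 10.0.0.7 hvtrqpxmnlkcbdfs.biz
2011-07-28T10:00:10 10.0.0.7 hvtrqpxmnlkcbdfs.biz
2011-07-28T10:00:11 10.0.0.7 rlpwkzqmxtvbcgh.net
2011-07-28T10:00:12 10.0.0.7 rlpwkzqmxtvbcgh.net
2011-07-28T10:00:13 10.0.0.7 rlpwkzqmxtvbcgh.net
2011-07-28T10:00:14 10.0.0.7 rlpwkzqmxtvbcgh.net
2011-07-28T10:00:15 10.0.0.5 wikipedia.org
2011-07-28T10:00:16 10.0.0.9 thisisalongerhostname.info
"""

# TLDs named in the article as used by the sample's domain generation.
SUSPECT_TLDS = {"org", "biz", "net", "info"}
LABEL_RE = re.compile(r"^[a-z0-9]+$")


def second_level(qname):
    """Return (second-level label, tld) for a query name, or (None, None)."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None, None
    return labels[-2], labels[-1]


def is_dga_candidate(qname, min_len=15, max_len=16, tlds=SUSPECT_TLDS):
    """Match the article's description: 15-16 char alphanumeric label
    directly under one of the suspect TLDs."""
    sld, tld = second_level(qname)
    if sld is None or tld not in tlds:
        return False
    return min_len <= len(sld) <= max_len and bool(LABEL_RE.match(sld))


def parse_dns_log(text):
    """Parse the assumed 'timestamp client qname' format into (client, qname)."""
    queries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the whole scan
        _timestamp, client, qname = parts
        queries.append((client, qname.lower()))
    return queries


def find_dga_activity(text, repeats=4, min_domains=2):
    """Return {client: {domain: count}} for clients that queried at least
    `min_domains` candidate domains, each at least `repeats` times.
    The per-domain repeat count of four comes from the article; requiring
    more than one such domain per client is an assumption to cut noise."""
    per_client = defaultdict(Counter)
    for client, qname in parse_dns_log(text):
        if is_dga_candidate(qname):
            per_client[client][qname] += 1
    alerts = {}
    for client, counts in per_client.items():
        repeated = {d: n for d, n in counts.items() if n >= repeats}
        if len(repeated) >= min_domains:
            alerts[client] = repeated
    return alerts


if __name__ == "__main__":
    for client, domains in find_dga_activity(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(domains)} repeated candidate domains")
        for domain, count in sorted(domains.items()):
            print(f"  {domain} x{count}")
```

On the constructed log only client 10.0.0.7 is reported; the long-label .info query from 10.0.0.9 and the ordinary .org lookups from 10.0.0.5 fall outside the 15-16 character window and are ignored. In practice a length-and-TLD filter alone produces false positives, so a real detector would add a rarity check (e.g. domains never seen before on the network) or NXDOMAIN rates before alerting.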
Interestingly, AppRiver's researchers describe the spam as carefully crafted and very convincing in appearance. The e-mails carry the seals of the Central Security Service and the National Security Agency, although the many spelling errors should give away their fraudulent nature.
Commenting on the campaign, AppRiver security researcher Troy Gill said that while he did not expect most people to fall for it, a significant number would, and some of them would quietly connect it with the RSA breach. That connection could make the e-mails seem legitimate and worth opening, Gill added. Softpedia.com published this on July 28, 2011.
» SPAMfighter News - 09-08-2011