
Solo attacker likely responsible for phishing campaign, delivering Zeus variant

Phishing emails, a phishing kit and phony browser alerts are being used to steal credentials and deliver a variant of the Zeus trojan, and researchers with PhishLabs – the security firm that identified the threat – believe the operations are being carried out by a single individual.

In a Friday email correspondence, Don Jackson, director of threat intelligence with PhishLabs, told SCMagazine.com that the tools and tactics being used are indicative that this is a one-person job – although, he added, there are no clues as to who the attacker is and where they are located.

“The scale of attacks is small, and the gains only make economic sense if the operation is ‘masterminded’ with little reliance on other partners or outside criminal-to-criminal services that would reduce profit margins,” Jackson said.

To deliver the Zeus variant via phony browser alerts, the attacker first sends out phishing emails through compromised email accounts, a PhishLabs post indicates. The phishing email makes reference to a wire transfer and asks recipients to verify by opening an attachment in the email.

The attachment is an HTML file that, when opened, loads a phishing kit in the victim's browser, Jackson said.

“A phishing kit is a collection of files designed to impersonate the look, feel, and functionality of a legitimate website in order to convince users to enter information such as user names, passwords, PINs, security question answers, and anything else that allows a phisher to access or take over the legitimate user's account on that service,” Jackson said.

In this instance, the phishing kit appears as a Google Drive page that asks recipients to log in via Gmail, AOL, Yahoo!, Outlook, or other accounts, according to the post. Clicking on any of the services brings up a branded login box, and any credentials entered are sent directly to the attacker.

Afterward, victims are redirected to a browser alert indicating that unusual activities were detected on the browser, the online document file reader was blocked due to security preferences, and the browser must be updated in order to view documents.

Clicking the ‘Download and Install’ button at the bottom of the browser alert leads to the installation of a Zeus variant, which is based on the source code for version 2.0.8.9, the post indicates. Jackson said the variant is similar to most other versions of Zeus.

“In this case, however, it ignores man-in-the-middle automated account raids in favor of wholesale theft of bank account information, email account credentials, stored browser passwords, anything typed in on a keyboard, and anything entered into a form on a web page, especially those sensitive enough to be protected using the HTTPS protocol, including practically all logins for any online service,” Jackson said.

Indicators suggest the attacker – who seems to be primarily going after credentials for accounts used in financial transactions – is monitoring awareness of their activities, and is taking efforts to stay under the radar and ensure operations can continue, Jackson said.

“The cybercriminal in this case registers multiple domains, all pointing to the same system used to host [their] scam pages and malware,” Jackson said. “As soon as one domain name shows up on watchlists or malware reports, new links are seeded with previously unknown domain names.”
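The domain-rotation tactic Jackson describes has a straightforward defensive counter: when all of the attacker's domains resolve to the same hosting system, a blocked domain can be pivoted on to find its siblings, including names registered after the first one was watchlisted. The script below is an added illustration and is not code from PhishLabs or from the article. It runs over constructed passive-DNS-style records (reserved `.example` names, RFC 5737 documentation addresses, made-up dates), and the `max_domains_per_ip` threshold is an assumed heuristic for skipping shared-hosting or CDN addresses, where an IP pivot would sweep in unrelated sites.

```python
from collections import defaultdict

# Constructed passive-DNS style observations: (domain, resolved IP, first seen as
# an ISO date string). None of these are real indicators from the PhishLabs report.
PDNS_RECORDS = [
    ("drive-verify-docs.example",   "203.0.113.45", "2014-08-01"),
    ("secure-wire-confirm.example", "203.0.113.45", "2014-08-03"),
    ("gdrive-share-login.example",  "203.0.113.45", "2014-08-06"),
    ("news.example.org",            "198.51.100.7", "2012-01-01"),
    ("cdn.example.org",             "198.51.100.7", "2012-01-01"),
]


def build_indexes(records):
    """Return (ip -> set of domains, domain -> set of IPs) lookup tables."""
    by_ip = defaultdict(set)
    by_domain = defaultdict(set)
    for domain, ip, _first_seen in records:
        by_ip[ip].add(domain)
        by_domain[domain].add(ip)
    return by_ip, by_domain


def related_domains(seed, records, max_domains_per_ip=20):
    """Domains that share a hosting IP with `seed`, excluding `seed` itself.

    IPs hosting more than `max_domains_per_ip` names are treated as shared
    hosting or CDN space and skipped (assumed threshold): pivoting through
    them is the main source of false positives in this kind of analysis.
    """
    by_ip, by_domain = build_indexes(records)
    related = set()
    for ip in by_domain.get(seed, ()):
        neighbours = by_ip[ip]
        if len(neighbours) > max_domains_per_ip:
            continue
        related |= neighbours - {seed}
    return related


def expand_watchlist(watchlist, records, max_domains_per_ip=20):
    """Grow a watchlist until no new domain is reachable via shared IPs."""
    known = set(watchlist)
    frontier = set(watchlist)
    while frontier:
        new = set()
        for domain in frontier:
            new |= related_domains(domain, records, max_domains_per_ip) - known
        known |= new
        frontier = new
    return known


def newly_seeded(seed, records, since, max_domains_per_ip=20):
    """Related domains first observed on or after `since` (ISO date string),
    i.e. names most likely registered after `seed` landed on a watchlist.
    ISO dates compare correctly as plain strings, so no date parsing is needed."""
    first_seen = {}
    for domain, _ip, day in records:
        first_seen[domain] = min(day, first_seen.get(domain, day))
    return {d for d in related_domains(seed, records, max_domains_per_ip)
            if first_seen[d] >= since}


if __name__ == "__main__":
    seed = "drive-verify-docs.example"
    print("siblings:", sorted(related_domains(seed, PDNS_RECORDS)))
    print("full cluster:", sorted(expand_watchlist({seed}, PDNS_RECORDS)))
    print("seeded since 2014-08-02:",
          sorted(newly_seeded(seed, PDNS_RECORDS, "2014-08-02")))
```

In practice the records would come from a passive-DNS feed or internal resolver logs rather than a literal list, and the output of `expand_watchlist` is a candidate list for analyst review or proxy alerting, not an automatic block list: the threshold only reduces the shared-hosting problem, it does not eliminate it.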

The sample phishing email provided in the post suggests that English speakers are being targeted, but Jackson was not immediately available to respond to a follow-up inquiry.
