Zeus phishing wave targets Outlook Web Access users

Security experts this week identified a fresh spam campaign attempting to push the malevolent, password-stealing Zeus trojan to corporate email users.

Researchers at internet security firm Trusteer said on Wednesday that they identified a new global spam run being launched against users of Microsoft's Outlook Web Access webmail service. The phony emails attempt to install the trojan by tricking users into believing they have to update their webmail settings.

The messages are especially well crafted and executed, according to Trusteer. To lend legitimacy, they appear to come from the organization at which the recipients work. In addition, they contain a link appearing to belong to the targeted corporation.

"It looked almost genuine to me," Trusteer CTO Amit Klein told SCMagazineUS.com on Thursday. "If that happens to me, who knows what happens to people who are not in the security profession?"

Recipients who click on the link are brought to an authentic-looking Outlook Web Access site, where they are asked to download the new settings, which actually turn out to be the Zeus trojan, also known as Zbot, according to Trusteer. These landing pages are hosted on servers in a number of countries, including in Europe and Latin America.

Once installed on a PC, Zeus sits silently until a victim visits a financial account page, such as a bank or brokerage firm, Klein said. The trojan targets corporate users, in particular, because they may try to access business accounts with high balances.

The malware is customized not just to steal login details; it can also conduct a "man-in-the-browser" attack to replace the bank's login page with a counterfeit version, thus allowing the culprits to make the page say anything they want, Klein said.

"Zeus just sits there in the browser," he said. "It does whatever it takes to extract credentials and personal information from you so its operator can log in later and take over your bank account."

Anti-virus detection of Zeus remains low, he said.
