Security experts this week identified a fresh spam campaign attempting to push the malevolent, password-stealing Zeus trojan to corporate email users.
Researchers at internet security firm Trusteer said on Wednesday that they identified a new global spam run being launched against users of Microsoft Outlook Web Access webmail service. The phony emails attempt to install the trojan by tricking users into believing they have to update their webmail settings.
The messages are especially well crafted and executed, according to Trusteer. To lend legitimacy, they appear to come from the organization at which the recipients work. In addition, they contain a link appearing to belong to the targeted corporation.
“It looked almost genuine to me,” Trusteer CTO Amit Klein told SCMagazineUS.com on Thursday. “If that happens to me, who knows what happens to people who are not in the security profession?”
Recipients who click on the link are brought to an authentic-looking Outlook Web Access site, where they are asked to download the new settings, which actually turn out to be the Zeus, also known as Zbot, trojan, according to Trusteer. These landing pages are being hosted by servers in a number of countries, including in Europe and Latin America.
Once installed on a PC, Zeus sits silently until a victim visits a financial account page, such as a bank or brokerage firm, Klein said. The trojan targets corporate users, in particular, because they may try to access business accounts with high balances.
The malware is customized not just to steal login details, but also can conduct a “man-in-the-browser” attack to replace the bank’s login page with a counterfeit version, thus allowing the culprits to make the page say anything they want, Klein said.
“Zeus just sits there in the browser,” he said. “It does whatever it takes to extract credentials and personal information from you so its operator can login later and take over your bank account.”
Anti-virus detection of Zeus remains low, he said.