Application security, Malware, Phishing, Threat Management, Vulnerability Management

Latest Zeus attack propagated via fake iTunes receipt

U.S. and international authorities may have just made a serious dent in the manpower behind the Zeus botnet, but dozens of arrests aren't stopping the data-stealing trojan from spreading.

The latest Zeus spam campaign targeted iTunes users and attempted to trick them into installing the insidious malware, designed to hijack online banking credentials from its victims, security firms warned this week.

The messages, which appeared to have been sent from Apple's iTunes Store with the address donotreply@itunes[dot]com, arrived with the subject "Your receipt #" followed by a random number, Fred Touchette, senior security analyst at email protection vendor AppRiver, wrote in a blog post Tuesday. The fake receipts claimed the recipient's iTunes order cost hundreds of dollars.

“People buying music from iTunes are getting used to seeing these receipts in their inboxes,” Touchette told on Tuesday. “If [attackers] can get them nervous about the amount of the receipt, they can get them to click on a link.”

Links in the bogus receipt lead to one of approximately 100 domains ending in .info, all of which were registered with GoDaddy. Once clicked, the links redirected users to another site where the Zeus trojan is waiting to infect victims.

The final site that users landed on attempted to automatically download a file claiming to be Adobe Flash Player, but it actually was the malicious payload, Touchette said.

The messages began cropping up on Friday, not long after a separate spam run spoofing the social networking site LinkedIn aimed to foist Zeus on victim PCs. The iTunes campaign is no longer active, and all the domains that attackers were using have been blacklisted, Touchette said.

In the past, attackers have used fake iTunes receipts to lure users to websites selling pharmaceuticals, as well as phishing sites that try to trick users into logging into fake web pages to dupe them into handing over account credentials, researchers at Mac security firm Intego, wrote in a blog post Tuesday.

U.S. and foreign authorities last week announced a series of arrests disrupting an international cybercrime operation linked to Zeus.

The latest attacks indicate that even in spite of last week's arrests, the cyber gangs that use Zeus have not been phased and do not plan on stopping, Touchette said.

“Zeus hasn't shown any signs of letting up,” he said. “Zeus has been so readily available on the underground forums as a kit that many people have their hands on it. It's going to be difficult to put a dent on its output.”

Last week's Zeus arrests focused primarily on so-called money mules, who allegedly laundered stolen funds for Zeus-based attacks against U.S. and U.K. bank account holders.

As a result, the arrests likely will place some money mule operations out of business in the short term but will not stop to bank fraud overall, Avivah Litan, vice president and distinguished analyst at Garner wrote, in a blog post Friday.

“The arrests will not stop (Automated Clearing House) and wire fraud,” Litan wrote. “It just slows down the ability for the fraudsters to use Zeus to commit it. There are many other attack vectors that enable the crooks to get into online bank accounts and money transfers that don't use Zeus."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.