Spammers taking advantage of the presidential election buzz are delivering the banking trojan Zeus to users who fall for email ploys purporting to come from CNN.
Users, primarily in the United States and Canada, have been infected by the phishing campaign, in which emails that appear to be CNN news articles about the election link to malicious URLs hosting the BlackHole exploit code.
Security firm Trend Micro published a blog post Thursday about the Zeus variant, dubbed “Tspy_Zbot,” which deletes the initial executed copy of itself and monitors user activities to seize login credentials used for online banking.
Jamz Yaneza, threat research manager at Trend Micro, told SCMagazine.com on Friday that it's nothing new for attackers to leverage popular news to spread malware. What's unique in this case is the new variant of Zeus.
“We keep seeing this every time there's any kind of major event that is going on – in this case being a political election,” Yaneza said. “The bad guys always seem to use a new variant that will target victims through email. They are using the BlackHole spam phishing kit to make these emails or subject lines more humanized or professional.”
Yaneza said users often have no idea they have clicked a malicious link, as redirection to a malicious URL occurs in the background.
Security firm Websense also detected the phishing campaign and published a blog post Wednesday on the findings.
"Specifically, we have detected thousands of emails with this kind of content," the blog post said of phishing emails that read "CNN Breaking News" in the subject line. "We are seeing an increasing number of spam campaigns with malicious links that lead to BlackHole exploit pages."