Monster Spam Campaigns Lead to Cyberheists

MrBrian · Oct 4, 2011

From http://krebsonsecurity.com/2011/10/monster-spam-campaigns-lead-to-cyberheists/:

Security firm Symantec says it detected an unprecedented jump in spam blasts containing “polymorphic malware,” — malicious software that constantly changes its appearance to evade security software.
Click to expand...

Rmus · Oct 4, 2011

Kreb writes,

It’s not clear what malware family was used in any of these attacks, although the first two mentioned in this story involved a cyber gang that favors the ZeuS Trojan (the fraudulent NACHA messages in the screen shot above contained a malware dropper that installs ZeuS).
Click to expand...

Here is how the attack works:

Security Experts Caution NACHA Members on Zeus Trojan Attack
http://www.pressabout.com/security-experts-caution-nacha-393336/

The spoofed e-mails appear to come from NACHA and contain a Transaction ID. The e-mails seek users to download a file containing Transaction report for ascertaining the reason for rejection. When unsuspecting users download the file, they inadvertently insert Zeus botnet node on their computer systems.
Click to expand...

Kreb continues:

But organizations should understand that these attacks have far more to do with social engineering and tricking humans than with defeating technology and security solutions.
Click to expand...

Well, yes and no.

If the social engineering trick is successful -- that is, if the user clicks to download the Transaction ID file -- if protection is in place to block the installation of a trojan executable -- which is a remote code execution exploit, that is, it runs in the background with the user unaware -- such protection will nullify that part of the exploit.

I don't have a fake NACHA email with the exploit to test, but it took just a couple of minutes to find a current URL serving up the Zeus trojan, using a JAVA exploit, to see how easily a trojan executable can be prevented from installing, with one of many solutions available these days:

Unfortunately, Krebs, like most bloggers on security, confines protection to antivirus detection

Zeustracker.abuse.ch tracks antivirus detection rates for new variants of the ZeuS Trojan. The average detection rate is about 38 percent.
Click to expand...

regards,

-rich

CloneRanger · Oct 4, 2011

Yeah, where would those bloggers be without their sponsered AV "Tests"

HAN · Oct 4, 2011

Thanks for posting about this!

For a very small business, we have had a bunch of these fake ACH emails. As soon as I saw the quantity we were receiving, it waved a big red flag that they were fake. They might have had better social engineering luck if they would have only sent a couple...

Log in or Sign up

Monster Spam Campaigns Lead to Cyberheists

MrBrian Registered Member

Rmus Exploit Analyst

CloneRanger Registered Member

HAN Registered Member

Log in or Sign up

Monster Spam Campaigns Lead to Cyberheists

MrBrian Registered Member

Rmus Exploit Analyst

CloneRanger Registered Member

HAN Registered Member

Useful Searches