Trend Micro Malware Blog

    Archive for October 22nd, 2009

    In this most recent spam campaign, our spam traps caught an uncanny combination of a CapitalOne phish and a ZBOT variant. Below is a screenshot of an email sample making the rounds:

    The spam campaign would have you believe that you need to install a digital certificate in order to use CapitalOne’s website. Clicking on the email link brings you to the following site:

    This is the phishing part. After you fill in the required login information, the website conveniently gives you a download link to the supposed digital certificate:

    The download link leads not to a digital certificate but to a ZBOT variant. Running the so-called ‘digital certificate’ installs the notorious ZBOT malware on your system, which then proceeds to log your keystrokes, steal personally identifiable information and, most of all, steal your personal financial information. Trend Micro now detects this ZBOT malware as TROJ_ZBOT.CKA. The above website hosts not only a CapitalOne phish but also a Bank of America phish. Earlier this week, the same group ran another spam campaign, that one pushing a BoA phish:

    The phishing website in that campaign asks a lot of questions, three pages full of them. It basically asks for all of your personal information pertinent to your bank account:

    The websites for both the CapitalOne and Bank of America phishing attacks are hosted on fast flux domains and use wildcarded subdomains, so any hostname under one of these base domains resolves to the phishing content. Here’s a list of some of the domains actually used:

    • 11qioz.co.uk
    • 11qwod.co.uk
    • easder1q.co.uk
    • f1iiitl.com
    • iiizad1z.co.uk
    • ij1tli.com
    • ltiil1.com
    • nekz1mqv.co.uk
    • nezz1cza.co.uk
    • racder1c.net
    • racder1x.com
    • raeder1f.net
    • rarder1g.com
    • raxsder1.com
    • t1fliil.tc
    • tj1fiil.co.nz
    • uunuyr.com
    • yyy1yyrd.co.uk
    • yyy1yyre.co.uk
    • yyy1yyrf.co.uk
    • yyy1yyrg.co.uk
    • yyy1yyrj.co.uk
    • yyy1yyrk.co.uk
    • yyy1yyrl.co.uk
    • yyy1yyrm.co.uk
    • yyy1yyro.co.uk
    • yyy1yyrq.co.uk
    • yyy1yyrr.co.uk
    • yyy1yyru.co.uk
    • yyy1yyrv.co.uk
    • yyy1yyrx.co.uk

    The IP addresses these fast flux domains point to consist of residential broadband IP addresses, suggesting that the machines serving the websites’ contents are compromised residential PCs. The current spam campaigns (digital certificate lure) and their corresponding websites (fast flux, wildcarded subdomains) share the same characteristics as last year’s SSL Certificate spam campaign. A screenshot of last year’s spam campaign is shown below.
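The two hosting traits described above (wildcarded subdomains and fast-flux resolution to many residential IPs) are exactly what a defender can key on. The following script is an added example, not Trend Micro code: it matches hostnames from constructed proxy log lines against the base domains listed in the post so that any subdomain is caught, and it profiles constructed DNS resolution records to flag domains whose answers spread across many distinct IPs and networks with short TTLs. The log lines, DNS answers, IP addresses (TEST-NET ranges) and the thresholds in `is_fast_flux_like` are all constructed for illustration.

```python
"""Defender-side triage for the fast-flux phishing domains listed above.

Added example (not Trend Micro code). Over constructed sample data it
(1) matches log hostnames against the blocklist so that wildcarded
subdomains are still caught, and (2) scores a domain as fast-flux-like
when repeated resolutions return many distinct IPs spread over several
networks with short TTLs. All sample data below is constructed.
"""
from collections import defaultdict
from ipaddress import ip_network

# Base domains taken from the post's list (a subset is enough here).
BLOCKLIST = {
    "11qioz.co.uk", "11qwod.co.uk", "easder1q.co.uk", "f1iiitl.com",
    "iiizad1z.co.uk", "ij1tli.com", "ltiil1.com", "nekz1mqv.co.uk",
    "nezz1cza.co.uk", "racder1c.net", "racder1x.com", "raeder1f.net",
    "rarder1g.com", "raxsder1.com", "t1fliil.tc", "tj1fiil.co.nz",
    "uunuyr.com", "yyy1yyrd.co.uk", "yyy1yyre.co.uk",
}


def matched_base(hostname, blocklist=BLOCKLIST):
    """Return the blocklisted base domain that `hostname` equals or is a
    subdomain of, else None. Labels are walked right-to-left so that a
    wildcarded host such as secure.login.11qioz.co.uk still matches."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


# Constructed proxy log lines: "<timestamp> <client> <host> <path>".
SAMPLE_PROXY_LOG = """\
2009-10-22T09:14:03 10.1.2.7 www.capitalone.com /login
2009-10-22T09:15:41 10.1.2.7 secure.capital-one.11qioz.co.uk /cert/index.php
2009-10-22T09:16:02 10.1.2.7 secure.capital-one.11qioz.co.uk /cert/certificate.exe
2009-10-22T09:20:19 10.1.3.9 boa.yyy1yyrd.co.uk /signin.php
2009-10-22T09:21:00 10.1.4.4 mail.example.org /owa
"""


def flag_log_hits(log_text):
    """Return (client, host, base_domain) for every log line whose host
    falls under a blocklisted base domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash
        base = matched_base(parts[2])
        if base:
            hits.append((parts[1], parts[2], base))
    return hits


# Constructed DNS resolution records: (qname, ttl, [answer IPs]).
SAMPLE_RESOLUTIONS = [
    # fast-flux-like: short TTL and a different pool of IPs on each lookup
    ("11qioz.co.uk", 180, ["198.51.100.12", "203.0.113.45", "192.0.2.77"]),
    ("11qioz.co.uk", 180, ["198.51.100.90", "203.0.113.8", "192.0.2.130"]),
    ("11qioz.co.uk", 120, ["203.0.113.201", "198.51.100.33", "192.0.2.9"]),
    # stable hosting: long TTL and the same answer every time
    ("mail.example.org", 86400, ["192.0.2.1"]),
    ("mail.example.org", 86400, ["192.0.2.1"]),
]


def flux_profile(resolutions):
    """Aggregate per qname: (distinct IPs, distinct /24 networks, min TTL)."""
    ips, nets, min_ttl = defaultdict(set), defaultdict(set), {}
    for qname, ttl, answers in resolutions:
        for addr in answers:
            ips[qname].add(addr)
            nets[qname].add(str(ip_network(f"{addr}/24", strict=False)))
        min_ttl[qname] = min(ttl, min_ttl.get(qname, ttl))
    return {q: (len(ips[q]), len(nets[q]), min_ttl[q]) for q in ips}


def is_fast_flux_like(entry, min_ips=5, min_nets=3, max_ttl=300):
    """Constructed thresholds: many IPs over several networks, short TTL."""
    n_ips, n_nets, ttl = entry
    return n_ips >= min_ips and n_nets >= min_nets and ttl <= max_ttl


if __name__ == "__main__":
    for client, host, base in flag_log_hits(SAMPLE_PROXY_LOG):
        print(f"blocklist hit: {client} -> {host} (base {base})")
    for qname, entry in flux_profile(SAMPLE_RESOLUTIONS).items():
        print(f"{qname}: ips={entry[0]} nets={entry[1]} min_ttl={entry[2]}"
              f" fast_flux_like={is_fast_flux_like(entry)}")
```

Matching on the base domain rather than on exact hostnames is what makes the wildcard trick irrelevant to the blocklist; the flux profile is a coarse heuristic and real TTL and IP-diversity thresholds should be tuned against the resolver logs of the environment in question.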

    It looks as though the same group has reemerged using the same tactic they used last year. Maybe last year’s campaign was successful enough that they are hoping to duplicate the winning formula in the recent spam wave.

    Trend Micro users are now protected from this attack through the Smart Protection Network. Non-users of Trend Micro products, on the other hand, can opt to stay protected by using the eMail ID and Web Protection Add-On.

    Holidays are spammers’ favorite times of the year. After all, besides giving them a theme to focus on, holidays give them additional opportunities to lure more victims into their specially crafted scams. As one of the most celebrated holidays across the globe, it is not surprising that Halloween, which is barely a week away, has been creating a buzz.

    Trend Micro threat analysts got wind of Halloween-related spam samples (see the sample on the right). These offered readers promising opportunities to earn while working from home.

    Clicking the link redirects the user to a site that is now inactive. However, based on Whois.Net’s domain name records, the URLs were only created in August of this year, most probably just for spamming purposes. It is, after all, not uncommon for spammers to register domains for the minimum period allowed in order to further their malicious profiteering activities.

    Users are thus warned not to click links to unknown sites no matter how tempting the offer they put on the table may be. If you’re really interested in getting a legitimate job or a means to earn more, go to a trusted job-search site. Do not trust everything you read on email, especially if you do not know who the email came from.

    Trend Micro Smart Protection Network™ protects users from spamming attacks by blocking unwanted email and preventing user access to malicious sites. Mac users can enjoy the same benefits by using Trend Micro Smart Surfing for Mac.

    Non-users of Trend Micro products can also stay protected from such attacks with free antivirus tools such as eMail ID and Web Protection Add-On.

    © Copyright 2011 Trend Micro Inc. All rights reserved.