Trend Micro researchers recently found spam emails crafted to appear to come from the Federal Deposit Insurance Corporation (FDIC). The message tells recipients to visit the “official” FDIC website (via a link provided in the email) to check their deposit insurance coverage.
Clicking the link, however, leads to a fake FDIC website where users are asked to download what is presented as a document file but is actually an .EXE file, detected by Trend Micro as TSPY_ZBOT.AZH.
TSPY_ZBOT.AZH first downloads a configuration file containing a list of URLs it will monitor, mostly social networking and banking-related websites. Once the user accesses any of the listed sites, it begins logging keystrokes to steal information such as account credentials. This effectively compromises the user’s account and makes it available for the cybercriminals’ future use.
Here’s a list of domains used in this spam wave:
According to Advanced Threats Researcher Joey Costoya, the brains behind this spam attack are the same cybercriminals responsible for other spam campaigns like the CapitalOne phishing attack and the Outlook update spam.
He explained that the characteristics of the domains (fast-flux behavior and character patterns), URLs (wildcarded subdomains, long URLs), and binaries (Zeus) used in the FDIC spam are similar to those seen in the spam waves mentioned above.
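The indicators listed above (a spoofed brand in the hostname, wildcarded subdomains, long URLs, an executable posing as a document, fast-flux DNS) can be turned into a simple triage script for proxy and DNS logs. The following is an added example written for this page, not Trend Micro’s own tooling; the thresholds, the trusted domain list (only fdic.gov), the .test hostnames, and the log lines are all constructed for illustration.

```python
"""Heuristic triage of URLs seen in a web-proxy log, scoring the indicators
this post attributes to the FDIC spam wave: a spoofed brand name in the
hostname, deep (wildcarded) subdomains, long URLs, an executable posing as a
document, plus a fast-flux check on DNS observations. Added example, not
Trend Micro's own tooling; thresholds, domain names and log lines are
constructed for illustration."""
from collections import defaultdict
from urllib.parse import urlparse

LEGIT_DOMAINS = {"fdic.gov"}            # assumption: the only trusted FDIC domain
BRAND_TOKENS = ("fdic",)                # strings a lure would put in the hostname
EXEC_EXT = (".exe", ".scr", ".pif", ".com")
DOC_EXT = (".doc", ".pdf", ".xls")


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); enough for the gTLDs used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_url(url: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for one URL; higher means more lure-like."""
    p = urlparse(url)
    host = p.hostname or ""
    path = p.path.lower()
    score, reasons = 0, []
    if any(t in host for t in BRAND_TOKENS) and registrable_domain(host) not in LEGIT_DOMAINS:
        score += 3
        reasons.append("brand token in hostname outside legitimate domain")
    if host.count(".") >= 3:             # e.g. www.fdic.gov.<throwaway>.<tld>
        score += 1
        reasons.append("deep/wildcarded subdomain")
    if len(url) > 75:
        score += 1
        reasons.append("long URL")
    if path.endswith(EXEC_EXT):
        score += 2
        reasons.append("executable download")
        if path[: path.rfind(".")].endswith(DOC_EXT):
            score += 2
            reasons.append("double extension posing as a document")
    return score, reasons


def triage_log(log_text: str, threshold: int = 4) -> list[tuple[str, int, list[str]]]:
    """Parse 'timestamp client method url' lines; keep URLs scoring at/above threshold."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        score, reasons = score_url(parts[3])
        if score >= threshold:
            hits.append((parts[3], score, reasons))
    return hits


def fast_flux_domains(dns_obs, min_ips: int = 5, max_ttl: int = 300) -> set[str]:
    """dns_obs: (qname, answer_ip, ttl) tuples. Flag registrable domains that
    answer with many distinct IPs at short TTLs, the fast-flux pattern."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for qname, ip, ttl in dns_obs:
        reg = registrable_domain(qname)
        ips[reg].add(ip)
        ttls[reg].append(ttl)
    return {d for d in ips if len(ips[d]) >= min_ips and max(ttls[d]) <= max_ttl}


# Constructed sample data (not real observations from the campaign).
SAMPLE_PROXY_LOG = """\
2009-10-05T10:12:01 10.0.0.7 GET http://www.fdic.gov/deposit/deposits/insured/index.html
2009-10-05T10:13:44 10.0.0.7 GET http://www.fdic.gov.secure-coverage.test/deposit/insurance/coverage/
2009-10-05T10:13:59 10.0.0.7 GET http://www.fdic.gov.secure-coverage.test/deposit/insurance/coverage/verify/Deposit_Coverage_Report.pdf.exe
2009-10-05T10:15:02 10.0.0.9 GET http://intranet.example.com/docs/policy.doc
"""
SAMPLE_DNS = [("www.fdic.gov.secure-coverage.test", f"198.51.100.{i}", 120) for i in range(1, 8)]
SAMPLE_DNS += [("www.fdic.gov", "192.0.2.10", 3600), ("www.fdic.gov", "192.0.2.11", 3600)]

if __name__ == "__main__":
    for url, score, reasons in triage_log(SAMPLE_PROXY_LOG):
        print(f"{score:2d} {url}\n    {', '.join(reasons)}")
    print("fast-flux:", fast_flux_domains(SAMPLE_DNS))
```

On the constructed log, the genuine fdic.gov page and the intranet document score 0, the lure page scores 4 on the brand-outside-legitimate-domain and deep-subdomain checks alone, and the “document” download scores 9 once the .pdf.exe double extension is counted; the throwaway domain is also flagged as fast-flux because it resolves to seven addresses at a 120-second TTL. The registrable-domain helper is deliberately naive (it would mis-split co.uk-style suffixes), so a real deployment should use a public-suffix list.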
As always, do not open unsolicited or suspicious-looking emails such as the one described above. Trend Micro customers are protected from this threat by the Smart Protection Network. Those who do not use Trend Micro products can use HouseCall, Trend Micro’s on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.