    Oct 27, 11:06 pm (UTC-7)

    Trend Micro researchers recently found spam emails crafted to appear to come from the Federal Deposit Insurance Corporation (FDIC). The message tells recipients to visit the “official” FDIC website (a link is provided in the email) to check their deposit insurance coverage.


    However, clicking the URL leads users to a fake FDIC website where they are asked to download a document file, which is actually an .EXE file detected by Trend Micro as TSPY_ZBOT.AZH.

    TSPY_ZBOT.AZH first downloads a configuration file containing a list of URLs to monitor, mostly social networking and banking-related websites. Once the user visits any of the listed sites, it starts logging keystrokes to steal information such as account credentials. This compromises the user’s accounts and leaves them available to the cybercriminals for later use.

    Here’s a list of domains used in this spam wave:

    • h1erfae.eu
    • h1erfai.eu
    • h1erfaj.eu
    • h1erfaq.eu
    • h1erfar.eu
    • h1erfat.eu
    • h1erfau.eu
    • h1erfaw.eu
    • h1erfay.eu
    • milki1a.co
    • milki1a.me
    • milki1e.me
    • milki1g.me
    • milki1i.co
    • milki1l.co
    • milki1y.me
    • nyuh1awa.eu
    • nyuh1awb.eu
    • nyuh1awc.eu
    • nyuh1awd.eu
    • nyuh1awf.eu
    • nyuh1awg.eu
    • nyuh1awh.eu
    • nyuh1awm.eu
    • nyuh1aws.eu
    • nyuh1awt.eu
    • nyuh1awv.eu
    • nyuh1awx.eu
    • tt1qwa1.eu
    • tt1qwa1.me
    • tt1qwae.eu
    • tt1qwae.me
    • tt1qwaq.co.uk
    • tt1qwaq.eu
    • tt1qwaq.me.uk
    • tt1qwar.co.uk
    • tt1qwar.eu
    • tt1qwar.me.uk
    • tt1qwat.co.uk
    • tt1qwat.eu
    • tt1qwat.me.uk
    • yh1qab.eu
    • yh1qab.me.uk
    • yh1qak.co.uk
    • yh1qak.eu
    • yh1qak.me.uk
    • yh1qal.eu
    • yh1qao.eu
    • yh1qao.me.uk
    • yh1qaz.me.uk

    According to Advanced Threats Researcher Joey Costoya, the brains behind this spam attack are the same cybercriminals responsible for other spam campaigns like the CapitalOne phishing attack and the Outlook update spam.

    He explained that the characteristics of the domains (fast-flux hosting and character patterns), the URLs (wildcarded subdomains, long URLs), and the binaries (Zeus) used in the FDIC spam closely resemble those of the spam waves mentioned above.
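    The character patterns Costoya describes are visible in the domain list above: every domain is a fixed stem plus one varying character, with a handful of TLDs per family, and the wildcarded subdomains mean any hostname under those domains resolves. The following Python is an added example (not Trend Micro’s tooling or anything from the original post) that derives one regular expression per family from the listed domains and checks hostnames from constructed proxy-log URLs against them. It goes one step beyond the list itself by flagging sibling domains that share a stem even when they were never listed. The sample URLs, the assumption that any subdomain depth may precede the domain, and the three-member threshold before a family is generalized are all the example’s own choices.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Domains from the spam wave as listed in the post above.
IOC_DOMAINS = [
    "h1erfae.eu", "h1erfai.eu", "h1erfaj.eu", "h1erfaq.eu", "h1erfar.eu",
    "h1erfat.eu", "h1erfau.eu", "h1erfaw.eu", "h1erfay.eu",
    "milki1a.co", "milki1a.me", "milki1e.me", "milki1g.me", "milki1i.co",
    "milki1l.co", "milki1y.me",
    "nyuh1awa.eu", "nyuh1awb.eu", "nyuh1awc.eu", "nyuh1awd.eu", "nyuh1awf.eu",
    "nyuh1awg.eu", "nyuh1awh.eu", "nyuh1awm.eu", "nyuh1aws.eu", "nyuh1awt.eu",
    "nyuh1awv.eu", "nyuh1awx.eu",
    "tt1qwa1.eu", "tt1qwa1.me", "tt1qwae.eu", "tt1qwae.me", "tt1qwaq.co.uk",
    "tt1qwaq.eu", "tt1qwaq.me.uk", "tt1qwar.co.uk", "tt1qwar.eu", "tt1qwar.me.uk",
    "tt1qwat.co.uk", "tt1qwat.eu", "tt1qwat.me.uk",
    "yh1qab.eu", "yh1qab.me.uk", "yh1qak.co.uk", "yh1qak.eu", "yh1qak.me.uk",
    "yh1qal.eu", "yh1qao.eu", "yh1qao.me.uk", "yh1qaz.me.uk",
]

# Constructed proxy-log URLs (not from the post): two listed domains, one
# unlisted sibling of a listed family, and two hosts that must not match.
SAMPLE_URLS = [
    "http://www.fdic.gov/deposit/deposits/insured/",
    "http://www.fdic-insurance.h1erfae.eu/deposit/insurance/coverage/check/index.php?id=7731",
    "http://secure.yh1qaa.eu/fdic/coverage/",         # sibling: stem yh1qa + 'a', never listed
    "http://tt1qwat.me.uk/fdic/deposit_insurance.exe",
    "http://milki1a.org/",                              # listed stem, but a TLD the family never used
]


def build_family_patterns(domains, min_members=3):
    """Group domains by stem (registered label minus its last character) and
    return one compiled regex per stem.

    A family with at least ``min_members`` listed domains is generalized so
    that any single trailing character matches; a smaller family matches only
    the trailing characters actually observed, to limit false positives."""
    families = defaultdict(list)
    for domain in domains:
        label, _, suffix = domain.lower().partition(".")
        families[label[:-1]].append((label[-1], suffix))

    patterns = {}
    for stem, members in families.items():
        suffixes = sorted({suffix for _, suffix in members})
        if len(members) >= min_members:
            tail = r"[a-z0-9]"
        else:
            tail = "[" + "".join(re.escape(c) for c in sorted({c for c, _ in members})) + "]"
        # The leading group allows any subdomain depth (the campaign's wildcard DNS).
        patterns[stem] = re.compile(
            r"^(?:[a-z0-9-]+\.)*"
            + re.escape(stem) + tail
            + r"\.(?:" + "|".join(re.escape(s) for s in suffixes) + r")$"
        )
    return patterns


def classify_host(host, patterns):
    """Return the family stem that ``host`` falls into, or None."""
    host = host.lower().rstrip(".")
    for stem, pattern in patterns.items():
        if pattern.match(host):
            return stem
    return None


def scan_urls(urls, patterns):
    """Return (url, host, stem) for every URL whose host falls into a family."""
    hits = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        stem = classify_host(host, patterns)
        if stem is not None:
            hits.append((url, host, stem))
    return hits


if __name__ == "__main__":
    families = build_family_patterns(IOC_DOMAINS)
    for stem, pattern in sorted(families.items()):
        print(f"{stem:<8} {pattern.pattern}")
    for url, host, stem in scan_urls(SAMPLE_URLS, families):
        print(f"HIT  family={stem:<8} host={host:<35} {url}")
```

    Run against the constructed URLs, the script flags the two listed domains and the unlisted sibling secure.yh1qaa.eu, and ignores fdic.gov and milki1a.org. The threshold matters: generalizing a stem from only one or two observed domains would turn a short string plus any character into a block rule, so small families stay exact.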

    As we always say, do not open unsolicited or suspicious-looking emails such as the one shown above. Trend Micro customers are protected from this threat by the Smart Protection Network. Those who are not Trend Micro customers can use HouseCall, Trend Micro’s on-demand scanner, to identify and remove viruses, Trojans, worms, unwanted browser plugins, and other malware.
