Zeus malware distributed through browser warning: social engineering at
its finest
Dec 5, 2014
Zeus malware continues to plague the Internet with distributions through
spam emails and embeds in compromised corners of the web – all designed
to exploit unsuspecting consumers. PhishLabs' R.A.I.D. (Research
Analysis and Intelligence Division) recently observed the Zeus malware
being distributed through an alarmingly convincing browser warning that
prompts viewers to download and “restore settings.”
Figure 1 (below) shows the browser warning which is designed to
manipulate viewers so that they believe the alert is based on security
preferences that he or she has previously set up. The message creates a
sense of urgency and fear, warning of “unusual activity.” The path of
origin for how victims encounter this browser message is still under
investigation by the PhishLabs R.A.I.D.
---------------
"The path of origin for how victim's encounter this browser
message is still under investigation..."
What a load of bull####. Just look at the garbage pile of
outgoing servers that you browser is being asked to contact
during a typical browsing session and it's no wonder that
hackers can hijack the DNS entries or even the servers
for those ad-servers, beacons and click-trackers and cause
these spurious warnings to scare people into clicking
what the hackers want them to click.
What exactly is being done by the various anti-junk programs
to completely eliminate this garbage content from a user's
browsing experience? I'll tell you -> nothing. Because
of the vested interest the industry has in making sure
your browser keeps accessing all those junky hosts so
that you are properly identified, tracked, and monetized.
Bottom line:
It's called a HOSTS file people. Use it.
---------------
Another observation that differentiates this malicious prompt from
others is the language usage and spelling. Generally speaking, grammar
and spelling are often indicators of fake or malicious requests that
lead to malware but cybercriminals have caught on to this vulnerability
and stepped up their game. Although it is not perfect, the warning
observed in this case was much more accurate than what we usually see.
The warning states:
"REPORTED BROWSER ONLINE DOCUMENT FILE READER WARNING”
We have detected unusual activities on your browser and the Current
Online Document File Reader has been blocked base on your security
preferences. It is recommended that you update to the latest version
available in order to restore your settings and view Documents."
=================
http://info.phishlabs.com/hs-fs/hub/326665/file-2183047529-png/blog-files/Zeus_
Browser_Warning.png
Figure 1. Browser warning leading to Zeus malware download.
==================
The fake browser warning requires the user to click the "Download and
Install" button. Once clicked, the victim is redirected to a site that
downloads the Zeus executable (Zbot) malware.
The R.A.I.D was able to track the malware back to the Zeus control
panel, shown in Figure 2.
==================
http://info.phishlabs.com/hs-fs/hub/326665/file-2184127607-png/blog-files/Zeus_
Control_Panel..png
Figure 2. Zeus (Zbot) malware control panel.
===================
Web users should be on the lookout for this kind of social engineering
that capitalizes on fear and misleads users to believe the alert is
showing up based on user-defined preferences. Zeus is a dangerous
malware that continues to be distributed through sophisticated avenues.
In the past, Zeus infections have led to exploitation of machines,
making them part of a botnet, as well as bank account takeovers and
fraud. Please stay tuned – we will post more information as our R.A.I.D.
further investigates the threat.
http://blog.phishlabs.com/zeus-malware-distributed-through-browser-warning-soci
al-engineering-at-its-finest
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
|