Zeus – Exploiting Spear Phishing to Spear Phish

The Zeus crimeware family has moved into new territory with its latest spam campaign – purporting to be a warning about targeted phishing attacks on “.gov” and “.mil” domains, by Zeus Trojans no less!

In fact, one of the latest spam samples we’ve seen duplicates the title and first three paragraphs of a blog entry by well-known security expert Brian Krebs, which discusses a previous iteration of this Zeus attack. As seen below, the spam sample starts off with the same three lines of the blog post before moving into the phony KB content and links that lead to Zeus malware.

[Image: zbot spearphish]

Note that while reports on the initial campaign suggest only “.gov” and “.mil” addresses were targeted, we have seen these later samples from a wider variety of sources. If you were an (un)lucky recipient and followed the link, be sure to scan your system with the Sophos Anti-Rootkit tool (free for download) to detect and remove the threat.