CERT mailing list archives
Current Activity - Phishing Campaign Using Spoofed US-CERT Email Addresses
From: Current Activity <us-cert () us-cert gov>
Date: Wed, 11 Jan 2012 17:01:10 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

US-CERT Current Activity

Phishing Campaign Using Spoofed US-CERT Email Addresses

Original release date: January 10, 2012 at 2:06 pm
Last revised: January 11, 2012 at 4:58 pm

On January 10, 2012, US-CERT received reports of a phishing campaign that is spoofing US-CERT email to deliver a variant of the Zeus/Zbot Trojan known as Ice-IX. This campaign appears to be targeting a large number of private sector organizations as well as federal, state, and local governments. US-CERT advises that users do not open the email or any of the attachments and promptly delete the email from their inboxes.

Reports indicate that SOC () US-CERT GOV is the primary email address being spoofed, but other invalid email addresses are also being used.

The subject of the phishing email is: "Phishing incident report call number: PH000000XXXXXXX", with the "X" containing an incident report number that varies. The attached zip file is titled "US-CERT Operation Center Report XXXXXXX.zip", with "X" indicating a random value or string. The zip attachment contains an executable file with the name "US-CERT Operation CENTER Reports.eml.exe", which is a variant of the Zeus/Zbot Trojan known as Ice-IX.

Ice-IX is a slightly modified version of the 2.0.8.9 source code that was publicly released last year. Details of the malware were obtained via third-party reporting and reveal a fast-flux hosting infrastructure known as the Avalanche bot-net, with callback to domains located in Russia.

US-CERT encourages users to do the following to reduce the risks associated with this and other phishing campaigns:

* Do not open the attachments in email messages from unknown sources.
* Install anti-virus software and keep virus signature files up to date.
* Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
* Refer to the Avoiding Social Engineering and Phishing Attacks document for information on social engineering attacks.
* Refer to the Recovering from Viruses, Worms, and Trojan Horses document for additional information on how to recover from malware.

Relevant Url(s):
<http://www.us-cert.gov/cas/tips/ST04-014.html>
<http://www.us-cert.gov/cas/tips/ST05-006.html>
<http://www.us-cert.gov/reading_room/emailscams_0905.pdf>

====
This entry is available at http://www.us-cert.gov/current/index.html#phishing_campaign_using_spoofed_us

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBTw4Gnj/GkGVXE7GMAQLTpAf9EIRXRSJuuzWIOYCQdOKWYvaf2OD2s1wr
cwYkh/KfyR/5IRB0D+TIzgkuPOHRglbbTq9ImtArzpOYHFz7ueiUfk35uwWrlYwq
u65Yf4MfGxY+537edW1MxDhFncVm1UZkH0OnxVVblvCmgKRV5/vRrS2JGVgxTgky
9IE6PjRJ4jw4sWIFZUCjgWi+B7KxmAAJo3bQK95oW18Bhe+H30Ro6pRfxWKQY6s3
+d0M3aDw/u7YSsHFXQznEM2rVsGO93pefP/vL/arXzMeHinNa320U5LkwijNjhTg
Jqif0oJCrCJRZl6O003g54mcnaqb4tPWaG+W6pYxsshsdUU0eHR32g==
=YY3X
-----END PGP SIGNATURE-----
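The indicators the advisory gives (a spoofed SOC@US-CERT.GOV sender, the "Phishing incident report call number: PH..." subject, the "US-CERT Operation Center Report ....zip" attachment, and the double-extension "Reports.eml.exe" executable inside it) are enough to build a mail-gateway triage check. The script below is an added example, not US-CERT's code or any tool named in the advisory. The two messages it builds are constructed for the demonstration (the zip holds a harmless text stub under the reported payload name, not the Trojan), and the function names (analyze, executables_in_zip, build_sample, build_benign) and the Authentication-Results check, which assumes the receiving MTA stamps SPF results, are assumptions of this example.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List

# Indicators taken from the advisory: spoofed sender, subject pattern,
# attachment name and the double-extension executable inside the zip.
SPOOFED_SENDERS = {"soc@us-cert.gov"}
CLAIMED_DOMAIN = "us-cert.gov"
SUBJECT_RE = re.compile(r"^Phishing incident report call number:\s*PH\d+", re.I)
ATTACHMENT_RE = re.compile(r"^US-CERT Operation Center Report .*\.zip$", re.I)
EXECUTABLE_RE = re.compile(r"\.(exe|scr|com|bat|pif)$", re.I)
# "document.eml.exe" style names: a document extension hiding an executable one
DOUBLE_EXT_RE = re.compile(r"\.(eml|pdf|doc|docx|txt)\.(exe|scr|com|bat|pif)$", re.I)


def executables_in_zip(data: bytes) -> List[str]:
    """List zip members whose name ends in an executable extension.
    Only the central directory is read; nothing is extracted or run."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if EXECUTABLE_RE.search(n)]
    except zipfile.BadZipFile:
        return []


def analyze(raw: bytes) -> List[str]:
    """Return the campaign indicators found in one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    _, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    if addr in SPOOFED_SENDERS:
        hits.append(f"sender impersonates {addr}")
    # Assumption: the receiving MTA adds Authentication-Results; a From header
    # claiming us-cert.gov without a passing SPF result is treated as spoofed.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if addr.endswith("@" + CLAIMED_DOMAIN) and "spf=pass" not in auth:
        hits.append(f"no passing SPF result for claimed {CLAIMED_DOMAIN} sender")

    if SUBJECT_RE.match(str(msg.get("Subject", ""))):
        hits.append("subject matches campaign pattern")

    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if ATTACHMENT_RE.match(fname):
            hits.append(f"attachment name matches campaign: {fname}")
        if fname.lower().endswith(".zip"):
            for member in executables_in_zip(part.get_payload(decode=True)):
                hits.append(f"zip contains executable: {member}")
                if DOUBLE_EXT_RE.search(member):
                    hits.append(f"double extension disguises executable: {member}")
    return hits


def build_sample() -> bytes:
    """Constructed message mimicking the reported campaign. The zip holds a
    harmless text stub under the reported payload name, not the Trojan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("US-CERT Operation CENTER Reports.eml.exe", b"stub, not a PE file")
    msg = EmailMessage()
    msg["From"] = "US-CERT SOC <SOC@US-CERT.GOV>"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Phishing incident report call number: PH0000001234567"
    msg.set_content("Please review the attached incident report.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="US-CERT Operation Center Report 1234567.zip")
    return msg.as_bytes()


def build_benign() -> bytes:
    """Constructed ordinary message that should produce no hits."""
    msg = EmailMessage()
    msg["From"] = "Alice <alice@example.net>"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Lunch tomorrow?"
    msg.set_content("Noon at the usual place?")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("sample", build_sample()), ("benign", build_benign())):
        print(label, analyze(raw) or ["clean"])
```

The name-based rules are campaign-specific and will age, which is why the check also flags the two properties that outlive any one campaign: a claimed sender domain without a passing SPF result, and an archive whose member carries an executable extension behind a document-like one. Run it against messages pulled from quarantine rather than on a live inbox, and never extract the archive members to disk.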