Current Activity - Phishing Campaign Using Spoofed US-CERT Email Addresses
From: Current Activity <us-cert () us-cert gov>
Date: Wed, 11 Jan 2012 17:01:10 -0500
US-CERT Current Activity
Phishing Campaign Using Spoofed US-CERT Email Addresses
Original release date: January 10, 2012 at 2:06 pm
Last revised: January 11, 2012 at 4:58 pm
On January 10, 2012, US-CERT received reports of a phishing campaign
that is spoofing US-CERT email to deliver a variant of the Zeus/Zbot
Trojan known as Ice-IX. This campaign appears to be targeting a large
number of private sector organizations as well as federal, state, and
local governments.
US-CERT advises that users do not open the email or any of the
attachments and promptly delete the email from their inboxes.
Reports indicate that SOC () US-CERT GOV is the primary email address
being spoofed, but other invalid email addresses are also being used.
The subject of the phishing email is: "Phishing incident report call
number: PH000000XXXXXXX" with the "X" containing an incident report
number that varies.
The attached zip file is titled "US-CERT Operation Center Report
XXXXXXX.zip", with "X" indicating a random value or string. The zip
attachment contains an executable file with the name "US-CERT
Operation CENTER Reports.eml.exe", which is a variant of the Zeus/Zbot
Trojan known as Ice-IX.
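The indicators above (spoofed sender, subject pattern, zip attachment name and the double-extension executable inside the zip) can be checked mechanically at a mail gateway. The following is an added example, not part of the US-CERT advisory; the sample message it builds is constructed here and the zip member holds placeholder bytes, not the malware.

```python
import io
import re
import zipfile
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory text.
SPOOFED_SENDER = "soc@us-cert.gov"
SUBJECT_RE = re.compile(r"^Phishing incident report call number:\s*PH\d+", re.I)
ZIP_NAME_RE = re.compile(r"^US-CERT Operation Center Report .+\.zip$", re.I)
INNER_EXE_RE = re.compile(r"\.eml\.exe$", re.I)  # double extension hides the .exe

def check_message(raw: bytes) -> list[str]:
    """Return the advisory indicators matched by a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if SPOOFED_SENDER in (msg.get("From") or "").lower():
        hits.append("spoofed-sender")
    if SUBJECT_RE.search(msg.get("Subject") or ""):
        hits.append("subject-pattern")
    for part in msg.iter_attachments():
        if ZIP_NAME_RE.match(part.get_filename() or ""):
            hits.append("zip-name")
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"PK":  # zip magic; inspect member names without extracting
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        if INNER_EXE_RE.search(member):
                            hits.append("double-extension-exe:" + member)
            except zipfile.BadZipFile:
                hits.append("corrupt-zip")
    return hits

def build_sample() -> bytes:
    """Constructed sample reproducing the lure described in the advisory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("US-CERT Operation CENTER Reports.eml.exe", b"placeholder bytes")
    m = EmailMessage()
    m["From"] = "US-CERT SOC <SOC@US-CERT.GOV>"
    m["Subject"] = "Phishing incident report call number: PH0000001234567"
    m.set_content("See attached report.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="US-CERT Operation Center Report 1234567.zip")
    return m.as_bytes()

if __name__ == "__main__":
    print(check_message(build_sample()))
```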
Ice-IX is a slightly modified version of the 2.0.8.9 source code that
was publicly released last year. Details of the malware were obtained
via third-party reporting and reveal a fast-flux hosting
infrastructure known as the Avalanche botnet, with callback to
domains located in Russia.
US-CERT encourages users to do the following to reduce the risks
associated with this and other phishing campaigns.
* Do not open the attachments in email messages from unknown
sources.
* Install anti-virus software and keep virus signature files up to
date.
* Refer to the Recognizing and Avoiding Email Scams (pdf) document for
more information on avoiding email scams.
* Refer to the Avoiding Social Engineering and Phishing Attacks
document for information on social engineering attacks.
* Refer to Recovering from Viruses, Worms, and Trojan Horses
document for additional information on how to recover from
malware.
Relevant URL(s):
<http://www.us-cert.gov/cas/tips/ST04-014.html>
<http://www.us-cert.gov/cas/tips/ST05-006.html>
<http://www.us-cert.gov/reading_room/emailscams_0905.pdf>
====
This entry is available at
http://www.us-cert.gov/current/index.html#phishing_campaign_using_spoofed_us