Today, our research team confirmed a massive spam campaign leveraging ZeuS GameOver that is now targeting major banks, social networks, and other enterprises.
How is the spamming taking place?
Hundreds of unsolicited emails impersonating “Broad Oak Toiletries Ltd” are targeting these organizations. To inspire trust, the emails carry the word Invoice followed by a few random numbers in the subject line and pretend to have been scanned by the Symantec Email Security cloud service. In the body of the email, recipients are asked to communicate a payment date for the attached invoice to an account administrator.
The email includes a ZIP archive named ‘Invoice [random number] March 2014.zip’ containing an executable file that poses as a Word document. When opened, the file attempts to download a binary from 55 different URLs. Approximately 35 of these websites are serving up the ZeuS GameOver payload, together with the Narcus rootkit and some ransomware.
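As an added illustration (not code from the original post or from the research team), the following Python triage check scores an inbound message against the lure traits described above: the subject pattern, the fake scanning claim, the attachment name, and, most importantly, an executable hidden inside the ZIP regardless of what the member is named. The regexes, indicator labels, quarantine threshold and sample ZIP contents are assumptions constructed for the example.

```python
import io
import re
import zipfile

# Lure traits from the campaign description: subject "Invoice <numbers>", a fake
# "scanned by Symantec Email Security" claim, and a ZIP named
# "Invoice <number> March 2014.zip" holding an executable posing as a Word document.
SUBJECT_RE = re.compile(r"^\s*Invoice\s+\d+", re.IGNORECASE)
SCAN_CLAIM_RE = re.compile(r"Symantec\s+Email\s+Security", re.IGNORECASE)
ZIP_NAME_RE = re.compile(r"^Invoice\s+\d+\s+March\s+2014\.zip$", re.IGNORECASE)

def executables_in_zip(zip_bytes: bytes) -> list:
    """Names of ZIP members whose content starts with the PE 'MZ' signature.
    The check is on content, so a .doc or .doc.exe name does not hide the binary."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    hits.append(info.filename)
    return hits

def score_invoice_email(subject: str, body: str, attachments: dict) -> dict:
    """Match one message against the lure traits. `attachments` maps filename to
    raw bytes. Returns the indicators that fired and a quarantine/allow verdict."""
    indicators = []
    if SUBJECT_RE.search(subject):
        indicators.append("subject:invoice-number")
    if SCAN_CLAIM_RE.search(body):
        indicators.append("body:fake-scan-claim")
    for name, data in attachments.items():
        if ZIP_NAME_RE.match(name):
            indicators.append("attachment:campaign-zip-name")
        if name.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
            for member in executables_in_zip(data):
                indicators.append("zip-member:pe:" + member)
    # A PE inside an invoice ZIP is decisive on its own; otherwise require the
    # softer lure traits to line up before quarantining (threshold is an assumption).
    has_pe = any(i.startswith("zip-member:pe:") for i in indicators)
    verdict = "quarantine" if has_pe or len(indicators) >= 3 else "allow"
    return {"verdict": verdict, "indicators": indicators}

def build_sample_zip(member: str, payload: bytes) -> bytes:
    """Constructed test attachment for exercising the check; not a campaign artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()
```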
Who’s the target?
We have confirmed that the attack is active against the websites listed on Pastebin here. The list includes USAA, Deutsche Bank, Bank of America, Facebook and Twitter.
What can you do?
Unfortunately, there is little to nothing organizations can do to prevent these attacks from happening, since the spread of the attack is outside their control.
Institutions should scrutinize the online sessions across all of their digital channels (both online and mobile), especially for the targets identified in the Pastebin list.
In addition, banks and other enterprises should increase their visibility into end-user devices, to better assess the health of the devices they are interacting with.
And finally, in events like this, organizations benefit from services that monitor the black markets, so they can quickly determine whether they are an active target and reduce both the time an attack remains effective and the losses it causes.