Reports that a malware distribution campaign designed to spread the infamous Zeus malware - aka Zbot - is an interesting twist on the long-running evolution of the malware, says SecurEnvoy.
According to Andrew Kemshall, CTO with the multi-factor authentication specialist, Zeus has been more commonly associated with online banking session hijacks, so to hear that a new campaign to spread the malware by tapping fears surrounding the RSA SecurID authentication technology is a new attack vector.
"RSA's hack of earlier this year was clearly mishandled by the company, as users of SecurID had to wait almost two weeks before they knew anything other than the fact that RSA's servers had been seriously hacked," he said. "Furthermore, large numbers of SecurID users are reportedly waiting for the distribution of new hardware tokens, a process that could take a great deal of time to complete," he added. The SecurEnvoy CTO went on to say that this distribution campaign for Zeus plagues on the fears of SecurID's security issues by warning them of security vulnerability that requires immediate patching using downloaded software.
And to make the emails look more genuine, the hackers behind the latest Zeus campaign claim that the messages come from the National Security Agency in the US, amongst other sources. This, he explained, encourages users of SecurID to click on the URL in the email to download the required security patch - a process that a small minority of users, perhaps worried for the sanctity of their SecurID tokens, may do instinctively, he explained. The link in the fake lures then triggers a download of Zeus, as well as other malware that can cause security problems for the user whose machine that is being targeted.
What this shows, says Kemshall, is that users of SecurID have become potential targets for this specialist phishing technique - which his research team are calling Zishing - as a direct result of the poor way in which RSA handled news of its servers being hacked, resulting in their having to wait around 10 days to get official confirmation that the RSA servers had been compromised. "Regardless of what this new attack vector is being called, the reality is that there a sizeable minority of SecurID users who are sufficiently worried about the widely-publicised hack of earlier this year, and who will click on the relevant URL as a result," he said. "The success of this Zishing attack vector is the direct result of RSA inadequate and belated response to news of a break-in to its servers. Had the firm launched a better response as soon as the incident took place, then this infection campaign would not have any effect on users at all. It might also not have happened at all," he added.