Australia's Leading Computer Emergency Response Team
Recent phishing emails from US-CERT addresses.

Date: 11 January 2012


AusCERT has started receiving spam messages purporting to be from US-CERT. These messages appear valid, despite the lack of a PGP signature, and somewhat ironically refer to an investigation into a phishing email incident, complete with a fake incident tracking number. The emails contain a short message about the phishing email and direct the user to a report in an attached file for more information. This attachment is a .zip file containing a .eml.exe file, which in turn contains an infector for the Zeus-bot trojan malware.

To date we have received two separate emails in connection with this spam, one from a .ru domain and one from a .info domain. These two emails are almost identical but do contain different case numbers and a differently named .zip attachment. Both attachments contain a file named “US-CERT Operations Center Report.eml.exe”. Upon execution this file will infect the user with the Zeus-bot trojan malware.
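As an added example (not AusCERT's code), this is the triage a mail gateway or an analyst's script could apply to a message like the ones described above: parse the raw .eml, flag a message that invokes US-CERT but is not sent from us-cert.gov, and flag zip members that are executables or use a double extension such as .eml.exe. The sender address, recipient, subject and zip contents are constructed for the demonstration; the zip member is dummy bytes, not malware.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows will execute; "Report.eml.exe" shows a document-like inner extension but still ends in one.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.(exe|scr|pif|com|bat|cmd|js|vbs)$")

def suspicious_members(zip_bytes):
    """Names inside a zip attachment that are executables or use a double extension."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if DOUBLE_EXT.search(lower) or lower.endswith(EXEC_EXTS):
                hits.append(name)
    return hits

def triage_message(raw):
    """Parse a raw RFC 822 message and return a list of findings (empty means nothing flagged)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = msg.get("From", "")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    # The lure claims a US-CERT identity; flag it unless the From address really is on us-cert.gov.
    if "us-cert" in text.lower() and not re.search(r"@us-cert\.gov>?\s*$", sender, re.I):
        findings.append(f"claims US-CERT identity but From is {sender}")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if fname.lower().endswith(".zip"):
            for member in suspicious_members(part.get_payload(decode=True)):
                findings.append(f"zip {fname} contains executable {member}")
    return findings

def build_sample(member="US-CERT Operations Center Report.eml.exe", sender="soc@example.info"):
    """Constructed sample mimicking the lure (hypothetical sender; the zip member is dummy bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"MZ not-a-real-binary")
    msg = EmailMessage()
    msg["From"] = f"US-CERT Operations Center <{sender}>"
    msg["Subject"] = "Phishing incident PH0000000723968"
    msg.set_content("US-CERT is forwarding the following Phishing email; see attached report.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="report.zip")
    return msg.as_bytes()
```

Running `triage_message(build_sample())` yields two findings: the spoofed US-CERT identity and the double-extension executable inside report.zip.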

Just goes to prove that you should not trust unsolicited emails, even from a CERT.

Cheers,

Angus

The VirusTotal report on the malware attachment:

http://www.virustotal.com/file-scan/report.html?id=293cbbc0549a4139a2c76499845de4943379c12562e99fae16b09353d9713075-1326233226

The Symantec description of the Zeus-bot trojan malware:

http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99

A sample of the spam message:

“US-CERT is forwarding the following Phishing email that we received to the APWG for further investigation and processing. Please check attached report for the details and email source.

US-CERT has opened a ticket and assigned incident number PH0000000723968. As your investigation progresses updates may be sent at your discretion to soc@us-cert.gov and should reference PH0000004914674.

Thank you,
US-CERT Operations Center
888-282-0870
soc@us-cert.gov
http://www.us-cert.gov”