by Dave Michmerhuizen & Luis Chapetti – Security Researchers
When criminals use computers to steal money, they don't usually go after private individuals. The average person doesn't keep a sizable sum in retail banking account, and they are protected by law, so banks keep relatively close watch for unusual activity affecting personal accounts.
Instead, most computer criminals target commercial banking accounts. Not only do small and medium sized business accounts carry much heftier balances, banks transfer more risk onto those balances. To quote the New York Times, “[business] owners often assume incorrectly that the protection they have on personal bank accounts applies to their business accounts. Many are shocked to learn that most banks do not take responsibility for unauthorized debits from business accounts.”
Computer criminals are well aware of all this, and when they send out malicious spam more often than not, it is made to attract the attention of small business owners and employees. Getting malware installed on the right business computer can can result in a huge payoff for the crooks. One of the most common, best targeted and most damaging families of malware is Zeus, a credential stealer that silently relays user account names and passwords back to criminals who use that information to carry out bank theft.
We're going to show you some examples of how Zeus distributors craft their messages to pique the interest of business people, along with some advice about what not to do.
The subjects of these emails tend to be about sales, orders, invoices and payments. Interesting stuff, sure to attract the attention of anyone trying to do business today. None of these are legitimate, instead they all carry a dangerous payload.
Here is a gallery of samples, the sort of thing to treat gingerly if they appear in your inbox. Click on any message to see it full size
The wording is always just a bit vague, probably because these emails aren't intended to convey any real information, they're designed to spark users curiosity and make them to wonder about the contents.
If users drop their guard and open the attached .zip file they will find an executable program to run. You should never, ever proceed beyond this step. In fact, Windows will ask users to confirm that they know what they are doing.
If a user does press run, nothing seems to happen. There is no order, no payment, no inquiry. They are left looking at the email wondering what happened.
What happened is Zeus, it has installed and is quietly camped out inside their web browser, watching the pages that go by and selecting any usernames and passwords supplied by logging into important sites. Every so often it sends a message to a remote web site passing along what it has found.
Zeus network traffic – (click for full size image)
Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails. Barracuda Web Filters and the Barracuda Web Security Flex service stop the download of these threats.