In this most recent spam campaign, our spam traps caught an uncanny combination of a CapitalOne phish and a ZBOT variant. Below is a screenshot of an email sample making the rounds:
The spam campaign would have you believe that you would need to install a Digital Certificate in order to use CapitalOne’s website. Clicking on the email link brings you to the following site:
This is the phishing part. After filling in the required login information, the website now conveniently gives you a download link to the supposedly digital certificate:
The download link will lead you not to a digital certificate, but to a ZBOT variant. Running the so-called ‘digital certificate’ will only install the notorious ZBOT malware into your system, and will proceed to log your keystrokes, steal personally-identifiable information, and most especially, steal your personal financial information. Trend Micro now detects the said ZBOT malware as TROJ_ZBOT.CKA.
The above website does not only host a CapitalOne phish, but also a Bank of America phish. Earlier this week, the same group also had a spam campaign, but was pushing a BoA phish:
The phishing website in that campaign asks a lot of questions–three pages full of these. It basically asks all of your personal information pertinent to your banking account:
| 
|  |
The websites for both the CapitalOne and Bank of America phishing attacks are all hosted on fast flux domains, and uses wildcarded subdomains. Here’s a list of some of the domains actually used:
- 11qioz.co.uk
- 11qwod.co.uk
- easder1q.co.uk
- f1iiitl.com
- iiizad1z.co.uk
- ij1tli.com
- ltiil1.com
- nekz1mqv.co.uk
- nezz1cza.co.uk
- racder1c.net
- racder1x.com
- raeder1f.net
- rarder1g.com
- raxsder1.com
- t1fliil.tc
- tj1fiil.co.nz
- uunuyr.com
- yyy1yyrd.co.uk
- yyy1yyre.co.uk
- yyy1yyrf.co.uk
- yyy1yyrg.co.uk
- yyy1yyrj.co.uk
- yyy1yyrk.co.uk
- yyy1yyrl.co.uk
- yyy1yyrm.co.uk
- yyy1yyro.co.uk
- yyy1yyrq.co.uk
- yyy1yyrr.co.uk
- yyy1yyru.co.uk
- yyy1yyrv.co.uk
- yyy1yyrx.co.uk
The IP addresses these fast flux domains point to are comprised of residential broadband IP addresses, suggesting that the machines serving the websites’ contents are hosted on compromised residential PCs.
The current spam campaigns (digital certificate lure) and its corresponding websites (fast flux, wildcarded subdomains) share the same characteristics like last year’s SSL Certificate spam campaign. A screenshot of last year’s spam campaign is shown below.
Trend Micro users are now protected from this attack through the Smart Protection Network. Non-users of Trend Micro producs, on the other hand, can opt to stay protected by using the eMail ID and Web Protection Add-On.
Post from: TrendLabs | Malware Blog - by Trend Micro
ZBOT and a CapitalOne Phish
