By Andrew Brandt
As the reign of nuisance by Trojan-Backdoor-Zbot continues, the latest scam invites victims to review a “transaction report” on a page supposedly on the Web site of the American Bankers Association, or ABA.
(I wouldn’t want to call it a reign of terror; that might give the Zbot authors an inflated sense of their own importance. Zbot is like a wasp buzzing around the picnic table, and deserves a good, sharp smack, preferably with a shoe.)
The “report” is, of course, an installer for this Trojan. The scam is virtually identical to ones we’ve seen where the scammer sets up Web sites in the guise of notable organizations such as the IRS, CDC, and Visa, software programs like AOL Instant Messenger and Microsoft Outlook, or Web sites such as Facebook.
As in the previous scams of this ilk, the URL that victims click includes the victim’s email address; that email address appears within the fake page, along with a bogus transaction ID and an outrageously large Amount of transaction — all information that’s designed to inspire a sense of panic and urgency in the victim, leading the victim to click the “generate transaction” link on the page and infect a computer with the Trojan.
The authors are using so-called fast flux techniques, returning up to 15 separate IP addresses each time the bogus domain names are looked up in DNS, to ensure the malicious domains remain active as long as possible. They’re also using a wider variety of top-level domains with the campaign, including the unusual .vc, which is assigned to the archipelago of St. Vincent and the Grenadines.
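One way to spot the fast-flux pattern described above in resolver or passive-DNS logs, as an added example that is not from the original post: it flags names whose answers carry many A records, span several networks, and keep introducing new addresses on repeat lookups. The thresholds, the /24 grouping, and the sample names and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network

# Assumed thresholds for this illustration; tune them against your own logs.
MIN_RECORDS_PER_ANSWER = 5   # A records in a single response
MIN_NETWORKS = 3             # distinct /24s seen across all responses
MIN_NEW_PER_REPEAT = 1.0     # average previously unseen IPs per repeat lookup

# Constructed sample log: reserved .example names, documentation address ranges.
SAMPLE = [
    ("report.bank-alert.example", ["192.0.2.10", "192.0.2.77", "198.51.100.4", "198.51.100.90", "203.0.113.8"]),
    ("report.bank-alert.example", ["192.0.2.31", "198.51.100.4", "198.51.100.200", "203.0.113.8", "203.0.113.61"]),
    ("report.bank-alert.example", ["192.0.2.120", "192.0.2.77", "198.51.100.17", "203.0.113.99", "203.0.113.150"]),
    ("www.stable-site.example", ["192.0.2.200", "192.0.2.201"]),
    ("www.stable-site.example", ["192.0.2.200", "192.0.2.201"]),
    ("cdn.big-service.example", [f"198.51.100.{i}" for i in range(100, 108)]),
    ("cdn.big-service.example", [f"198.51.100.{i}" for i in range(100, 108)]),
]

def summarize(observations):
    """Aggregate per-name statistics from (name, [A records]) lookups."""
    seen = defaultdict(set)  # name -> every IPv4 address ever returned
    stats = defaultdict(lambda: {"lookups": 0, "max_answer": 0, "new_on_repeat": 0})
    for name, ips in observations:
        name = name.lower().rstrip(".")
        s, answer = stats[name], set(ips)
        if s["lookups"]:  # repeat lookup: count addresses not seen before
            s["new_on_repeat"] += len(answer - seen[name])
        s["lookups"] += 1
        s["max_answer"] = max(s["max_answer"], len(answer))
        seen[name] |= answer
    for name, s in stats.items():
        s["distinct_ips"] = len(seen[name])
        s["networks"] = len({ip_network(ip + "/24", strict=False) for ip in seen[name]})
    return dict(stats)

def looks_fast_flux(s):
    """Large answers, spread over several networks, that churn between lookups."""
    repeats = s["lookups"] - 1
    churn = s["new_on_repeat"] / repeats if repeats else 0.0
    return (s["max_answer"] >= MIN_RECORDS_PER_ANSWER
            and s["networks"] >= MIN_NETWORKS
            and churn >= MIN_NEW_PER_REPEAT)

def flag(observations):
    return sorted(n for n, s in summarize(observations).items() if looks_fast_flux(s))

if __name__ == "__main__":
    print(flag(SAMPLE))
```

A large but stable answer set confined to one network, like the constructed CDN entry, is not flagged; it is the combination of size, spread and churn that separates flux from ordinary load balancing.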
Webroot’s antimalware products can easily remove the Trojan from infected systems, but the best defense is to avoid getting sucked into scams like this in the first place. The ABA is a trade association, and isn’t in the business of sending out fraud alerts to customers. If you know that, it brings the absurdity of the entire situation out in stark relief.