Malware Attack Lures Users With H1N1 Vaccination Scare
A phishing campaign, detected Tuesday, is luring users into downloading malware with a message that appears to be a health-related alert from the CDC regarding the flu strand H1N1, also known as swine flu. The phony health warning attempts to convince victims that they are part of a "State Wide H1N1 Vaccination Program," and tells them that they are required to create a vaccination profile on the CDC Web site.
Once users click on the embedded link, they are taken to a legitimate-looking replication of the CDC homepage, and given a fake temporary ID. They are then directed to click on yet another link that subsequently takes them to their "vaccination profile."
In reality, the link downloads an executable file that contains a copy of information-stealing malware suspected to be the renowned Zbot or Zeus Trojan. The Zbot Trojan then goes to work stealing sensitive data and login credentials off of users' machines, while installing additional malware without user authorization.
One of the downloaded malware pieces includes a keylogger, which can record keystrokes to steal financial passwords and banking information. It also enables remote hackers to take complete control of the infected computer.
Researchers at security company AppRiver said that they saw nearly 18,000 messages per minute netting more than one million messages in the first hour since this new variant Zbot Trojan was launched. Troy Gill, AppRiver security analyst, said that the high volume of messages he detected only applied to AppRiver's userbase, indicating that the virus has spread significantly more victims.
"Infection rates are pretty high due to the nature of it. People tend to fall for these things," Gill said. "(Attackers) tend to play on your fears. Those are usually more effective."
Gill said that he and other security researchers have seen a sharp uptick of swine flu-related malware over the last three months as the pandemic has swept across the U.S. and individuals have lined up in record numbers for H1N1 vaccinations. However, this particular malware attack distinguishes itself by the fact that it is registered to more than 50 domains -- 38 of which are sending traffic -- originating from the Isle of Man, he said.
To protect themselves, users are advised to keep anti-virus and anti-spam products up to date and refrain from clicking on e-mails from an unknown source, even if it appears legitimate or authoritative.
"User education is very important," Gill said. "This seems very obvious, but to a lot of people, it's just not."