This morning I spotted a few messages from my mobile carrier in my email inbox. This was not surprising as, only a few hours prior, I had logged into the carrier’s website to pay the monthly bill. The standard mode of operation for my provider is to send the bill via email, and a confirmation message after the bill is paid, also through email.
Today, however, one message stood out in several ways. First, the subject line was quite different from what I was expecting to see:
Important Account Information from Verizon Wireless TRACK-ID: 15730301098
I was also addressed in the email in a rather peculiar way, “Hello Dear!”. Only my aunt ever calls me “dear”, so I knew it was a phony. Below is a copy of the spammed message:
The spammed messages vary in several elements from recipient to recipient. For instance, the “Total Balance Due” amount differs among samples spotted in the wild, and is zero-padded to four digits when the amount is less than 1000:
Total Balance Due: $1589.55
Total Balance Due: $1366.06
Total Balance Due: $0257.93
The subject line is also not fixed and varies among recipients, in at least three different formats:
Subject: Important Account Information from Verizon Wireless TRACK-ID: 70341011278
Subject: Important Account Information from Verizon Wireless TRACK-ID: 12904962494
Subject: Important Account Information from Verizon Wireless, ID: 79PZ0SZ95HCLD
Subject: Important Account Information from Verizon Wireless, ID: OW0ORPE4SGTST
Subject: Important Information from Verizon Wireless, Tue, 6 Dec 2011 16:59:40 +0100
Subject: Important Information from Verizon Wireless, Tue, 6 Dec 2011 20:13:33 +0200
This suggests automation may be at play. The email carries a file attachment as a ZIP archive, commonly named “Verizon-Wireless-Account-StatusNotification_#######.zip”, such as “Verizon-Wireless-Account-StatusNotification_3518066.zip”. Within the attached archive is an executable bearing a similar name, such as “Verizon-Wireless-Account-Status-Notification-Dec-2011.exe” (SHA1: d4b12df0eb31457ad3d2197e9993f16a1f1a53eb).
While I was writing this article, the spam campaign switched to a lure impersonating Adobe software:
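The subject templates, attachment naming and zero-padded balance described above are stable enough to match on. The following mail-filter check is an added example written for this post, not MMPC detection logic; its regular expressions are my generalisation of the samples quoted here, and the sample messages it runs over are constructed, not captured mail.

```python
import re

# Subject formats seen in the campaign: 11-digit TRACK-ID, 13-character ID,
# or an RFC 2822 date appended to the subject (assumed generalisation).
SUBJECT_PATTERNS = [
    re.compile(r"^Important Account Information from Verizon Wireless TRACK-ID: \d{11}$"),
    re.compile(r"^Important Account Information from Verizon Wireless, ID: [A-Z0-9]{13}$"),
    re.compile(r"^Important Information from Verizon Wireless, "
               r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{1,2} [A-Z][a-z]{2} \d{4} "
               r"\d{2}:\d{2}:\d{2} [+-]\d{4}$"),
]
# "Verizon-Wireless-Account-StatusNotification_#######.zip" with seven digits.
ATTACHMENT_RE = re.compile(
    r"^Verizon-Wireless-Account-StatusNotification_\d{7}\.zip$", re.IGNORECASE)
# A real bill never zero-pads a dollar amount to four digits ("$0257.93").
PADDED_BALANCE_RE = re.compile(r"Total Balance Due: \$0\d{3}\.\d{2}")
GREETING = "Hello Dear!"


def campaign_indicators(subject, attachments, body):
    """Return the campaign indicators present in one message (may be empty)."""
    hits = []
    if any(p.match(subject) for p in SUBJECT_PATTERNS):
        hits.append("subject-template")
    if any(ATTACHMENT_RE.match(name) for name in attachments):
        hits.append("zip-attachment-name")
    if GREETING in body:
        hits.append("generic-greeting")
    if PADDED_BALANCE_RE.search(body):
        hits.append("zero-padded-balance")
    return hits


def is_campaign_message(subject, attachments, body):
    """Flag a message only when two independent indicators co-occur."""
    return len(campaign_indicators(subject, attachments, body)) >= 2


# Constructed samples for demonstration; the last one mimics a legitimate bill.
SAMPLES = {
    "spam_track_id": ("Important Account Information from Verizon Wireless TRACK-ID: 70341011278",
                      ["Verizon-Wireless-Account-StatusNotification_3518066.zip"],
                      "Hello Dear!\nTotal Balance Due: $0257.93\n"),
    "spam_dated": ("Important Information from Verizon Wireless, Tue, 6 Dec 2011 16:59:40 +0100",
                   ["Verizon-Wireless-Account-StatusNotification_0000001.zip"],
                   "Hello Dear!\n"),
    "legit_bill": ("Your Verizon Wireless bill is ready", [],
                   "Hello Patrick,\nTotal Balance Due: $87.40\n"),
}

if __name__ == "__main__":
    for name, (subject, attachments, body) in SAMPLES.items():
        print(name, is_campaign_message(subject, attachments, body), campaign_indicators(subject, attachments, body))
```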
From: <no-reply @ adobe.com>
Date: 12/6/2011 9:00:59 AM
Subject: Adobe Software Critical Upgrade Notification ID: RA4NFDKPJBD
Attachment: AdobeSystems-Software_Critica Update_Dec_2011-6PGCF713B.zip
Adobe is pleased to announce new version upgrades for Adobe Acrobat Reader and Adobe X Suite
Advanced features include:
– Collaborate across borders
– Create rich, polished PDF files from any application that prints
– Ensure visual fidelity
– Encrypt and share PDF files more securely
– Use the standard for document archival and exchange
To upgrade and enhance your work productivity today please open attached file.
Copyright 2011 Adobe Systems Incorporated. All rights reserved.
Adobe Systems Incorporated,
Tue, 6 Dec 2011 18:00:59 +0100
At this time, there is limited detection among vendors – we identify it as PWS:Win32/Zbot.gen!Y. Be wary of messages that may appear to be from known entities and use security software to minimize the chance of infection.
— Patrick Nolan, MMPC