The attackers behind the Zeus Trojan have unleashed a new phishing scam that is specifically targeted at users of the popular corporate webmail tool Outlook Web Access. The phishing emails include the recipient’s actual email address and appear to be an update to the OWA application.
The mail messages have been making the rounds this week and have hit a number of organizations. They are designed to look as if they come from a company’s IT department and instruct the recipient to visit a Web site to update the settings on his OWA account. OWA is used widely in enterprises that rely on Microsoft’s Outlook email system. The Web access component enables users to access their email from home or other PCs that are not part of the corporate network.
When a victim visits the malicious Web site (above) that is part of this phishing campaign, he gets a nasty surprise in the form of the Zeus Trojan, which is downloaded to the victim’s PC. Zeus is a multi-faceted Trojan whose main reason for being is to steal banking credentials from infected PCs and package them up for later use.
On the Cyber Crime & Doing Time blog, Gary Warner points out that the messages are using subject lines and text that look very enticing for users.
The subject lines used in the campaign so far have been:
A new settings for for the email@example.com mailbox has just been released
For the owner of the firstname.lastname@example.org mailbox
The settings for the email@example.com mailbox were changed
Users have been trained to avoid scams that look like they’re from eBay or PayPal, but messages like these, that look like they’re coming from tech support, are much harder for them to decipher.
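One defensive check that follows from the campaign's signature, as an added example rather than anything from the article or its sources: the lure subjects above all embed an email address together with "settings"/"mailbox" wording, which ordinary tech-support mail rarely does. The sample messages below are constructed for the demonstration, with placeholder addresses.

```python
import re

# Wording common to the campaign's observed subject lines (quoted in the article).
LURE_KEYWORDS = ("settings", "mailbox")

# Matches an email address embedded in a subject line.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample inbox: the three observed subjects, one benign message,
# and one lure whose embedded address differs from the recipient (still suspicious).
SAMPLE_MESSAGES = [
    {"to": "email@example.com",
     "subject": "A new settings for for the email@example.com mailbox has just been released"},
    {"to": "firstname.lastname@example.org",
     "subject": "For the owner of the firstname.lastname@example.org mailbox"},
    {"to": "email@example.com",
     "subject": "The settings for the email@example.com mailbox were changed"},
    {"to": "email@example.com",
     "subject": "Quarterly report attached"},
    {"to": "other@example.com",
     "subject": "The settings for the email@example.com mailbox were changed"},
]


def is_owa_settings_lure(subject: str) -> bool:
    """True when a subject embeds an email address and uses settings/mailbox wording."""
    subj = subject.lower()
    has_address = EMAIL_RE.search(subj) is not None
    has_lure_words = any(word in subj for word in LURE_KEYWORDS)
    return has_address and has_lure_words


def flag_messages(messages):
    """Return the subjects of messages that match the lure pattern, for triage or quarantine."""
    return [m["subject"] for m in messages if is_owa_settings_lure(m["subject"])]


if __name__ == "__main__":
    for subject in flag_messages(SAMPLE_MESSAGES):
        print("FLAGGED:", subject)
```

The rule is deliberately narrow to the campaign's wording; a mail gateway would pair it with link-domain checks rather than rely on subject text alone.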