Threat Research & Response Blog
This morning I spotted a few messages from my mobile carrier in my email inbox. This was not surprising as, only a few hours prior, I had logged into the carrier's website to pay the monthly bill. The standard mode of operation for my provider is to receive a bill via email, and a confirmation message after paying the bill, also through email.
Today, however, one message stood out in several ways. First, the subject line was quite different from what I was expecting to see:
Important Account Information from Verizon Wireless TRACK-ID: 15730301098
I was also addressed in the email in a rather peculiar way, "Hello Dear!". Only my aunt ever calls me "dear", so I knew it was a phony. Below is a copy of the spammed message:
The messages in this campaign vary from recipient to recipient. For instance, the "Total Balance Due" amount differs among samples spotted in the wild, and it is always padded to four digits before the decimal point, giving a leading zero when the amount is less than $1000:
Total Balance Due: $1589.55
Total Balance Due: $1366.06
Total Balance Due: $0257.93
The subject line is not fixed either; it changes among recipients and appears in at least three different formats (a numeric TRACK-ID, an alphanumeric ID, or a date string):
Subject: Important Account Information from Verizon Wireless TRACK-ID: 70341011278
Subject: Important Account Information from Verizon Wireless TRACK-ID: 12904962494
Subject: Important Account Information from Verizon Wireless, ID: 79PZ0SZ95HCLD
Subject: Important Account Information from Verizon Wireless, ID: OW0ORPE4SGTST
Subject: Important Information from Verizon Wireless, Tue, 6 Dec 2011 16:59:40 +0100
Subject: Important Information from Verizon Wireless, Tue, 6 Dec 2011 20:13:33 +0200
This suggests that the messages are generated by a template rather than sent by hand. Each email carries a ZIP archive as an attachment, commonly named "Verizon-Wireless-Account-StatusNotification_#######.zip", for example "Verizon-Wireless-Account-StatusNotification_3518066.zip". Inside the archive is an executable with a similar name, such as "Verizon-Wireless-Account-Status-Notification-Dec-2011.exe" (SHA1: d4b12df0eb31457ad3d2197e9993f16a1f1a53eb). A legitimate bill notification would not ask you to unpack and run an executable.
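The templated subject lines, the zero-padded balance, and the attachment naming described above are the kind of indicators a mail filter can key on. The following Python script is an added example (not part of the original post or of any MMPC tooling) that encodes those indicators as checks: it matches the three subject formats and the attachment file name against the samples quoted in this post, flags the four-digit balance artifact, and opens the ZIP to list any executable inside along with its SHA1, comparing it to the hash quoted above. The ZIP it builds for its own demo is constructed inline and contains a harmless "MZ" stub, not the real malware, so the SHA1 it computes will not match the known-bad hash; the regular expressions generalize slightly beyond the quoted samples (any digit run in the attachment name, any day of week and month in the date-style subject), which is an assumption on my part.

```python
import hashlib
import io
import re
import zipfile

# Subject-line formats observed in the campaign (taken from the samples quoted in the post).
SUBJECT_PATTERNS = [
    re.compile(r"^Important Account Information from Verizon Wireless TRACK-ID: \d{11}$"),
    re.compile(r"^Important Account Information from Verizon Wireless, ID: [A-Z0-9]{13}$"),
    re.compile(
        r"^Important Information from Verizon Wireless, "
        r"[A-Z][a-z]{2}, \d{1,2} [A-Z][a-z]{2} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}$"
    ),
]

# Attachment naming seen in the wild: Verizon-Wireless-Account-StatusNotification_#######.zip
# (assumption: any run of digits, not strictly seven).
ATTACHMENT_PATTERN = re.compile(
    r"^Verizon-Wireless-Account-StatusNotification_\d+\.zip$", re.IGNORECASE
)

# Templated balance: always four digits before the decimal point, zero-padded below $1000.
TEMPLATED_BALANCE = re.compile(r"Total Balance Due: \$\d{4}\.\d{2}")

# SHA1 of the executable quoted in the post.
KNOWN_BAD_SHA1 = {"d4b12df0eb31457ad3d2197e9993f16a1f1a53eb"}

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif")


def subject_matches(subject: str) -> bool:
    """True if the subject follows one of the three campaign templates."""
    return any(p.match(subject.strip()) for p in SUBJECT_PATTERNS)


def attachment_name_matches(name: str) -> bool:
    """True if the attachment name follows the campaign's naming scheme."""
    return ATTACHMENT_PATTERN.match(name) is not None


def body_has_templated_balance(body: str) -> bool:
    """True if the body carries the zero-padded four-digit balance artifact."""
    return TEMPLATED_BALANCE.search(body) is not None


def inspect_zip(data: bytes) -> list:
    """Return (member name, sha1 hex digest, known_bad) for every executable in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                digest = hashlib.sha1(zf.read(info)).hexdigest()
                findings.append((info.filename, digest, digest in KNOWN_BAD_SHA1))
    return findings


def score_message(subject: str, body: str, attachment_name: str, attachment_bytes=None) -> list:
    """Collect the campaign indicators present in one message as human-readable reasons."""
    reasons = []
    if subject_matches(subject):
        reasons.append("subject matches campaign template")
    if body_has_templated_balance(body):
        reasons.append("zero-padded balance amount in body")
    if attachment_name_matches(attachment_name):
        reasons.append("attachment name matches campaign template")
    if attachment_bytes is not None:
        for name, digest, known in inspect_zip(attachment_bytes):
            tag = " (known bad)" if known else ""
            reasons.append(f"executable in archive: {name} sha1={digest}{tag}")
    return reasons


def build_sample_archive() -> bytes:
    """Constructed stand-in for the attachment: a zip holding a harmless stub, not the real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "Verizon-Wireless-Account-Status-Notification-Dec-2011.exe",
            b"MZ constructed stub, not a real PE",
        )
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample message using subject/body strings quoted in the post.
    sample_subject = "Important Account Information from Verizon Wireless, ID: OW0ORPE4SGTST"
    sample_body = "Hello Dear!\nTotal Balance Due: $0257.93\n"
    sample_name = "Verizon-Wireless-Account-StatusNotification_3518066.zip"
    for reason in score_message(sample_subject, sample_body, sample_name, build_sample_archive()):
        print(reason)
```

The hash comparison is the weakest of the checks, since the executable inside the archive changes as the campaign is repacked; the structural tells (a bill notification that ships an executable in a ZIP, the templated subject and the padded amount) are what a filter should weight most.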
While I was writing this article, the spam campaign shifted to a new lure impersonating Adobe software:
At this time, detection among vendors is limited; we identify the attached executable as PWS:Win32/Zbot.gen!Y, a password-stealing trojan. Be wary of messages that appear to come from entities you know, especially ones that arrive with an archive containing an executable, and use up-to-date security software to minimize the chance of infection.
-- Patrick Nolan, MMPC