
Fake Swine Flu Emails Lead to Real Malware Infection

Security companies warn of e-mails that appear to come from the Centers for Disease Control but lead to the Zeus Trojan

By Erik Larkin, PC World
December 02, 2009 03:21 PM ET

A new malware campaign uses fake e-mails that appear to announce H1N1 vaccination programs from the Centers for Disease Control, but actually attempt to install the Zeus Trojan.

Both McAfee and Symantec issued warnings about the toxic e-mails, which are spoofed to look like they were sent from the "Centers for Disease Control and Prevention (CDC)," according to a screen shot in McAfee's post. Subject lines vary, but might be "Your personal Vaccination Profile" or "Governmental registration program on the H1N1 vaccination." See either Symantec's post or McAfee's warning for more subject line examples and the e-mail body text.

A link in the e-mail leads to a malicious but real-looking site where victims are supposed to download a tool to create a vaccination profile (see either post above for a screen shot). The URL for the site uses the common tactic of starting with a genuine-looking name - in this case, online.cdc.gov... - but ending with a domain such as ...yhnbad.com.im. The domain-name highlighting feature in IE8 can help foil this trick, as can the Locationbar2 add-on for Firefox.
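The check that domain highlighting performs, written out as an added example (not code from the original article or from either vendor): it finds the registrable domain of a link and flags hosts that only embed a trusted name as leading labels. The suffix set is a small hand-picked subset of the Public Suffix List, and the trusted list and sample URLs are constructed for illustration.

```javascript
// Assumption: hand-picked subset of the Public Suffix List, enough for the
// samples below; production code should load the full list.
const PUBLIC_SUFFIXES = new Set(["com", "gov", "im", "com.im"]);

// Assumption: registrable domains the organisation actually owns.
const TRUSTED_DOMAINS = ["cdc.gov"];

// Registrable domain = longest matching public suffix plus one label to its
// left. This is the part of the host that domain highlighting emphasises.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      // i === 0 means the host is itself a bare public suffix.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // suffix not in our list: treat as unknown
}

// Classify a link as "trusted", "lookalike" (trusted name embedded as
// sub-domain labels of some other domain) or "unrelated".
function classifyLink(url) {
  const host = new URL(url).hostname;
  const domain = registrableDomain(host);
  if (domain !== null && TRUSTED_DOMAINS.includes(domain)) {
    return { host, domain, verdict: "trusted" };
  }
  const embedded = TRUSTED_DOMAINS.some(
    (t) => host.startsWith(t + ".") || host.includes("." + t + ".")
  );
  return { host, domain, verdict: embedded ? "lookalike" : "unrelated" };
}

// Constructed sample links (not taken from the campaign).
const SAMPLES = [
  "http://online.cdc.gov/vaccination",
  "http://online.cdc.gov.lookalike-example.com.im/vaccination",
  "http://news.example.com/h1n1",
];

for (const url of SAMPLES) {
  const { domain, verdict } = classifyLink(url);
  console.log(`${verdict.padEnd(9)} ${domain}  <-  ${url}`);
}
```

The same classification can run in a mail gateway or proxy log review to surface links whose host starts with a trusted name but resolves under an unrelated registrable domain.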

The downloaded executable is of course the Trojan payload, which McAfee lists as a "very recent Zeus Trojan variant." Uploading such downloaded files to Virustotal.com can help identify new malware that some antivirus engines might miss.
