
Zeus' Social Security Statement Spam Campaign

Patrick Fitzgerald
November 23rd, 2009
Tags: Endpoint Protection (AntiVirus), Emerging Threats, Malicious Code, Security, Spam, Security Response

Once again Zeus is up to its old tricks with a new twist. The latest spam run informs users that their latest Social Security statement is available but may contain errors. The subject of the mail will be something like “Review annual Social Security statement”, and the body warns of a potential identity theft risk and asks you to review your annual statement at the link provided.

Figure 1. An example of the spam

If you follow this link you will arrive at the following page:
 
Figure 2. This fake page asks for your Social Security number.

Once an unsuspecting victim provides a social security number, they will arrive at the following page:

Figure 3. The generated report page

This page informs the user that their statement has been generated and can be downloaded by clicking the “Generate Statement” button.  Clicking on this button initiates the download of an executable file, in this case statement.exe.

There are a few things that users should look out for. One is the seemingly random TLD (Top Level Domain) used in the URL.  The domain (fawaazq.be) used in this spam campaign is highlighted in red.  Also, organizations such as the Social Security Administration will almost never ask users to download and run executable files.
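The two warning signs above, a link host outside the agency's own domain and a link that delivers an executable, can be checked mechanically on links extracted from mail. This is an added example, not part of the original post; the official-domain list, the hint words, the extension list and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit
import posixpath

# Assumption: the Social Security Administration's own site lives under ssa.gov.
OFFICIAL_SUFFIXES = (".ssa.gov",)
# Assumption: words a lure places in the host or path to look official.
BRAND_HINTS = ("ssa.gov", "socialsecurity", "social-security", "statement")
# Assumption: extensions treated as directly runnable on Windows.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def triage_link(url):
    """Return warning tags for a link found in a 'Social Security statement' mail."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    tags = []

    # Prefixing a dot makes "ssa.gov" and "www.ssa.gov" match,
    # while "ssa.gov.lookalike.example" and "notssa.gov" do not.
    official = any(("." + host).endswith(s) for s in OFFICIAL_SUFFIXES)
    if not official:
        tags.append("non_official_host")
        # Brand words in subdomain labels or the path of an unrelated domain.
        lure = host + parts.path.lower()
        if any(hint in lure for hint in BRAND_HINTS):
            tags.append("brand_on_foreign_host")

    # A statement should never arrive as a program to run, whatever the host.
    ext = posixpath.splitext(parts.path.lower())[1]
    if ext in EXECUTABLE_EXTENSIONS:
        tags.append("executable_download")
    return tags


# Constructed sample links (not taken from the campaign).
SAMPLES = [
    "https://www.ssa.gov/myaccount/",
    "http://statements.ssa.gov.lookalike.example/report/statement.exe",
    "http://lookalike.example/news/index.html",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", triage_link(link) or ["no warning signs"])
```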

This file is malicious and is detected by Symantec as Infostealer.Banker.C. This malware attempts to intercept online banking traffic in order to gain access to and steal money from the victim.

Last week two people were arrested by the Greater Manchester Police in relation to Zeus. These arrests are positive developments in the war against online crime. This latest spam illustrates the need for us to keep our guard up and constantly watch out for this type of scam.
