Phishing Campaign Using Spoofed US-CERT Email Addresses

On January 10, 2012, US-CERT received reports of a phishing campaign that is spoofing US-CERT email to deliver a variant of the Zeus/Zbot Trojan known as Ice-IX. This campaign appears to be targeting a large number of private sector
organizations as well as federal, state, and local governments.

US-CERT advises that users do not open the email or any of the attachments and promptly delete the email from their inboxes.

Reports indicate that [email protected] is the primary email address
being spoofed but other invalid email addresses are also being used.

The subject of the phishing email is: “Phishing incident report call number: PH000000XXXXXXX” with the “X” containing an incident report number that varies.

The attached zip file is titled “US-CERT Operation Center Report XXXXXXX.zip”, with “X” indicating a random value or string. The zip attachment contains an executable file with the name “US-CERT Operation CENTER Reports.eml.exe”, which is a variant of the Zeus/Zbot Trojan known as Ice-IX.

US-CERT encourages users to do the following to reduce the risks associated with this and other phishing campaigns.

• Do not open the attachments in email messages from unknown sources.
• Install anti-virus software and keep virus signatures files up to date.
• Refer to Recognizing and Avoiding Email Scams (pdf) documents for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for information on social engineering attacks.
• Refer to Recovering from Viruses, Worms, and Trojan Horses document for additional information on how to recover from malware.