Latest Zeus Zishing campaign is fall-out from RSA’s hack earlier this year

Reports that a malware distribution campaign designed to spread the infamous Zeus malware – aka Zbot – is an interesting twist on the long-running evolution of the malware.

Zeus has been more commonly associated with online banking session hijacks, so to hear that a new campaign to spread the malware by tapping fears surrounding the RSA SecurID authentication technology is a new attack vector.

RSA’s hack of earlier this year was clearly mishandled by the company, as users of SecurID had to wait almost two weeks before they knew anything other than the fact that RSA’s servers had been seriously hacked.

Furthermore, large numbers of SecurID users are reportedly waiting for the distribution of new hardware tokens, a process that could take a great deal of time to complete. This distribution campaign for Zeus plagues on the fears of SecurID’s security issues by warning them of security vulnerability that requires immediate patching using downloaded software.

And to make the emails look more genuine, the hackers behind the latest Zeus campaign claim that the messages come from the National Security Agency in the US, amongst other sources.

This encourages users of SecurID to click on the URL in the email to download the required security patch – a process that a small minority of users, perhaps worried for the sanctity of their SecurID tokens, may do instinctively.

The link in the fake lures then triggers a download of Zeus, as well as other malware that can cause security problems for the user whose machine that is being targeted.

What this shows is that users of SecurID have become potential targets for this specialist phishing technique – which his research team are calling Zishing – as a direct result of the poor way in which RSA handled news of its servers being hacked, resulting in their having to wait around 10 days to get official confirmation that the RSA servers had been compromised.

Regardless of what this new attack vector is being called, the reality is that there a sizeable minority of SecurID users who are sufficiently worried about the widely-publicised hack of earlier this year, and who will click on the relevant URL as a result.

The success of this Zishing attack vector is the direct result of RSA inadequate and belated response to news of a break-in to its servers. Had the firm launched a better response as soon as the incident took place, then this infection campaign would not have any effect on users at all. It might also not have happened at all.

Andrew Kemshall is co-founder of SecurEnvoy. Before setting up SecurEnvoy, which specialises in tokenless two-factor authentication, Andrew worked for RSA as one of their original technical experts in Europe, clocking up over 15 years experience in user authentication. His particular specialty is two-factor authentication in the fields of architecture, design and development of next generation authentication software.