Hackers pose as hacked software vendor to spread Zeus trojan

The attackers also registered a typosquatted look-alike of the vendor's domain and used it as a redirect page to a Blackhole exploit kit.

Liam Tung (CSO Online (Australia)), 23 July, 2012 09:32

Hackers are sending well-crafted malicious spam to customers of software vendor MapleSoft whose details were stolen in a recent data breach.

The company, which makes modelling and educational software for engineering and other sciences, reported last week its administrative database was breached on July 17, exposing email addresses, first and last names and the name of the institution the contact was from.

Its clients include the University of New South Wales, which hosts the software at its School of Mathematics and Statistics labs.

MapleSoft said the perpetrators appeared to be using details taken from the database to encourage victims to install malware, which Symantec has confirmed as the Zbot (Zeus) trojan.

The attackers sent the vendor’s customers an email purporting to be from the “MapleSoft Security Update Team”, which advised them to immediately apply a security patch for MapleSoft's software or risk “sever system crashes and data loss”, according to one email published by Symantec.

On the day of the MapleSoft data breach the attackers had also registered “maple-soft.com”, nearly identical to the real maplesoft.com. The spam included a link to the fraudulent domain and urged targets to click it; the page then redirected victims to a Blackhole exploit kit landing page.
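The hyphen-inserted look-alike domain is the kind of thing a mail gateway or SOC script can flag before a user clicks. The following is an added example (not code from the article, Symantec or MapleSoft) of a small Python checker that extracts the domains in a message's links and sender addresses and compares each against a list of legitimate domains, treating hyphen/dot stripping and small edit distances as look-alike signals. The sample message is constructed for this example and only imitates the lure the article describes; the regexes, the two-label "registrable domain" shortcut and the distance threshold of 2 are assumptions that a real deployment would tune.

```python
import re
from typing import Dict, Set
from urllib.parse import urlparse

# Constructed sample: an urgent "security patch" lure of the kind described
# in the article, linking to a hyphenated look-alike domain. This text is
# invented for the example, not the email Symantec published.
SAMPLE_MESSAGE = """From: MapleSoft Security Update Team <updates@maple-soft.com>
Subject: Critical security patch

Please apply the patch immediately: http://maple-soft.com/patch/update.exe
Documentation: https://www.maplesoft.com/support/
"""

# Domains the organisation knows to be legitimate (assumed allow-list).
LEGIT_DOMAINS = {"maplesoft.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
ADDR_RE = re.compile(r"[\w.+-]+@([\w.-]+)")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for .com-style domains here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalise(domain: str) -> str:
    """Collapse cheap tricks: hyphens and dots inside the name part."""
    name, _, tld = domain.rpartition(".")
    return name.replace("-", "").replace(".", "") + "." + tld


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small values mean a near-identical spelling."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit: str, max_distance: int = 2) -> bool:
    """True if `domain` imitates `legit` without being it."""
    if domain == legit:
        return False
    if normalise(domain) == normalise(legit):
        return True  # e.g. maple-soft.com vs maplesoft.com
    return levenshtein(domain, legit) <= max_distance


def extract_domains(message: str) -> Set[str]:
    """Registrable domains from every URL and e-mail address in the message."""
    domains = set()
    for url in URL_RE.findall(message):
        host = urlparse(url).hostname
        if host:
            domains.add(registrable_domain(host))
    for host in ADDR_RE.findall(message):
        domains.add(registrable_domain(host))
    return domains


def flag_lookalikes(message: str, legit_domains=LEGIT_DOMAINS) -> Dict[str, str]:
    """Map each suspicious domain in the message to the legitimate one it imitates."""
    hits = {}
    for d in extract_domains(message):
        for legit in legit_domains:
            if is_lookalike(d, legit):
                hits[d] = legit
    return hits


if __name__ == "__main__":
    for bad, good in flag_lookalikes(SAMPLE_MESSAGE).items():
        print(f"look-alike domain {bad!r} imitates {good!r}")
```

The normalisation step catches exactly the trick used here (a hyphen inserted into a real brand name), and the edit-distance fallback catches single-character typos and transpositions; the allow-list must contain the organisation's real domains, or the legitimate `maplesoft.com` link would be flagged against nothing and the fake one would pass.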

“While we have seen plenty of database breaches in recent weeks, none have resulted in a crafted campaign such as this. This just goes to show how these types of attacks have evolved from blind phishing to more sophisticated, targeted messages. Having this type of data on-hand is like having an ace up the sleeve,” wrote Symantec security response engineer, Jeet Morparia.

The attackers had initially attached the fake patch as a ZIP file but quickly changed tactics, H-Online reported.
