A phishing attack aimed at small businesses accounted for as much as a third of all global junk email–or more than a quarter of all e-mail–for a 15-minute period Friday, showing that the Zeus family of keystroke-logging software remains a force to be reckoned with despite a recent spate of arrests.
The attack took the form of e-mails that had subject headings beginning “Your Federal Tax Payment” and said an electronic transfer had been rejected because of an invalid corporate identification number. Following a recent trend in such scams, the e-mails contain links to a genuine web page, in this case a US site that collects tax payment information including bank account numbers.
The problem comes both before and after the recipients reach that destination. En route there, they are taken to a series of other sites that check what software is on the prospective victim’s PC. More than half the time, researchers at Solera Networks said, those PCs will be vulnerable to one of two techniques the websites use to break in and install a version of the Zeus program for intercepting online banking transaction data.
The first flaw is in older but still-common versions of the Java virtual machine, fixed in recent weeks, while the second is a hole in Adobe Reader versions 9.1 and older.
If either technique works, by the time the victim reaches the US tax page a few seconds later, everything entered there and on other sites in the future will be recorded and shipped off to the criminals, who will begin taking money from the victim’s accounts.
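The chain just described (an e-mail link, several intermediate hosts that profile the visitor, then the genuine destination a few seconds later) leaves a recognisable trace in a web proxy log. The following is an added detection sketch, not code from the article or from Solera Networks: it walks each client's requests backwards from a trusted destination and reports clients that arrived there through two or more unfamiliar, referer-linked hops inside a short window. The log format, hostnames, IP addresses, timestamps and thresholds are all constructed for the example.

```python
"""Flag proxy-log request sequences that hop through several unfamiliar
hosts before landing on a trusted destination within a short window.
Added illustration of the drive-by chain described in the article; log
format, hostnames and thresholds are constructed, not from the article."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log: "<ISO timestamp> <client IP> <host> <referer host or ->"
SAMPLE_LOG = """\
2010-09-17T10:02:01 10.0.0.5 mail.example.net -
2010-09-17T10:02:03 10.0.0.5 redir-one.example -
2010-09-17T10:02:04 10.0.0.5 check-plugins.example redir-one.example
2010-09-17T10:02:05 10.0.0.5 payload.example check-plugins.example
2010-09-17T10:02:07 10.0.0.5 tax-payments.example.gov payload.example
2010-09-17T10:15:00 10.0.0.9 tax-payments.example.gov -
2010-09-17T11:00:00 10.0.0.7 intranet.example.net -
"""

# Constructed stand-in for the genuine tax site and for hosts the organisation already trusts.
TRUSTED_DESTINATION = "tax-payments.example.gov"
KNOWN_GOOD = {"mail.example.net", "intranet.example.net", TRUSTED_DESTINATION}


def parse_log(text):
    """Parse the constructed four-column log into (timestamp, client, host, referer) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, referer = line.split()
        records.append((datetime.fromisoformat(ts), client, host, referer))
    return records


def find_redirect_chains(records, window=timedelta(seconds=30), min_hops=2):
    """Return {client: [hop1, hop2, ...]} for clients that reached TRUSTED_DESTINATION
    after at least `min_hops` unfamiliar hosts inside `window`, where each hop's
    referer points at the previous hop (so unrelated browsing is not counted)."""
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec[1]].append(rec)

    hits = {}
    for client, recs in by_client.items():
        recs.sort()  # chronological order per client
        for i, (ts, _, host, referer) in enumerate(recs):
            if host != TRUSTED_DESTINATION:
                continue
            chain = []
            expected = referer  # the host that sent us to the destination
            j = i - 1
            # Walk backwards while still inside the window, following referer links.
            while j >= 0 and ts - recs[j][0] <= window:
                _, _, hop_host, hop_referer = recs[j]
                if hop_host == expected and hop_host not in KNOWN_GOOD:
                    chain.append(hop_host)
                    expected = hop_referer
                j -= 1
            chain.reverse()  # report in the order the victim visited them
            if len(chain) >= min_hops:
                hits[client] = chain
    return hits


if __name__ == "__main__":
    for client, chain in find_redirect_chains(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {' -> '.join(chain)} -> {TRUSTED_DESTINATION}")
```

The referer linkage is what keeps the heuristic from firing on a user who simply opened the tax site after reading unrelated pages; a visitor who follows the e-mail link directly (10.0.0.9 above) produces no chain at all. In practice the unfamiliar-host test would draw on a reputation or allow-list feed rather than the tiny `KNOWN_GOOD` set used here.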
The phishing attack, one of scores under way at any given time, once again points up the severe problems with the state of consumer IT security. Even if operating systems are patched, the vast majority of PCs are running other programs with known, critical vulnerabilities that their owners have not bothered to update.
I strongly recommend a free tool from Secunia, available here, that will scan your PC for software that needs patching.
Cisco Systems’ spam monitors reported a few spikes in the latest Zeus e-mail campaign, with it peaking Friday, a deadline for quarterly tax filings by businesses.
Solera said it planned on notifying tax authorities, who could post a warning on the website. Just for the record, the IRS does not notify people of tax problems via e-mail.