Since the outbreak of the Ebola virus in December 2013, and with media attention intensifying over the past couple of months, the scare has drawn worldwide attention. Attackers are cashing in on the hype: the Symantec security blog has reported a series of malware and phishing operations that use the Ebola virus as a social engineering theme.
The blog describes social engineering as the framework behind one phishing campaign and three malware attacks that capitalize on Ebola-related concerns.
One such attack sends unsuspecting users an email imitating a health report on the current state of the Ebola virus, consequently infecting users with the Trojan.Zbot malware. Zbot has been observed in most major Windows operating systems from Windows NT (1993) up to Windows 7.
In another case, cybercriminals send out an email that impersonates a major telecommunications services provider and claims to offer a high-level presentation on the Ebola virus. An attached zip file with a title like “EBOLA – PRESENTATION.pdf.zip” actually executes Trojan.Blueso on the victim’s computer. Unlike the Zbot Trojan, Blueso itself is not the final goal of this attack; instead, it injects the Win32.Spyrat spyware into the victim’s web browser, which then logs keystrokes, captures screenshots, and can potentially activate the user’s webcam.
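The lure above relies on a document-looking name followed by an archive extension (“.pdf.zip”). As an added illustration, not part of the Symantec report, the following mail-gateway check flags that double-extension pattern on the attachment name and on the archive's members; the attachment name is taken from the article, while the archive and its member name are constructed here as an assumption about what such a lure contains.

```python
"""Flag e-mail attachments that use the 'document.pdf.zip' disguise.

Added example, not from the Symantec report: the outer attachment name comes
from the article; the archive contents are constructed here for illustration.
"""
import io
import zipfile

DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".pif"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}


def _exts(name: str) -> list[str]:
    """All extensions of a filename, lowercased: 'a.pdf.zip' -> ['.pdf', '.zip']."""
    parts = name.strip().lower().rsplit("/", 1)[-1].split(".")
    return ["." + p for p in parts[1:]]


def suspicious_name(name: str) -> bool:
    """True if a document extension is immediately followed by an archive or executable one."""
    exts = _exts(name)
    return len(exts) >= 2 and exts[-2] in DOC_EXTS and exts[-1] in (EXEC_EXTS | ARCHIVE_EXTS)


def scan_attachment(filename: str, data: bytes) -> list[str]:
    """Return reasons to quarantine the attachment (empty list means nothing was found)."""
    reasons = []
    if suspicious_name(filename):
        reasons.append(f"double extension in attachment name: {filename!r}")
    if _exts(filename)[-1:] == [".zip"] and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                exts = _exts(member)
                if exts and exts[-1] in EXEC_EXTS:
                    reasons.append(f"executable inside archive: {member!r}")
                elif suspicious_name(member):
                    reasons.append(f"double extension inside archive: {member!r}")
    return reasons


def build_sample() -> bytes:
    """Constructed archive standing in for the lure; the member name is an assumption."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("EBOLA - PRESENTATION.pdf.exe", b"placeholder bytes, not a real binary")
    return buf.getvalue()


if __name__ == "__main__":
    for reason in scan_attachment("EBOLA - PRESENTATION.pdf.zip", build_sample()):
        print("QUARANTINE:", reason)
```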
The third campaign piggybacks on fresh Ebola news. In the last two weeks there has been talk of ZMapp, a promising Ebola drug still at the experimental stage. The crooks entice their victims with an email claiming that the Ebola virus has been cured and that the news should be shared widely. The email attachment is the Backdoor.Breut malware. Breut records keystrokes and can download additional files to the infected computer.
Last is a phishing campaign that impersonates CNN with breaking Ebola news. It gives a brief story outline and includes links to an ‘untold story’. The email also promises ‘How-to’ precaution information and a list of ‘targeted’ regions. If users click on the links in the email, they are sent to a web page, asked to select an email provider, and then asked to enter their login credentials. If they do so, their email login credentials are sent directly to the phishers, and the victim, unaware, is redirected to the real CNN home page.