Fake Zbot Site Poses as CDC H1N1 Flu Vaccine Info

The newest victim of the faux-Web-sites-posing-as-government-pages scam is the Centers for Disease Control and Prevention. In the same vein as fake pages supposedly hosted on the Web servers of the IRS, FDIC, and other organizations, we’re seeing a new scam to infect computers with Trojan-Phisher-Zbot that pretends to be a “Personal H1N1 Vaccination Profile.”

As with the previous scams, dozens of Web servers are involved. The URLs in the scheme all begin with “http://online.cdc.gov” (the CDC does not use an “online.” subdomain), followed by a six- to seven-character random domain name and a non-.gov top-level domain.
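One way to detect the hostname pattern described above in proxy or DNS logs, added here as an example and not Webroot's code: it flags hosts whose labels contain a protected .gov domain but which are not actually under that domain. The `PROTECTED` list, the function names and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains worth protecting. The post names the CDC and mentions
# earlier campaigns that imitated the IRS and FDIC.
PROTECTED = ("cdc.gov", "irs.gov", "fdic.gov")
URL_RE = re.compile(r"https?://[^\s\"']+")


def imitated_domain(host):
    """Return the protected domain a hostname imitates, or None.

    A host imitates a protected domain when that domain's labels appear
    inside the name (for example as a prefix) but the name does not end
    with it, so the registrable domain belongs to someone else.
    """
    labels = host.lower().rstrip(".").split(".")
    brands = [b.split(".") for b in PROTECTED]
    # Anything genuinely under a protected domain is legitimate.
    if any(labels[-len(b):] == b for b in brands):
        return None
    for b in brands:
        # Slide over every position except the final one (handled above).
        for i in range(len(labels) - len(b)):
            if labels[i:i + len(b)] == b:
                return ".".join(b)
    return None


def scan(lines):
    """Return (host, imitated_domain) for each suspicious URL in log lines."""
    hits = []
    for line in lines:
        for url in URL_RE.findall(line):
            host = urlsplit(url).hostname or ""
            brand = imitated_domain(host)
            if brand:
                hits.append((host, brand))
    return hits


# Constructed sample proxy log lines (hosts use reserved example TLDs).
SAMPLE = [
    "2009-12-01T10:02:11 10.0.0.5 GET http://www.cdc.gov/h1n1flu/",
    "2009-12-01T10:03:40 10.0.0.7 GET http://online.cdc.gov.qwzkpha.example/profile",
    "2009-12-01T10:04:02 10.0.0.9 GET http://news.example/story?ref=cdc.gov",
]

if __name__ == "__main__":
    for host, brand in scan(SAMPLE):
        print(f"ALERT: {host} imitates {brand}")
```

Matching on parsed hostname labels rather than a substring search keeps the third sample line, where “cdc.gov” appears only in the query string, from raising a false alert.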

The text of the page reads:

Your Personal H1N1 Vaccinating Profile is an electronic document, which contains your name, your contact details and your medical data (what kind of illnesses you have sustained in your childhood or what kind of allergy you have to some certain drug). All instructions you need are included in the archive below

There’s a link labeled “Download Archive (130Kb)” that, when you click it, pulls down the Zbot installer from the malicious server. The file name is vacc_profile.exe. Please don’t execute this file if you happen to download it.

This particularly pernicious program appears to have a proclivity for FTP passwords. It appears to target several popular Windows FTP and SCP client applications, including SmartFTP, WS_FTP, FlashFXP, CoreFTP, FTP Commander, Total Commander, WinSCP, FileZilla, and FAR Manager. If you typically save your FTP credentials in these applications, Zbot will seek them out.

Webroot has implemented procedures to warn you when you visit one of these sites. Anyone using our software who has their File System Shield active will see a warning if they follow a malicious link. If you get this warning message, close the browser window, perform a full sweep of your computer, and change the passwords to any FTP accounts that have been saved in any of the client apps listed above.