On January 10, 2012, US-CERT received reports of a phishing campaign that is spoofing US-CERT email to deliver a variant of the Zeus/Zbot Trojan known as Ice-IX. This campaign appears to be targeting a large number of private sector organizations as well as federal, state, and local governments.
US-CERT advises that users do not open the email or any of the attachments and promptly delete the email from their inboxes.
Reports indicate that SOC@US-CERT.GOV is the primary email address being spoofed, but other invalid email addresses are also being used.
The subject of the phishing email is: "Phishing incident report call number: PH000000XXXXXXX", where the "X" characters stand for an incident report number that varies.
The attached zip file is titled "US-CERT Operation Center Report XXXXXXX.zip", with "X" indicating a random value or string. The zip attachment contains an executable file with the name "US-CERT Operation CENTER Reports.eml.exe", which is a variant of the Zeus/Zbot Trojan known as Ice-IX.
US-CERT encourages users to do the following to reduce the risks associated with this and other phishing campaigns.
- Do not open attachments in email messages from unknown sources.
- Install anti-virus software and keep virus signature files up to date.
- Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
- Refer to the Avoiding Social Engineering and Phishing Attacks document for information on social engineering attacks.
- Refer to the Recovering from Viruses, Worms, and Trojan Horses document for additional information on how to recover from malware.