U.S. Flag Official website of the Department of Homeland Security
TLP:WHITE

Phishing Campaign Using Spoofed US-CERT Email Addresses

Original release date: January 10, 2012 | Last revised: October 23, 2012

On January 10, 2012, US-CERT received reports of a phishing campaign that is spoofing US-CERT email to deliver a variant of the Zeus/Zbot Trojan known as Ice-IX. This campaign appears to be targeting a large number of private sector organizations as well as federal, state, and local governments.

US-CERT advises that users do not open the email or any of the attachments and promptly delete the email from their inboxes.

Reports indicate that SOC@US-CERT.GOV is the primary email address being spoofed but other invalid email addresses are also being used.

The subject of the phishing email is: "Phishing incident report call number: PH000000XXXXXXX" with the "X" containing an incident report number that varies.

The attached zip file is titled "US-CERT Operation Center Report XXXXXXX.zip", with "X" indicating a random value or string. The zip attachment contains an executable file with the name "US-CERT Operation CENTER Reports.eml.exe", which is a variant of the Zeus/Zbot Trojan known as Ice-IX.

US-CERT encourages users to do the following to reduce the risks associated with this and other phishing campaigns.

This product is provided subject to this Notification and this Privacy & Use policy.

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top