Citibank Phishing Campaign Leads to ZeuS Malware

 Analysis by: Lala Manly

Spammed messages that lead users to websites hosting black hole exploit kits have been spotted in the wild again. This phishing campaign purports to come from Citibank and uses a legitimate Citibank email notification template to trick users into thinking it is genuine. It bore the subject "Your Citi Credit Card Statement" and has forged header information. In addition, the visible URLs in the email message are legitimate Citibank URLs, so unwary users may fall for this lure.

The message contains a URL that redirects to a site hosting malicious JavaScript.



The script points users to a black hole exploit kit server, http://{BLOCKED}.{BLOCKED}.39.83, which then executes exploit code to install various malware onto infected systems. Black hole exploit kits are known to take advantage of various software vulnerabilities to execute ZeuS malware.

 SPAM BLOCKING DATE / TIME: May 14, 2012 GMT-8
 TMASE INFO
  • ENGINE:
  • PATTERN:8904