Dec 3, 2009
Several security vendors are reporting a large malware campaign taking advantage of interest in H1N1 vaccinations.
The e-mails claim to link to a Web page for the Centers for Disease Control and Prevention where users can register for a new “State Vaccination H1N1 Program.” However, anyone who clicks on the link ends up with the Zeus Trojan, a prevalent piece of malware used to steal data from compromised machines.
Security company AppRiver detected the campaign around 8:15 a.m. (CST) Dec. 1, and an hour later was filtering nearly 18,000 e-mails per minute.
According to Symantec, the domain used in the e-mail links has the format of online.cdc.gov.[RANDOM CHARS].[TLD NAME].im, such as online.cdc.gov.yhnbad.com.im.
“As is usually the case with these campaigns, the URL that is supposed to be a document actually leads to an executable file,” blogged Hon Lau of Symantec. “This one is named vacc_profile.exe and is detected by Symantec as Infostealer.Banker.C. Incidentally, the URL is also ‘personalized’ with the e-mail address of the recipient to make it look that little bit more authentic and less like mass-mailed spam.”
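The host-name pattern Symantec describes puts the trusted name at the front of the host while the registered domain is whatever follows it. The sketch below is an added example, not code from Symantec or AppRiver: it flags links whose host embeds a trusted domain without actually ending in it and whose target is an executable. The trusted list, the extension list, the function names and the sample URL paths are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains the mail filter treats as trusted brands.
TRUSTED = ("cdc.gov",)
# Assumption: file extensions treated as directly executable on Windows.
EXECUTABLE_EXT = (".exe", ".scr", ".pif")


def embedded_trusted_domain(host, trusted=TRUSTED):
    """Return (trusted_domain, real_suffix) when a trusted domain appears
    inside the host name but the host does not end with it; else None."""
    labels = host.lower().rstrip(".").split(".")
    for dom in trusted:
        want = dom.split(".")
        n = len(want)
        if labels[-n:] == want:
            continue  # host really is the trusted domain or a subdomain of it
        # Look for the trusted labels followed by at least one more label.
        for i in range(len(labels) - n):
            if labels[i:i + n] == want:
                return dom, ".".join(labels[i + n:])
    return None


def check_url(url):
    """Return a list of findings for one link taken from a message body."""
    parts = urlsplit(url)
    findings = []
    hit = embedded_trusted_domain(parts.hostname or "")
    if hit:
        findings.append("host embeds %s but is registered under %s" % hit)
    if parts.path.lower().endswith(EXECUTABLE_EXT):
        findings.append("link target is an executable, not a document")
    return findings


if __name__ == "__main__":
    # Constructed samples: the host and file name come from the article,
    # the URL layout is made up for this example.
    for sample in ("http://online.cdc.gov.yhnbad.com.im/vacc_profile.exe",
                   "http://www.cdc.gov/"):
        print(sample, "->", check_url(sample) or "no findings")
```

The check compares whole DNS labels, so it does not depend on a public-suffix list and does not fire on genuine subdomains of the trusted domain.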
The subject lines of the e-mails vary, but some of the ones that have been observed are “Governmental registration program on the H1N1 vaccination” and “Your personal Vaccination Profile.”
If you have any doubt about the authenticity of the e-mail, don’t click it. Information about H1N1 can be found on the CDC Website.