Phishing Campaign Using Spoofed US-CERT Email Addresses

On January 10, 2012, US-CERT received reports of a phishing campaign that spoofs US-CERT email addresses to deliver a variant of the Zeus/Zbot Trojan known as Ice-IX. This campaign appears to be targeting a large number of private sector organizations as well as federal, state, and local governments.

US-CERT advises that users do not open the email or any of the attachments and promptly delete the email from their inboxes.

Reports indicate that [email protected] is the primary email address being spoofed, but other invalid email addresses are also being used.

The subject of the phishing email is: "Phishing incident report call number: PH000000XXXXXXX", where "X" stands for an incident report number that varies.

The attached zip file is titled "US-CERT Operation Center Report XXXXXXX.zip", with "X" indicating a random value or string. The zip attachment contains an executable file with the name "US-CERT Operation CENTER Reports.eml.exe", which is a variant of the Zeus/Zbot Trojan known as Ice-IX.
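The subject line, zip name and executable name described above can be checked at a mail gateway or during triage. The following Python is an added example, not part of the US-CERT notice; how the variable "X" portion is matched, the broader double-extension rule, and the sample message (with a harmless text payload) are assumptions constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Patterns taken from the advisory text; the variable "X" part is matched loosely (assumption).
SUBJECT_RE = re.compile(r"Phishing incident report call number: PH000000\S+", re.I)
ZIP_NAME_RE = re.compile(r"US-CERT Operation Center Report .+\.zip$", re.I)
# Generalisation (assumption): any archive member like "name.eml.exe", not only the advisory's name.
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{2,4}\.(exe|scr|com|pif)$", re.I)

def check_message(raw: bytes) -> list:
    """Return the advisory indicators found in a raw RFC 5322 message."""
    msg = message_from_bytes(raw)
    hits = []
    if SUBJECT_RE.search(str(msg.get("Subject", ""))):
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        if ZIP_NAME_RE.search(name):
            hits.append("zip-name")
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True) or b"")) as zf:
                members = zf.namelist()  # names only; nothing is extracted
        except zipfile.BadZipFile:
            hits.append("unreadable-zip")
            continue
        hits += [f"double-ext:{m}" for m in members if DOUBLE_EXT_RE.search(m)]
    return hits

def build_sample() -> bytes:
    """Constructed sample: the zip holds placeholder text under the advisory's file name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("US-CERT Operation CENTER Reports.eml.exe", b"placeholder, not executable")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["Subject"] = "Phishing incident report call number: PH0000001234567"
    msg.set_content("See attached report.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="US-CERT Operation Center Report 1234567.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(check_message(build_sample()))
```

The double-extension check is the most durable of the three, since the subject and zip name vary per message and the sender address is spoofed.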

US-CERT encourages users to do the following to reduce the risks associated with this and other phishing campaigns.

This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify