Zeus Trojan distribution campaign targets RSA SecurID customers

Security researchers are warning about a new e-mail-based malware distribution campaign targeting customers of RSA's SecurID tokens.

Security researchers are warning about a new e-mail-based malware distribution campaign targeting customers of RSA's SecurID tokens.

The campaign seeks to capitalise on the data breach at EMC's RSA security division in March.

The malicious e-mails appear to come from RSA and include the logos of the US National Security Agency and Central Security Service.

The messages warn, in poor English, that "a unsafe vulnerability has been discovered in a certain types of our token devices" and provides links to check if RSA SecureID tokens are safe and a security software update.

However, both these links will trigger a download of a variant of the ever-persistent ZBot (Zeus) family of Trojans, said Troy Gill, researcher at security firm AppRiver.

"While I don't expect most individuals to fall for this, there is also a great amount that will, some of which who will mentally make some connection to the RSA breach," he wrote in a blog post.

Gill said the connection with the high-profile breach may give the messages the air of legitimacy and trick recipients into clicking the links.

RSA's authentication tokens are used by employees in government agencies, contractors, companies and organisations around the world.

The supplier initially claimed the data breach did not pose any serious risk, but after breaches at customer sites, RSA agreed to replace all tokens.

RSA has been criticised for delays in giving customers any details of the breach, admitting its security implications, and in replacing the tokens.

The Zbot distribution campaign shows that users of SecurID have become potential targets for this specialist phishing technique, said Andrew Kemshall, chief technology officer at multi-factor authentication firm, SecurEnvoy.

"There a sizeable minority of SecurID users who are sufficiently worried about the widely-publicised hack of earlier this year, and who will click on the relevant URL as a result," he said.

According to Kemshall, the vulnerability of SecurID customers to this campaign is the direct result of RSA's inadequate and belated response to news of a break-in to its servers.

"Had the firm launched a better response as soon as the incident took place, then this infection campaign would not have any effect on users at all," he said.

Read more on Antivirus, firewall and IDS products

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.