Although the Twitter password reset email is an old theme, cybercriminals continue using it, perhaps because it keeps working. This currently ongoing campaign is attempting to trick the user into executing Twitter_security_model_setup.zip, which is hosted on Google Groups. The use of legitimate hosting providers has been increasing over time, because their servers carry a clean IP/network reputation compared to a purely malicious infrastructure.
What's even more notable about this Latvia-based hosting provider is that one of the Koobface botnet's original command and control servers (urodinam(dot)net) is not just currently parked there; another domain is also currently responding on the same IP, this time serving client-side exploits.
This currently spamvertised campaign relies on thousands of automatically generated short URLs, or subdomains at free site hosting services, in an attempt to trick the user into downloading and executing the tax-statement.exe ZeuS crimeware binary.
Just like the Twitter password reset notifications, this campaign once again demonstrates the cybercriminals' interest in (supposedly) increasing the average lifetime of their campaigns by relying on thousands of URLs generated through legitimate services.
According to Sophos Labs, another currently spamvertised campaign is using Changelog_07.06.20010.zip attachments, with the samples detected as Mal/BredoZp-B and Mal/Zbot-U.
A recent update on the post indicates that the spamvertised attachments are now using the correct year. From a social engineering perspective, the campaign -- thankfully -- lacks key features that would have made it a mass marketing success.
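Both patterns described above (one lure binary spread across thousands of short URLs or free-hosting subdomains, and an archive attachment whose name carries an impossible date) are things a mail gateway can score on. The following is an added example, not code from the original post or from any vendor mentioned in it: it runs over a constructed set of message records and flags messages whose executable or archive lure is served from a URL shortener or free hosting domain, clusters lure filenames that appear across many such hosts, and checks attachment names for bogus dates. The host list `LEGIT_MASS_HOSTING`, the sample paths and the thresholds are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import date
from urllib.parse import urlparse

# Constructed sample of mail-gateway records: (subject, body, attachment name or None).
# Hosts other than the named services, and every path, are made up for this example.
SAMPLE_MESSAGES = [
    ("Twitter password reset",
     "Reset here: http://groups.google.com/grp/a1/Twitter_security_model_setup.zip", None),
    ("Your tax statement", "Download: http://bit.ly/x9q2a/tax-statement.exe", None),
    ("Your tax statement", "Download: http://tinyurl.com/k81pz/tax-statement.exe", None),
    ("Your tax statement", "Download: http://acct-review.110mb.com/tax-statement.exe", None),
    ("Your tax statement", "Download: http://tax-docs.freehostia.com/tax-statement.exe", None),
    ("Changelog", "See attached.", "Changelog_07.06.20010.zip"),
    ("Weekly report", "Minutes at http://intranet.example.com/minutes.pdf", None),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Assumption: a short list of URL shorteners and free hosting domains that spam
# campaigns abuse for their clean reputation. A real deployment would use a feed.
LEGIT_MASS_HOSTING = {"bit.ly", "tinyurl.com", "groups.google.com", "110mb.com", "freehostia.com"}
LURE_EXT = (".exe", ".zip", ".scr", ".pif")
DATE_IN_NAME = re.compile(r"(\d{2})\.(\d{2})\.(\d+)")


def host_is_mass_hosting(host):
    """True when the host is, or is a subdomain of, a listed shortener/free-hosting domain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_MASS_HOSTING)


def extract_lure_urls(text):
    """Return (host, filename) for every URL whose last path element looks like a payload."""
    found = []
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        name = parsed.path.rsplit("/", 1)[-1].lower()
        if name.endswith(LURE_EXT):
            found.append((parsed.hostname or "", name))
    return found


def attachment_date_is_bogus(name):
    """True when the name carries a DD.MM.YYYY-style date that cannot exist (e.g. year 20010)."""
    match = DATE_IN_NAME.search(name)
    if not match:
        return False
    day, month, year = (int(g) for g in match.groups())
    try:
        date(year, month, day)
    except ValueError:
        return True
    return not (2000 <= year <= 2100)


def triage_message(subject, body, attachment):
    """Per-message reasons to hold the mail; an empty list means nothing suspicious was found."""
    reasons = []
    for host, name in extract_lure_urls(body):
        if host_is_mass_hosting(host):
            reasons.append(f"payload lure {name} served from mass-hosting domain {host}")
    if attachment and attachment.lower().endswith(LURE_EXT):
        reasons.append(f"archive/executable attachment {attachment}")
        if attachment_date_is_bogus(attachment):
            reasons.append("attachment name carries an impossible date")
    return reasons


def cluster_lures(messages, min_hosts=3):
    """Group lure URLs by payload filename and report names spread across many mass-hosting hosts.

    One filename behind many throwaway hosts is the signature of a campaign that
    auto-generates URLs to outlive blocklisting of any single one.
    """
    hosts_by_name = defaultdict(set)
    for _subject, body, _attachment in messages:
        for host, name in extract_lure_urls(body):
            hosts_by_name[name].add(host)
    return {
        name: sorted(hosts)
        for name, hosts in hosts_by_name.items()
        if len(hosts) >= min_hosts and all(host_is_mass_hosting(h) for h in hosts)
    }


if __name__ == "__main__":
    for record in SAMPLE_MESSAGES:
        print(record[0], "->", triage_message(*record) or "clean")
    print("campaign clusters:", cluster_lures(SAMPLE_MESSAGES))
```

The per-message check catches the Google Groups lure on its own; the clustering pass is what surfaces the tax-statement.exe campaign as a single event even though every message points at a different host, which is the view a blocklist keyed on individual URLs never gives you.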
Cybercriminals are constantly busy looking for new ways, or tweaking the old ones, with a single idea in mind: infecting as many hosts as efficiently as possible. Understanding how they operate and what makes the cybercrime ecosystem work is crucial to protecting yourself against the campaigns scheduled for tomorrow.