This morning I spotted a few messages from my mobile carrier in my email inbox. This was not surprising as, only a few hours prior, I had logged into the carrier’s website to pay the monthly bill. The standard mode of operation for my provider is to receive a bill via email, and a confirmation message after paying the bill, also through email.
Today, however, one message stood out in several ways. First, the subject line was quite different from what I was expecting to see:
Important Account Information from Verizon Wireless TRACK-ID: 15730301098
I was also addressed in the email in a rather peculiar way, “Hello Dear!”. Only my aunt ever calls me “dear”, so I knew it was a phony. Below is a copy of the spammed message:
The spammed messages vary in several elements from recipient to recipient. For instance, the “Total Balance Due” amount differs among samples spotted in the wild, and is padded with a leading zero when the amount is less than 1000:
Total Balance Due: $1589.55
Total Balance Due: $1366.06
Total Balance Due: $0257.93
The subject line is also not fixed and varies among recipients, in at least three different formats:
Subject: Important Account Information from Verizon Wireless TRACK-ID: 70341011278
Subject: Important Account Information from Verizon Wireless TRACK-ID: 12904962494
Subject: Important Account Information from Verizon Wireless, ID: 79PZ0SZ95HCLD
Subject: Important Account Information from Verizon Wireless, ID: OW0ORPE4SGTST
Subject: Important Information from Verizon Wireless, Tue, 6 Dec 2011 16:59:40 +0100
Subject: Important Information from Verizon Wireless, Tue, 6 Dec 2011 20:13:33 +0200
This suggests automation may be at play. The email carries a file attachment as a ZIP archive, commonly named “Verizon-Wireless-Account-StatusNotification_#######.zip”, such as “Verizon-Wireless-Account-StatusNotification_3518066.zip”. Within the attached archive is an executable bearing a similar name, such as “Verizon-Wireless-Account-Status-Notification-Dec-2011.exe” (SHA1: d4b12df0eb31457ad3d2197e9993f16a1f1a53eb).
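As an added example (not part of the original post, and not MMPC tooling), the following Python script turns the indicators described above into a small triage check that a mail administrator could run over exported message metadata: the three subject-line formats, the zero-padded balance amount, the “Hello Dear!” greeting, the attachment naming convention, and the SHA1 of the dropped executable. The sample messages are constructed for the example; the regular expressions generalise from the samples quoted in the post and are an assumption about the campaign's templates, so they may need loosening if the campaign drifts.

```python
import re

# Subject-line templates generalised from the three formats quoted in the post.
# Assumption: TRACK-IDs are 11 digits and alphanumeric IDs are 13 characters,
# as in every sample shown; widen these if new samples differ.
SUBJECT_PATTERNS = [
    re.compile(r"^Important Account Information from Verizon Wireless TRACK-ID: \d{11}$"),
    re.compile(r"^Important Account Information from Verizon Wireless, ID: [A-Z0-9]{13}$"),
    re.compile(
        r"^Important Information from Verizon Wireless, "
        r"\w{3}, \d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}$"
    ),
]

# Attachment naming convention from the post: seven digits before ".zip".
ATTACHMENT_PATTERN = re.compile(
    r"^Verizon-Wireless-Account-StatusNotification_\d{7}\.zip$", re.IGNORECASE
)

# The campaign pads balances under $1000 with a leading zero ($0257.93).
BALANCE_PATTERN = re.compile(r"Total Balance Due: \$(\d+)\.\d{2}")

# SHA1 of the executable inside the archive, as given in the post.
KNOWN_SHA1 = {"d4b12df0eb31457ad3d2197e9993f16a1f1a53eb"}


def classify(msg):
    """Return the list of campaign indicators a message matches.

    `msg` is a dict with optional keys: subject, body, attachments (list of
    file names) and sha1 (hash of the extracted attachment payload).
    An empty list means nothing in the message matched.
    """
    reasons = []
    subject = msg.get("subject", "")
    body = msg.get("body", "")

    for index, pattern in enumerate(SUBJECT_PATTERNS, start=1):
        if pattern.match(subject):
            reasons.append(f"subject matches campaign format {index}")
            break

    for name in msg.get("attachments", []):
        if ATTACHMENT_PATTERN.match(name):
            reasons.append(f"attachment name matches: {name}")

    if "Hello Dear!" in body:
        reasons.append("'Hello Dear!' greeting")

    balance = BALANCE_PATTERN.search(body)
    if balance and len(balance.group(1)) > 1 and balance.group(1).startswith("0"):
        reasons.append("zero-padded balance amount")

    if (msg.get("sha1") or "").lower() in KNOWN_SHA1:
        reasons.append("attachment hash matches known sample")

    return reasons


# Constructed sample messages (not real captures): one built from the
# indicators in the post, one benign carrier bill that should not match.
SAMPLE_MESSAGES = [
    {
        "subject": "Important Account Information from Verizon Wireless TRACK-ID: 15730301098",
        "body": "Hello Dear!\n...\nTotal Balance Due: $0257.93\n",
        "attachments": ["Verizon-Wireless-Account-StatusNotification_3518066.zip"],
        "sha1": "d4b12df0eb31457ad3d2197e9993f16a1f1a53eb",
    },
    {
        "subject": "Your Verizon Wireless bill is ready",
        "body": "Dear Customer,\nTotal Balance Due: $87.14\n",
        "attachments": [],
        "sha1": None,
    },
]


def triage(messages):
    """Pair each message subject with the indicators it matched."""
    return [(m.get("subject", ""), classify(m)) for m in messages]


if __name__ == "__main__":
    for subject, reasons in triage(SAMPLE_MESSAGES):
        verdict = "SUSPICIOUS" if reasons else "no match"
        print(f"{verdict}: {subject}")
        for reason in reasons:
            print(f"    - {reason}")
```

Any single indicator is enough to quarantine the message for a human look; the subject-line and attachment-name checks are the ones most likely to survive small changes to the body text, while the hash check only catches the exact sample noted above.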
While I was writing this article, the spam campaign switched to an Adobe Systems theme:
Adobe Systems Incorporated,
At this time, there is limited detection among vendors – we identify it as PWS:Win32/Zbot.gen!Y. Be wary of messages that may appear to be from known entities and use security software to minimize the chance of infection.
— Patrick Nolan, MMPC