Imageshack spam leads to Zbot infection
- Monday, July 26, 2010, 2:14
- Threat Research
Over the weekend, spam started appearing in mailboxes that claimed to be an Imageshack registration notification.
That’s great, but I hadn’t registered - and certainly not with that username / password combination. A quick Google for the Forsight domain (pre-compromise) reveals it to be an art gallery, so it is unfortunate that, either by accident or by design, the bottom of the spam mail says the following:
Visiting the link in the mail would bring end-users to the following fake “install to continue” message:
Installing the file would land the unsuspecting victim with a Zbot infection, not the best way to spend your weekend. Detection for this particular file is good (39/42 on VirusTotal). The site owners have apparently removed the executable, but there is still iframe activity on the page, so it is probably best to avoid the URL for the time being.
One final thing to note – the “Please update your flash player” graphic the attackers are using? It is not hosted on the compromised site at all; they’re hotlinking an image from the Coca Cola website.
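The two tells described above, a lingering iframe on the compromised page and a lure graphic hotlinked from an unrelated site, are easy to check for once you have a copy of the page HTML. The script below is an added example and is not code from the original post or from the campaign; the page URL, hostnames and file names in the constructed sample are placeholders, not the real domains involved. It flags iframes that are hidden or point off-site, links to executable downloads, and images served from a host other than the page's own.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page modelled on the fake "install to continue" lure
# described above. Hosts and paths are placeholders, not the real campaign.
PAGE_URL = "http://gallery.example/images/index.html"
SAMPLE_HTML = """
<html><body>
<img src="http://brand-site.example/assets/update_flash.png" alt="Please update your flash player">
<p>Please install the update to continue.</p>
<a href="/images/flashupdate.exe">Install</a>
<iframe src="http://redirector.example/in.cgi?3" width="0" height="0"
        style="display:none"></iframe>
<iframe src="/gallery/preview.html" width="400" height="300"></iframe>
</body></html>
"""

# Extensions that should never be offered as an "update" from a gallery site.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat")


def _is_hidden(attrs):
    """True when the tag's own attributes try to make it invisible."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        return int(attrs.get("width", 1)) <= 1 or int(attrs.get("height", 1)) <= 1
    except ValueError:
        return False


class LureScanner(HTMLParser):
    """Collects (kind, url, reason) findings while parsing one page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).netloc.lower()
        self.findings = []

    def _host(self, url):
        # Resolve relative URLs against the page so same-site links compare equal.
        return urlparse(urljoin(self.page_url, url)).netloc.lower()

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "iframe" and a.get("src"):
            reasons = []
            if _is_hidden(a):
                reasons.append("hidden")
            if self._host(a["src"]) != self.page_host:
                reasons.append("off-site")
            if reasons:
                self.findings.append(("iframe", a["src"], "+".join(reasons)))
        elif tag == "a" and a.get("href", "").lower().endswith(EXECUTABLE_EXTENSIONS):
            self.findings.append(("download", a["href"], "executable"))
        elif tag == "img" and a.get("src") and self._host(a["src"]) != self.page_host:
            self.findings.append(("img", a["src"], "hotlinked"))


def scan(html, page_url):
    """Return the list of suspicious elements found in `html` served at `page_url`."""
    parser = LureScanner(page_url)
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for kind, url, why in scan(SAMPLE_HTML, PAGE_URL):
        print(f"{kind:8} {why:16} {url}")
```

A visible, same-site iframe (the gallery preview in the sample) produces no finding, so the check is driven by the combination of hiding and off-site sourcing rather than by the mere presence of an iframe. Feeding the scanner the saved HTML of a page rather than fetching it live keeps the analyst's machine away from the redirector chain.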
The text in the box seems to match the overall (continue reading...)