Over the weekend, spam started appearing in mailboxes that claimed to be Imageshack registration notification.
That’s great, but I hadn’t registered – and certainly not with that username / password combination. A quick Google for the Forsight domain (pre compromise) reveals it to be an art gallery, so it is unfortunate that either by accident or design the bottom of the spam mail says the following:
Visiting the link in the mail would bring end-users to the following fake “install to continue” message:
Click to Enlarge
Installing the file would land the unsuspecting victim with a Zbot infection, not the best way to spend your weekend. Detections for this particular file are good (39/42 on VirusTotal) – the site owners have apparently removed the executable, but there’s still some iframe activity taking place so it’s probably best to avoid the URL for the time being.
One final thing to note – the “Please update your flash player” graphic the attackers are using? They’re serving up an image from the Coca Cola website.
Click to Enlarge
The text in the box seems to match the overall stylings of the Coca Cola website – it’s unlikely they’ve been compromised and had this graphic placed there, but we’ve reached out for clarification anyway and will update should we hear anything back.
We detect this file as Trojan.Win32.Generic!BT. While coverage is good for that particular file across most AV products, there’s a good chance we’ll see updated “Imageshack” mails going out with fresh links, files and exploits so please: if you don’t remember signing up to something, don’t let curiosity get the better of you and simply delete the email.
Christopher Boyd