An email campaign that’s spreading the Zeus banking trojan is using a new tactic: making use of compromised .edu domains.
“Why is delivering malware from a university domain such an interesting tactic? Most universities can be trusted to send legitimate emails, so their IP addresses don’t make it onto vendor blacklists,” explained Ronnie Tokazowski at PhishMe, in a blog. “And universities typically have faster Internet to accommodate the large number of students accessing the web, streaming Netflix and gaming online.”
Tokazowski said that PhishMe became aware of the campaign when a raft of suspicious emails pointed to a new, larger-scale attack. The .edu address stuck out amid the rest of the phishing traffic.
The university used in this wave of attacks currently has between 25,000-30,000 enrolled students, he added.
“Lots of bandwidth from a trustworthy source gives attackers an appealing platform to use to deliver malware,” said Tokazowski. “In this case, the attackers may not have directly attacked the university, but could have compromised a system which just so happened to reside at the university.
For this attack, attackers used a zip file which contained an executable — not a new technique by any means. For indicators of compromise, an enterprise can search for traffic going to the 155 IP address, emails based off of the subject, or emails coming from the Hotmail account, according to the analysis.