Fake ImageShack emails lead to Zbot variant

Emails posing as registration notifications from the popular free image hosting website ImageShack are hitting inboxes, trying to get users to follow a link to a malicious website where a Zbot variant is offered for download.

At first glance, they look pretty legitimate, but a second glance at the offered registration link reveals that the target page does not belong to ImageShack.

Another clue that the email might be fake is the provided username and password. Sunbelt's Chris Boyd received the email in question and remarks that he would never use the given combination of username and password, even if he had registered with the service.

The offered link belongs to an Australian art gallery whose website was probably compromised, and presents to the user the following request:

The file in question is, of course, the Zbot variant I mentioned in the beginning. Luckily for potential victims, the great majority of security solutions are able to detect this particular variant, which has been removed in the meantime.

But Boyd says that users should still be careful about visiting the site, since “there’s still some iframe activity taking place”. He also advises users to be careful of such emails in the future, because it is likely that criminals will be sending out the same email – albeit with a different malicious link, pointing to different malware and using a different exploit.

When in doubt whether you have signed up for something, it’s better to just delete the email.
