Zbot Social Engineering

Published: 2010-05-02
Last Updated: 2010-05-02 20:59:57 UTC
by Mari Nichols (Version: 1)
9 comment(s)

Have you updated your awareness program lately?  A sample of the new email used to social engineer victims into running the latest Zbot variant crossed my desk recently, and it prompted me to wonder whether our security awareness training had been revised to cover this type of attack.  Do your users know that no one will send a password over clear text?  Do your users know the difference between plain text and encrypted text?

The tactic being used is skillful and easy to fall prey to: the attachment is password-protected so that a mail gateway or desktop antivirus cannot look inside it, and the password that unlocks it is handed to the victim in the body of the same message.  Are your users "aware" of this method?


Dear Prey,

Your account has been deactivated for whatever reason and requires you to download and execute the following file.  The password for the file is 12345.

Thank you for your prompt attention to this Zbot social engineering email! 

Reputable Company


Mari Nichols

Handler on Duty



It doesn't seem to matter how many times one warns users; at some time they will fall prey to skillful social engineering and blindly follow instructions, especially if it superficially appears to come from a reputable or expected source.

The effort to educate users is a lost cause. The industry would be better off employing its time to ensure that users who do fall for socially engineered scams, drive-by downloads, malicious PDFs or any of the myriad other exploits out there are inherently protected against themselves by the design of the software and underlying OS, without having to become a security expert or having to install and maintain a library of third-party software that they neither understand nor have time to learn and configure.

Has the security community become too comfortable in the "blame the user" climate?

It's all too easy to pass the buck onto the end user, and yes, I am as guilty as the next man, but perhaps we need to stop for a moment and reappraise the whole issue.

It is going to take a gifted engineer to come up with something which allows the kind of freedom we enjoy on our PC, while providing us with the ability to perform secure & verifiable transactions.

I think that if we had a distinctly separate (maybe virtualised) environment for each aspect of computing (1) financial and other personal business (2) social (3) entertainment, this would make security easier to manage. This can be done while still being very user friendly.
I also like WOT with Mozilla Firefox. It warned me that something that looked too good to be true was at the http://www.msfn.org/ newsgroups where somebody wanted to know all the 9x machines out there and sell them something for big $$$. I love how it gave a screen that showed me the rating was all red and I knew to get out of there.
I will have to check my history to submit the user to the proper authorities.
"Do your users know that no one will send a password over clear text?"

It would be nice if this were the case. There are still online services where your initial password is emailed to you in clear text. Sometimes this is even a password you have typed in yourself (which makes a good case for not using the same password across services, I might add).

The problem this presents is how do we educate our users properly, when they receive legitimate emails with clear-text passwords?
"Do your users know that no one will send a password over clear text?"

If only that were the only problem. During my studies, my e-mail address was similar to that of one of the technicians. Therefore I received passwords for school systems, closed documents, various user details, etc. When I asked the sender "Why didn't you check the receiver's address?", none of them realised that their behaviour could be (and in a different environment definitely is) dangerous. Since my studies I have realised you have to educate the users again and again. I'm working now in an environment with a small user group, where it is possible to do that. However, how do you deal with that in bigger enterprises?
I actually use a financial website that has emailed my password in clear - several times ... I am banging my head on the table while writing this!

In general though, most users that I have been in contact with, and that's quite a few, are quite vigilant when it comes to doing something on a site they haven't very recently requested something from or had problems with. The exception is kids.

"Do your users know that no one will send a password over clear text?"

At $WORK, our customers regularly send us AES-256 encrypted ZIP files as email attachments -- with the password in the cleartext body of the email.

Talk about people unclear on the concept.
It reminds me of how people will paste login passwords underneath their keyboard or computer, or on the back of the computer monitor, or on the side or back of the computer. People should realize that this is no better than having no security at all, and perhaps worse, because a thief might be more interested if something is password protected and then easily accessible. Please, people, consider carrying an encrypted flash drive with you of the passwords that you value as highly as your wallet, or even more highly, to help prevent it from being lost.
It's not just the users, it's the administrators. I've seen plenty of "legitimate" emails sent out with passwords in them.

I think the best approach to hinder these social engineering attempts is to use email content filtering to quarantine any attached files that can't be scanned.
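The filtering suggested in the comment above, applied to the lure quoted in the diary, as an added example that is not code from the diary or from any commenter. It parses a raw mail, flags ZIP attachments whose entries carry the encryption bit (the case a gateway scanner cannot open), looks for a password handed over in the clear-text body, and quarantines when both occur. The sample message, the archive, the sender and recipient addresses, the password regex and the verdict labels are all constructed for this example; since the Python standard library cannot write encrypted ZIPs, the example sets the encryption flag in the archive headers by hand instead of really enciphering the entry.

```python
"""Quarantine check for the lure in the diary: a password-protected archive
attached to a mail whose body hands over the password in clear text.

Added example, not code from the ISC diary or its commenters.  The message,
archive and addresses are constructed inline; the password regex and the
verdict labels are this example's own assumptions.
"""
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage
from typing import Optional

# Bit 0 of the ZIP "general purpose bit flag" marks an entry as encrypted.
ZIP_ENCRYPTED_FLAG = 0x1

# Phrases a lure uses to hand over the archive password, e.g.
# "The password for the file is 12345" or "Password: hunter2".
# Assumption: English-language mail; extend the pattern for other languages.
PASSWORD_RE = re.compile(
    r"password\s*(?:for\s+the\s+(?:file|archive|attachment)\s+)?(?:is|:)\s*([^\s.,;]+)",
    re.IGNORECASE,
)


def build_zip(member: str, payload: bytes, encrypted: bool = False) -> bytes:
    """Return a single-entry ZIP, optionally marked as password-protected.

    The stdlib cannot write encrypted archives, so for encrypted=True this
    writes a plain archive and sets bit 0 of the flag word in the local file
    header (offset 6) and in the central directory entry (offset 8).  The
    entry is not really enciphered, but the headers are what a scanner sees
    before it needs the password.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        data[data.find(b"PK\x03\x04") + 6] |= ZIP_ENCRYPTED_FLAG
        data[data.find(b"PK\x01\x02") + 8] |= ZIP_ENCRYPTED_FLAG
    return bytes(data)


def build_mail(body: str, archive: Optional[bytes], name: str = "statement.zip") -> bytes:
    """Constructed sample message; the addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "noreply@reputable-company.example"
    msg["To"] = "prey@victim.example"
    msg["Subject"] = "Your account has been deactivated"
    msg.set_content(body)
    if archive is not None:
        msg.add_attachment(archive, maintype="application", subtype="zip", filename=name)
    return msg.as_bytes()


def archive_is_unscannable(blob: bytes) -> bool:
    """True if the ZIP has an encrypted entry or cannot be parsed at all."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(info.flag_bits & ZIP_ENCRYPTED_FLAG for info in zf.infolist())
    except zipfile.BadZipFile:
        return True  # malformed or obfuscated: antivirus cannot look inside either


def find_cleartext_passwords(body: str) -> list:
    """Passwords handed over in the message body."""
    return PASSWORD_RE.findall(body)


def triage(raw: bytes) -> dict:
    """Decide what a content filter should do with one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    passwords = find_cleartext_passwords(body)
    unscannable = []
    for part in msg.iter_attachments():
        blob = part.get_payload(decode=True)
        name = part.get_filename() or "(unnamed)"
        looks_like_zip = name.lower().endswith(".zip") or (blob or b"")[:4] == b"PK\x03\x04"
        if blob and looks_like_zip and archive_is_unscannable(blob):
            unscannable.append(name)
    if unscannable and passwords:
        verdict = "quarantine"  # the lure: unscannable archive plus its key in the body
    elif unscannable:
        verdict = "hold"        # cannot be scanned; release only after manual review
    else:
        verdict = "deliver"
    return {"verdict": verdict, "unscannable": unscannable, "passwords": passwords}


# Constructed lure body, modelled on the message quoted in the diary.
LURE_BODY = (
    "Dear Prey,\n\nYour account has been deactivated and requires you to download "
    "and execute the following file. The password for the file is 12345.\n"
)

if __name__ == "__main__":
    lure = build_mail(LURE_BODY, build_zip("statement.exe", b"not really malware", encrypted=True))
    print(triage(lure))
    print(triage(build_mail("Q3 report attached.\n", build_zip("report.txt", b"quarterly numbers"))))
```

The "hold" verdict is the part worth keeping even if the password heuristic is dropped: an archive the gateway cannot open has no business reaching an inbox unreviewed, whether or not the key travels in the same message. Legitimate senders who must ship encrypted archives (the customers in the comment above) can be whitelisted, which is a far smaller list than every user who might click.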
