Fraud News Flash: Bogus Ad for Zeus-SpyEye Hybrid Trojan published in Underground Forum
On Friday, January 14, 2011, McAfee posted a blog entry titled “Combined Zeus/SpyEye Toolkit Announced”, based on a fraud forum post by “Hardersell”, in which this individual supposedly offers the much-anticipated SpyEye-Zeus hybrid Trojan for sale. Hardersell’s comments were published in an open, low-grade Russian-speaking hacking/carding forum, which makes them less credible than posts in the more prestigious, exclusive, closed Russian-speaking forums. For screenshots of the original post, traced in an open forum, see Figures 1 – 3 below.
Figure 1: Original Bogus Announcement posted in Russian-Speaking Fraudster Forum (Part 1 of 3)
Figure 2: Original Bogus Announcement posted in Russian-Speaking Fraudster Forum (Part 2 of 3)
Figure 3: Original Bogus Announcement posted in Russian-Speaking Fraudster Forum (Part 3 of 3)
While McAfee suggests that the advertised hybrid Trojan may be nothing more than a hoax, the blog did manage to draw a flood of comments and create confusion among members of various fraudster forums.
- In a thread showing related chatter in an English-speaking forum, fraudsters discuss whether the announcement is real and conclude the ad for the hybrid Trojan is fake (Figures 4 – 7 below).
- Moreover, the influx of rumors in underground forums elicited a statement from “Harderman,” via an instant-messaging chat, to the effect that the ad for the hybrid Trojan is completely false.
Despite the confusion, it seems that Hardersell may be deliberately attempting to mislead forum members into believing that “Harderman”, aka “Gribodemon,” the real author of SpyEye, is behind the release of the hybrid Trojan offered for sale. As we previously reported, “Harderman” was recently granted the entire Zeus code from the Zeus Trojan author, Slavik.
Based on these findings, we strongly believe that the hybrid Trojan, whose future debut was announced in October 2010, has yet to be released.
Figure 4: Thread from English-Speaking Fraudster Forum (Part 1 of 4)
Figure 5: Thread from English-Speaking Fraudster Forum (Part 2 of 4)
Figure 6: Thread from English-Speaking Fraudster Forum (Part 3 of 4)
Figure 7: Thread from English-Speaking Fraudster Forum (Part 4 of 4)












