Today we’ve got something new for Dropbox users to watch out for: a spam campaign spreading the Zeus Trojan. The domain dynamooblog.ru caught our eye on Oct 18th, when it triggered one of our data-driven predictive engines, which monitors for sudden spikes in query volume. Notice how the number of queries to the site surged from zero to several hundred in a matter of minutes.
The domain bears a resemblance to the site of our long-time friend @ConradLongmore, blog.dynamoo.com; he confirmed that dynamooblog.ru is not associated with him.
Later that day, Conrad confirmed that the site is part of a Dropbox-themed spam campaign that leads to Zeus trojan infections. Conrad recently exposed a Pinterest spam campaign, so it is actually rather sweet that the spam operators referenced his blog in the domain used for this Dropbox campaign.
We performed a quick analysis of the network entities involved, which led to other domains of interest; we show them here in a graph for our readers to enjoy. Three other domains use the same fast-flux network, so consider them part of the same gang.
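To make the two techniques above concrete, the spike detection that surfaced dynamooblog.ru and the fast-flux association that tied three more domains to it, here is an added example that is not OpenDNS's engine or any code from this post. It runs over a constructed passive-DNS log (the three related domains are placeholders named flux-a/b/c.example, not the real ones from the campaign; the addresses are RFC 5737 test ranges), flags any domain whose five-minute query count jumps from zero to hundreds, and then groups short-TTL, many-IP domains that answer from a shared address pool. The helper names are hypothetical.

```python
"""Query-spike detection and fast-flux infrastructure clustering over a passive-DNS log.

Added example with constructed data; not OpenDNS's predictive engine.
Record format: (timestamp, qname, answer_ip, ttl_seconds).
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
EPOCH = datetime(2012, 1, 1)  # fixed origin so buckets do not depend on local time


def build_sample_log():
    """Constructed records: one normal site, the campaign domain, three placeholder
    domains on the same flux pool, and a CDN-hosted site with its own pool."""
    t0 = datetime(2012, 10, 18, 9, 0)
    recs = []
    # Normal site: ~20 queries per 5-minute window, single stable IP, long TTL.
    for i in range(24 * 20):
        recs.append((t0 + timedelta(seconds=i * 15), "example.com", "93.184.216.34", 3600))
    # Campaign domain: silent until 10:00, then 300 queries in five minutes, TTL 60,
    # answers rotating through a 40-address pool (203.0.113.0/24 is a test range).
    flux_pool = ["203.0.113.%d" % n for n in range(1, 41)]
    t_spike = t0 + timedelta(hours=1)
    for i in range(300):
        recs.append((t_spike + timedelta(seconds=i), "dynamooblog.ru", flux_pool[i % 40], 60))
    # Placeholder related domains (not the campaign's real ones) served from the same pool.
    for d in ("flux-a.example", "flux-b.example", "flux-c.example"):
        for i in range(40):
            recs.append((t_spike + timedelta(seconds=30 + i), d, flux_pool[(i * 7) % 40], 60))
    # CDN-hosted site: also many IPs and a short TTL, but its own pool and steady volume.
    cdn_pool = ["198.51.100.%d" % n for n in range(1, 21)]
    for i in range(24 * 20):
        recs.append((t0 + timedelta(seconds=i * 15), "cdn-site.example", cdn_pool[i % 20], 60))
    return sorted(recs)


def _bucket(ts, window):
    return (ts - EPOCH) // window


def spike_domains(records, window=WINDOW, threshold=200):
    """Domains whose query count in some window is >= threshold while the previous
    window had zero queries. Returns {qname: count_in_spike_window}."""
    counts = defaultdict(Counter)  # qname -> {bucket_index: queries}
    for ts, qname, _ip, _ttl in records:
        counts[qname][_bucket(ts, window)] += 1
    flagged = {}
    for qname, per_bucket in counts.items():
        for b, n in per_bucket.items():
            if n >= threshold and per_bucket.get(b - 1, 0) == 0:
                flagged[qname] = n
                break
    return flagged


def fastflux_clusters(records, min_ips=10, max_ttl=300):
    """Group flux-like domains (many distinct answer IPs, short TTL) that share at
    least one answer IP; each group is one infrastructure cluster. Union-find over IPs."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for _ts, qname, ip, ttl in records:
        ips[qname].add(ip)
        ttls[qname].append(ttl)
    fluxy = {d for d in ips if len(ips[d]) >= min_ips and max(ttls[d]) <= max_ttl}
    parent = {d: d for d in fluxy}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]
            d = parent[d]
        return d

    by_ip = defaultdict(list)
    for d in fluxy:
        for ip in ips[d]:
            by_ip[ip].append(d)
    for ds in by_ip.values():
        for other in ds[1:]:
            parent[find(other)] = find(ds[0])
    clusters = defaultdict(set)
    for d in fluxy:
        clusters[find(d)].add(d)
    return sorted(sorted(c) for c in clusters.values())


def same_infrastructure(seed, records, **kw):
    """Other domains in the seed's fast-flux cluster, i.e. the rest of the gang."""
    for cluster in fastflux_clusters(records, **kw):
        if seed in cluster:
            return [d for d in cluster if d != seed]
    return []


if __name__ == "__main__":
    log = build_sample_log()
    print("spikes:", spike_domains(log))
    print("clusters:", fastflux_clusters(log))
    print("sharing infrastructure with dynamooblog.ru:", same_infrastructure("dynamooblog.ru", log))
```

Note the caveat the CDN record is there to show: "many IPs plus short TTL" alone also matches legitimate content-delivery hosting, so it is not evidence by itself. What ties the three extra domains to dynamooblog.ru is that they answer from the same rotating address pool, which puts them in the same cluster while the CDN site lands in a cluster of its own.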
These domains and their associated domains have been blocked for OpenDNS customers since the phish/malware campaign first broke out on Oct 18th, so our users can rest assured that they are protected.