Today we’ve got something new for Dropbox users to watch out for: a new spam campaign spreading the Zeus Trojan. The domain dynamooblog.ru caught our eye on Oct 18th, when it triggered one of our data-driven predictive engines that monitor spikes in traffic. Notice how the volume of queries to the site surged from zero to several hundred in a matter of minutes.
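To illustrate the kind of surge such an engine reacts to, here is an added example written for this post (not OpenDNS's own engine) that buckets DNS query records per domain per minute and flags any domain whose volume jumps from a near-zero baseline to hundreds of queries in a single minute. The domain names and traffic in `constructed_sample()` are constructed for the demonstration; it also shows why a domain that is simply busy from the first line of the log must not be mistaken for a spike.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def bucket_by_minute(records):
    """Count queries per domain per minute from (iso_timestamp, domain) pairs."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, domain in records:
        minute = datetime.fromisoformat(ts).replace(second=0, microsecond=0)
        counts[domain][minute] += 1
    return counts

def find_spikes(records, baseline_minutes=60, baseline_max=5, spike_min=100):
    """Return (domain, minute, count) for each domain whose per-minute query
    volume jumps from a near-zero baseline (at most baseline_max queries over
    the preceding baseline_minutes) to spike_min or more queries in one minute.
    Minutes before a full baseline window has been observed are skipped, so a
    domain that is merely busy from the first line of the log is not flagged."""
    counts = bucket_by_minute(records)
    if not counts:
        return []
    first_seen = min(min(per_minute) for per_minute in counts.values())
    alerts = []
    for domain, per_minute in counts.items():
        for m in sorted(per_minute):
            if m < first_seen + timedelta(minutes=baseline_minutes):
                continue
            window_start = m - timedelta(minutes=baseline_minutes)
            baseline = sum(c for t, c in per_minute.items() if window_start <= t < m)
            if baseline <= baseline_max and per_minute[m] >= spike_min:
                alerts.append((domain, m.isoformat(), per_minute[m]))
                break  # one alert per domain is enough to queue it for review
    return alerts

def constructed_sample():
    """Constructed traffic, not real data: a quiet domain, a permanently busy
    domain, and a lookalike that goes from zero to 300 queries a minute."""
    base = datetime(2013, 10, 18, 14, 0)
    records = []
    for i in range(120):
        t = base + timedelta(minutes=i)
        records.append((t.isoformat(), "quiet.example"))
        records += [(t.isoformat(), "busy.example")] * 200
        if i >= 90:  # first query to the lookalike domain arrives at 15:30
            records += [(t.isoformat(), "dynamooblog.ru")] * 300
    return records

if __name__ == "__main__":
    for domain, minute, count in find_spikes(constructed_sample()):
        print(f"{domain}: {count} queries/min at {minute}, none before")
```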

The domain bears a resemblance to the site of our long-time friend @ConradLongmore, blog.dynamoo.com, but he confirmed that dynamooblog.ru is not associated with him.

Later that day, Conrad confirmed that the site is associated with a Dropbox spam campaign that leads to Zeus Trojan infections. Conrad recently exposed a Pinterest spam campaign, so it is actually rather sweet that the spam operators referenced his blog in the domain used for this Dropbox campaign.

A quick analysis of the network entities involved led us to other domains of interest, which we can show here in a graph for our readers to enjoy. Three other domains use the same fast-flux network; consider them part of the same gang.

These domains and their associated domains have been blocked for OpenDNS customers since the phishing/malware campaign first broke out on Oct 18th, so our users can rest assured that they are safe.
