Customers of security firm Trustwave are being targeted by a phishing campaign that masquerades as a PCI DSS compliance scan, the company has warned.
The company said the phishers had copied the template of a real Trustwave scan notification, using it to serve Blackhole Exploit Kit sites targeting common Java, Flash and Reader exploits to infect victims with the Cutwail bot.
As Trustwave notes, Cutwail has been used in recent weeks to target brands such as Facebook, AT&T, Verizon and UPS - pretty standard targets for any phishing gang - although diversifying to specialist security vendors is an interesting development.
Trustwave hasn't indicated how it detected the emails and what portion of its customer base might have received it, but the obvious target is the retail sector that would carry out PCI scans. A spokesperson said it was the first time the company had been targeted.
The main purpose of Cutwail is to recuit more clients for its spam system, but once a system has been compromised in principle other forms of malware could be installed at some point.
"This type of campaign is vintage Cutwail, we see variations of this daily. The timing is uncanny; yesterday we released our annual Global Security Report which highlighted Cutwail as a major distributor of malicious spam," said Trustwave.
The clever part of the campaign is that phishing once directed against consumers is now being wielded to get behind the defence of large organisations where, paradoxically, its turned out to be hard to defend against.
Assuming the email gets through, the Trustwave phish looks highly convincing for an admin already expecting to receive such notifications; only the lack of a target name betrays it.
"These realistic-looking malicious spam campaigns are a major threat. Organizations should be looking at multiple defensive layers to counteract this threat, including secure email gateways, secure web gateways, anti-virus, and last but not least, user education," said Trustwave.