RSA’s SecurID token users have recently been targeted with fake emails supposedly coming from the US National Security Agency, urging them to update their token code.

The address from which the emails are sent has been spoofed to read “protection@nsa.security.gov”, but the malicious links on offer take the victim to the national-security-agency.com domain, which, according to Cyveillance, was registered only the day before the spam run started.
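The two indicators described above, a sender domain that does not match the domain the links point to and a link domain registered only a day earlier, translate directly into a mail-filter check. The Python below is an added example, not Cyveillance’s or RSA’s tooling: the message text is constructed to mirror the campaign, the registration dates are constructed, and a hypothetical lookup table stands in for a WHOIS/RDAP query.

```python
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the described campaign; not the real email.
SAMPLE_EMAIL = """\
From: RSA SecurID Support <protection@nsa.security.gov>
To: user@example.com
Subject: Critical SecurID token update
Content-Type: text/html

<html><body><p>A critical vulnerability has been discovered in a certain
types of our token devices. Download the update here:
<a href="http://national-security-agency.com/update/token.exe">Update</a></p>
</body></html>
"""

# Constructed dates standing in for a WHOIS/RDAP lookup (hypothetical values).
TODAY = date(2011, 1, 2)
REGISTRATION_DATES = {"national-security-agency.com": date(2011, 1, 1)}

def registrable_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (enough for .com/.gov samples)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyse(raw: str, today: date, max_age_days: int = 30) -> dict:
    """Flag sender/link domain mismatch, newly registered link domains and .exe links."""
    msg = message_from_string(raw)
    sender_domain = registrable_domain(parseaddr(msg["From"])[1].split("@")[-1])
    body = msg.get_payload(decode=True).decode(errors="replace")
    hrefs = re.findall(r'href="([^"]+)"', body)
    link_domains = {registrable_domain(urlparse(u).hostname) for u in hrefs}
    findings = []
    for d in sorted(link_domains):
        if d != sender_domain:
            findings.append(f"link domain {d} does not match sender domain {sender_domain}")
        registered = REGISTRATION_DATES.get(d)
        if registered and (today - registered).days <= max_age_days:
            findings.append(f"link domain {d} registered {(today - registered).days} day(s) ago")
    if re.search(r"\.exe\b", body, re.IGNORECASE):
        findings.append("link points to an executable download")
    return {"sender_domain": sender_domain, "link_domains": sorted(link_domains), "findings": findings}

if __name__ == "__main__":
    for line in analyse(SAMPLE_EMAIL, TODAY)["findings"]:
        print(line)
```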

“A critical vulnerability has been discovered in a certain types of our token devices,” warns the email, counting on the fact that the user is already aware of the RSA hack executed earlier this year and its implications for the security of the company’s SecurID tokens.

The authors of the email also appropriated the NSA and CSS logos to lend the warning an appearance of legitimacy. Fortunately, they paid little attention to the text itself, and a couple of spelling mistakes can easily be spotted by alert users.

Cyveillance doesn’t say explicitly what the “security token update” offered for download is, but it is likely to be a malicious executable.

UPDATE: Appriver’s Troy Gill says that the malware in question is a variant of the Zeus Trojan: