Incident Response, Malware, TDR

Email promises free pizza, ensnares victims in Asprox botnet instead

Security company Cloudmark recently came upon an email that offers up a free pizza from a recognized and popular international franchise, but clicking on the link to get the coupon ends with victims being ensnared in a botnet.

A copy of the fairly authentic looking email was included in a Wednesday post by Andrew Conway, a research analyst at Cloudmark. The message states that Pizza Hut is celebrating its 55th anniversary and the recipient can click a link to get a coupon for a free Personal Pan Pizza in any of its restaurants.

The biggest giveaway to the scam is that Pizza Hut was founded in 1956, making the company 58 years old, Conway noted in the post. Clicking the link for the coupon downloads a ZIP file containing a Windows executable that ensnares recipients in the Asprox botnet, also known as Kuluoz.

Systems that are part of the Asprox botnet – which has been around since 2008 – are used to send spam, including the spam that further spreads the malware, as well commercial spam, such as fake pharmacies, Conway told in a Friday email correspondence.

“There is spyware included – the malware attempts to obtain the credentials for your email account, and any FTP and web servers you may access,” Conway said. “Finally, the malware can install other programs on your computer, including software intended to compromise your bank account or hold your data [for] ransom.”

Asprox has two methods of propagation, directly by trojans in spam emails and in drive-by attacks from compromised websites, Conway said, explaining that the botmasters are deliberately limiting the growth rate so as not to attract takedown attempts.

“So far Cloudmark has blocked more than five million of these messages,” Conway said. “If they are hitting other email services in equal numbers, the total sent is probably in the teens or low tens of millions.”

The Pizza Hut email is convincing in that it does not contain glaring spelling and grammatical errors, has reasonable Pizza Hut branding, and also contains a copyright notice, but it falls a bit short considering the link does not direct to the Pizza Hut website and the deliverable is a ZIP file, which is bad, that contains a .exe file, which is worse, Conway said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.