Pushdo botnet uses Facebook to spread malicious email attachment

A phony message warns users that their Facebook password has been reset.

Security researchers at M86 Security Labs are warning users of a malicious spam campaign attempting to spread the Pushdo Trojan by targeting Facebook users. 

SearchSecurity.com:

To get security news and tips delivered to your inbox,  click here to sign up for our free newsletter.

Controllers of the Pushdo botnet are sending out phony email messages warning users that their Facebook password has been reset. It tries to lure users into opening an attached file containing a malicious downloader by telling users the attachment contains the new Facebook password.

Facebook has been working to shut down spammers. Last year, the social network won a multimillion judgment against a Canadian man who hacked into the profiles of its members and spammed them with sexually explicit messages. At the time, the company said it hoped the action would deter others from targeting Facebook users. 

Spam, malware:

Massive spam campaign hits Yahoo Groups, LiveJournal: In July, Spammers used automated CAPTCHA-breaking software to set up accounts and use free file storage for links and images. 

3FN.net ISP shutdown interrupts spam campaigns: In June, the shutdown of 3FN.net disrupted the Cutwail Botnet and may have reduced global spam volumes by 15%.

Video: Next generation spam: New threats and new technologies This video examines the evolution of the content security gateway as it evolves beyond just blocking spam and Web filtering.

While traditional email spam messages like the one controlled by the Pushdo botnet continue to be the most lucrative for spammers, some are turning to social networks to conduct more targeted campaigns. The spammers buy and using phished account credentials to use the Facebook accounts to send spam messages to the account holder's friends.

A second spam campaign, purportedly to be coming from the same cybercriminals behind Pushdo, uses the ongoing banking crisis to trick users into clicking a malicious link. The phony email tries to trick victims into believing the message comes from the Federal Deposit Insurance Corporation (FDIC). It claims that the victim's bank has been listed as a failed bank and urges recipients to visit a website, which hosts malicious executable files.

The malicious website contains both PDF and Word documents designed to trick users into downloading the ZBot executable, Gavin Neale, security researcher at M86, wrote in the company blog.

"Over the last several months Pushdo has been spreading ZBot with campaigns that have a strong social engineering component that are backed up with well designed websites and offers the user plausible reasons to run a file," Neale wrote.

According to M86's spam statistics, Pushdo represented about 29.8 of spam messages received in the vendor's spam traps. It was the second largest botnet behind Rustock, which was contained in about 38% of spam messages caught in the vendor's spam traps. 

Pushdo hasn't changed much over the last several years. It follows many of the same themes associated with the Storm botnet, which uses holidays and news events to dupe people into opening infecting emails or clicking on a malicious link. Recent campaigns used Michael Jackson's death.

Most spam messages continue to peddle products rather than push out malware and phishing attacks. According to M86 statistics, spam messages touting healthcare products, such as pharmaceuticals and products, such as watches, software and stationary, made up about 85% of spam messages. Malware and phishing attacks made up 5% of spam.

Dig deeper on Email and Messaging Threats (spam, phishing, instant messaging)

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close