Malicious Spammers Deliver Fake UPS Invoices

Pushdo Botnet Attempts to Trick Recipients Into Downloading Malicious Components From Web, According to Marshal’s TRACE Team

ATLANTA, GA–(EMWNews – July 17, 2008) – Malicious spammers have used fake United Parcel

Service (UPS) invoices to distribute malware as part of the latest social

engineering ploy to fool unsuspecting recipients into downloading malicious

components from the Web. The new ploy, used in malicious spam emails coming

from the Pushdo botnet, claims to be from UPS and asks recipients to print

out a fictitious invoice to claim a package that could not be delivered.

According to security experts from Marshal’s TRACE Team, this latest

piece of malicious spam incorporates several elements designed to make the

message appear authentic and trick recipients into opening an attached

executable file.

“For the unwary or uninitiated, at first glance, the message appears to

come from UPS,” warned Phil Hay, lead threat analyst for Marshal’s TRACE

Team. “The subject line of the message provides a seemingly official

tracking number and the message itself seems sincere. It suggests that UPS

could not deliver a package because the delivery address you provided was

incorrect. The message asks you to print out an invoice and go to the UPS

office to collect the package. However, the purpose of the message is

malicious. If the attachment is opened, a program will be installed that

downloads more malicious components from the Web.”

The message includes a ZIP file attachment called ‘ups_invoice.zip’.

According to Marshal, the Pushdo botnet often uses ZIP archive files as

attachments to try to hide malicious executable files from automatic email

filters. The file inside the ZIP is called ‘ups_invoice.exe’ but displays a

Microsoft Word icon in an attempt to make it appear like a harmless Word

document.

“The message itself is full of mistakes and poor grammar, which gives it

away as illegitimate and malicious,” said Hay. “The subject line misspells

the word ‘packet’ and the message provides no contact address for the

supposed collection of the package. These kinds of errors should trigger

alarm bells with security conscious recipients, even if they have recently

ordered a package to be shipped by UPS.”

The Pushdo botnet (aka Cutwail) is estimated to comprise 125,000 infected

computers and distribute some 16 billion spam messages per day. According

to Marshal’s statistics, Pushdo is currently the fourth largest botnet in

terms of spam volume, attributable for 9.7 percent. Marshal’s TRACE Team

has tracked spam produced by Pushdo since late 2007.

More information and screenshots of the offending message can be found on

Marshal’s TRACE Centre website —

http://www.marshal.com/trace/traceitem.asp?article=714.

About the Marshal TRACE Team

TRACE (Threat Research and Content Engineering) is a group of Marshal

security analysts who constantly monitor and respond to Internet security

threats through the TRACE website at www.marshal.com/trace. TRACE services

are provided as part of standard product maintenance that includes updates

to Marshal’s unique, proprietary anti-spam technology, SpamCensor. TRACE

analyzes spam, phishing and Internet security trends and provides frequent

automated updates to Marshal customers. It also provides “Zero Day”

security protection against new email and virus exploits the day they

emerge.

About Marshal

Marshal is a global leader in content security across multiple protocols,

enabling organizations to secure their IT environment, protect against

threats and comply with corporate governance needs. Marshal provides

customers with a complete portfolio of policy-driven email and Internet

solutions that integrate content filtering, compliance, secure messaging

and archiving. Forty percent of the Global Fortune 500 companies use

Marshal security solutions to secure their corporate messaging networks and

Web access against internal abuse and external threats such as viruses,

spam and malicious code. More than 7 million users in over 18,000 companies

worldwide use Marshal solutions to protect their networks, employees,

business assets and corporate reputation and to comply with corporate

governance legislation requirements.

Marshal’s Americas headquarters is in Atlanta, Georgia, with corporate

headquarters in London (UK) and offices in Auckland (New Zealand), Houston

(USA), Johannesburg (South Africa), Munich (Germany), Paris (France) and

Sydney (Australia). More information is available at www.marshal.com.