IRS Scam Now Uses Drive-by Exploit

Since September this year, the Pushdo botnet has favored the IRS (Internal Revenue Service) scam campaign. This campaign is merely one of many that Pushdo has been using to distribute the Zbot executable. Today, we have observed an IRS scam campaign with a new twist - the links point to a webpage hosting a PDF drive-by exploit. But the payload is the same old stuff, the exploit downloads the password-stealing Zbot Trojan.

MailMarshal customers are already protected from this spam campaign with SpamCensor 387.