M86 Security Labs

UPS, E-Tickets and More

July 28, 2008

Two weeks ago we reported on the UPS spam being sent by the Pushdo botnet. Since then, there have been several other variations on this theme. The botnet is now also sending spam with a contract theme, an E-ticket theme and a Customs declaration theme. All of these carry a zip file attachment containing an executable file.
Some of the subject lines for each type are:

Contract:

Permit for retirement
Record in debit of account
Rent contract
Your new labour contract
Contract of retirement
Contract of order fulfillment
Contract of settlements
Open an account

E-Ticket:

Your flight ticket
Online order from airplane ticket N4861478730
Your airplane ticket
E-ticket #4821408027

Customs:

Parcel requires declaration
Customs, please read
Your parcel is at the customs office
Customs – We have received a parcel for you

The E-ticket spam pretends to be sent from a number of different airlines.

Emails using this kind of social engineering ploy can often convince people to open the attachment, especially if they are expecting some kind of related email such as a job contract or electronic ticket.

The executable inside the zip attachment has the same icon as an MS Excel file. Running it installs XP Security Center, a rogue anti-spyware program. These programs pretend to scan for spyware and display fake results. The user is then asked to pay to register the program in order to have it remove the spyware it claims to have found.
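
Every variant described above delivers an executable inside a zip attachment, so a mail gateway can check for that structure regardless of subject line. The following is an added example, not code from M86 or MailMarshal: it flags zip members by executable extension or by the "MZ" file header. The extension list, file names and sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs directly; an assumed list, extend for your environment.
EXEC_EXTS = (".exe", ".scr", ".com", ".pif")

def executable_zip_members(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (attachment name, member name) for each executable inside a zip attachment."""
    hits = []
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if not payload.startswith(b"PK"):   # zip magic; ignore the declared MIME type
            continue
        try:
            archive = zipfile.ZipFile(io.BytesIO(payload))
        except zipfile.BadZipFile:
            continue
        for info in archive.infolist():
            if info.flag_bits & 0x1:        # encrypted member: judge by name only
                head = b""
            else:
                with archive.open(info) as fh:
                    head = fh.read(2)
            # "MZ" catches executables renamed to e.g. .xls; the extension catches the rest.
            if head == b"MZ" or info.filename.lower().endswith(EXEC_EXTS):
                hits.append((part.get_filename() or "", info.filename))
    return hits

def build_sample(subject: str, member: str, content: bytes) -> bytes:
    """Constructed test message: one zip attachment holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="attachment.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    stub = b"MZ" + b"\x00" * 62   # harmless bytes that only carry the executable magic
    print(executable_zip_members(build_sample("Your airplane ticket", "e-ticket.exe", stub)))
```

Checking the header as well as the extension matters here because the icon is chosen to make the file look like a spreadsheet; a renamed member would still begin with "MZ".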

The Pushdo botnet is also still sending the fake UPS spam. MailMarshal customers are protected from all of these with SpamCensor 257.


Last Reviewed: July 28, 2008 by Gavin Neale