Here at TRACElabs, our spam traps are able to classify spam emails based on the spambot that sent them. One of the most established botnets we have been observing is Pushdo. This botnet sends a wide variety of spam and is particularly active in distributing malicious email. Themes include scams, phishing, social networking, fake invoices and "Valentine's Day" email. In this blog, we list some of the more noteworthy spam themes that Pushdo has sent over the past weeks.
Phishing
Pushdo is currently one of the major botnets responsible for sending phishing spam. For the past few weeks, it has been targeting PayPal, US Bank and Fifth Third Bank customers, luring users into opening links from spam and logging on to legitimate-looking websites. Here are a few samples of phishing email we have received from Pushdo:
Fifth Third Bank Phishing Email
US Bank Phishing
PayPal Phishing
More recently, a Bank of America spam attack was caught by our spam traps, again sent by Pushdo. The email tells you that the automatic installation of a Bank of America certificate failed and needs manual installation. Opening the link from the message body will open a website that provides an "instruction video" on how to install the "certificate". Of course, it needs "Adobeflashplayer.exe" to view it. But please be wary: the executable file is a password-stealing Trojan horse.
Fake Bank of America website
Social Networking
Social networking website brands like Classmates and Facebook are also used by Pushdo. Its modus operandi is to send you a fake video invitation. When you open the link, the website requires you to download a fake video codec or Flash version which, again, is actually a Trojan horse.
Targeting Classmates
Targeting Facebook
Malicious Attachments
Pushdo is one of the few botnets that regularly distributes spam with malicious attachments. Themes vary, but recent themes include fake invoices and airline ticket confirmations. The email usually asks you to open a ZIP-compressed attachment for you to print. The .ZIP attachment contains a password-stealing Trojan horse that hides its appearance by using a Microsoft Excel icon.
Here are a couple of sample emails from our spam traps:
Using Delta Air Line theme
Using United Postal Service theme
Scams
Our spam traps also receive scam emails offering part-time and remote employment. Pushdo uses variations of subject lines like:
- Experience employment: Manager (Remote, part-time vacancy; 2500 USD/month)
- Experience long-term employment: Accountant (Remote, part-time vacancy; 2500 USD/month)
- Part time Manager (Remote vacancy; 2500 USD/month)
- Newly opening Accountant (Remote, part-time vacancy; 2500 USD/month)
- Experience employment: Accountant (Remote, part-time vacancy; 2500 USD/month)
Valentine's Day Theme
And lastly, approximately 20% of the spam Pushdo currently sends is still using a Valentine's Day theme. At least for this botnet, every day is Valentine's Day.
The Pushdo botnet, then, has many strings to its bow, which probably reflects its multiple customers. While it is not the biggest producer of spam, its activity in distributing malicious spam and phishing email ensures that we at TRACE watch it closely.