Email message looks genuine, save for a small snag

Oct 30, 2014 00:55 GMT

Cybercriminals operating the Asprox/Kuluoz botnet are trying to replenish the number of infected computers by baiting potential victims with the promise of a coupon that can be used in any Pizza Hut restaurant to get a free meal.

Many would think that they would not fall for the “free coupon” lure, but in this campaign the email looks genuine and could fool even the more suspicious users.

Researchers at Cloudmark identified the new campaign on Tuesday and after analyzing the payload, they determined that it was an effort to expand the Asprox botnet, also known as Kuluoz.

A simple fact check should reveal the fraud

The offer of the free Pizza Hut coupon comes as a promotion from the restaurant celebrating its 55th anniversary; but as Cloudmark noticed, the restaurant was founded in 1956, making it 58 years old, a fact that is not known or verified by the potential victims.

This is actually one of the few clues that the offer in the email is not to be trusted, because none of the other elements of the message betrays the deceit; there is even a deadline for claiming the voucher, set for November 5.

After clicking on the provided link, “you do not get a coupon for free pizza – you get a .zip file containing a Windows executable which will make you part of a malicious botnet called Asprox or Kuluoz,” Andrew Conway from Cloudmark writes in a blog post.

Asprox bot number changes constantly

The botnet has been around since 2008, and its size changes constantly. It is used for all types of nefarious activities, from distributing spam to spreading Trojans and carrying out click fraud.

It is also leveraged to scan the Internet for web servers vulnerable to SQL injection attacks. These, in turn, are used to infect other workstations, ensuring the Asprox operators a vast network of computers at their disposal.

“Everybody wants to believe in free pizza. We are seeing an unusually high number of people taking this email out of their spam folders. Users are more than four times more likely to take this out of their spam folder than the largest recent malware spam campaign which claimed to be a notice to appear in court,” Conway writes.

However, users should be more suspicious of unsolicited emails, especially if they promise free stuff. A simple way to make sure they land on the right web page is to check the web address, which, in the case of Pizza Hut, should be http://pizzahut.com/, the researcher advises.