Asprox botnet uses free pizza as phishing bait
Spam emails promising free pizza are being used to entice users to click on a link contained within the email, as shown in Figure A. Unfortunately the only free item provided is a.zip file that adds the victim PC to the Asprox botnet.
The reason given for the free pizza is ostensibly to celebrate Pizza Hut’s 55th anniversary. This is a factual error; Pizza Hut is actually 58 years old. Aside from the anniversary error, the spam email is a convincing facsimile of a Pizza Hut email.
Mousing over the link in the email shows a domain name that is similar, but not quite the same as the genuine Pizza Hut domain. CloudMark state in a blog post that the user should “make sure that the URL goes to https://pizzahut.com/ and not https://pizzahut.com.[some random hacked domain].cn/”.
If the user follows the link they are led to a malicious site that downloads a .zip file. The .zip file contains a Windows executable that will add the PC to the Asprox botnet. The malware will also search a victim PC to check for login credentials to email accounts. Worse, it can download other malware (including ransomware), with the aim of conducting fraudulent activities by stealing banking login credentials.
Asprox (also known as Kuluoz) has been present since around 2008. The Asprox botnet spreads via spam email containing infected attachments or links to malicious sites. It can also spread via direct injection SQL attacks on websites. Once a website is compromised it can be used to conduct attacks on other hosts.
The Asprox campaign has tended to run in a growth and contraction style; this appears to be a deliberate tactic. If the growth rate is too fast, security companies step up efforts to contain the campaign. By limiting the growth, the attackers can fly under the security community radar and operate for extended periods of time.
Phishing emails such as this one are a common occurrence, and the realism of this particular email is proving to be very effective at tricking users. Many users find this email in their spam folder, but move it into their Inbox and open it. This highlights the need to prevent spam email from arriving in the user Inbox in the first place.