SOURCE: Marshal

July 17, 2008 09:20 ET

Malicious Spammers Deliver Fake UPS Invoices

Pushdo Botnet Attempts to Trick Recipients Into Downloading Malicious Components From Web, According to Marshal's TRACE Team

ATLANTA, GA--(Marketwire - July 17, 2008) - Malicious spammers have used fake United Parcel Service (UPS) invoices to distribute malware as part of the latest social engineering ploy to fool unsuspecting recipients into downloading malicious components from the Web. The new ploy, used in malicious spam emails coming from the Pushdo botnet, claims to be from UPS and asks recipients to print out a fictitious invoice to claim a package that could not be delivered.

According to security experts from Marshal's TRACE Team, this latest piece of malicious spam incorporates several elements designed to make the message appear authentic and trick recipients into opening an attached executable file.

"For the unwary or uninitiated, at first glance, the message appears to come from UPS," warned Phil Hay, lead threat analyst for Marshal's TRACE Team. "The subject line of the message provides a seemingly official tracking number and the message itself seems sincere. It suggests that UPS could not deliver a package because the delivery address you provided was incorrect. The message asks you to print out an invoice and go to the UPS office to collect the package. However, the purpose of the message is malicious. If the attachment is opened, a program will be installed that downloads more malicious components from the Web."

The message includes a ZIP file attachment called 'ups_invoice.zip'. According to Marshal, the Pushdo botnet often uses ZIP archive files as attachments to try to hide malicious executable files from automatic email filters. The file inside the ZIP is called 'ups_invoice.exe' but displays a Microsoft Word icon in an attempt to make it appear like a harmless Word document.

"The message itself is full of mistakes and poor grammar, which gives it away as illegitimate and malicious," said Hay. "The subject line misspells the word 'packet' and the message provides no contact address for the supposed collection of the package. These kinds of errors should trigger alarm bells with security conscious recipients, even if they have recently ordered a package to be shipped by UPS."

The Pushdo botnet (aka Cutwail) is estimated to comprise 125,000 infected computers and distribute some 16 billion spam messages per day. According to Marshal's statistics, Pushdo is currently the fourth largest botnet in terms of spam volume, attributable for 9.7 percent. Marshal's TRACE Team has tracked spam produced by Pushdo since late 2007.

More information and screenshots of the offending message can be found on Marshal's TRACE Centre website -- http://www.marshal.com/trace/traceitem.asp?article=714.

About the Marshal TRACE Team

TRACE (Threat Research and Content Engineering) is a group of Marshal security analysts who constantly monitor and respond to Internet security threats through the TRACE website at www.marshal.com/trace. TRACE services are provided as part of standard product maintenance that includes updates to Marshal's unique, proprietary anti-spam technology, SpamCensor. TRACE analyzes spam, phishing and Internet security trends and provides frequent automated updates to Marshal customers. It also provides "Zero Day" security protection against new email and virus exploits the day they emerge.

About Marshal

Marshal is a global leader in content security across multiple protocols, enabling organizations to secure their IT environment, protect against threats and comply with corporate governance needs. Marshal provides customers with a complete portfolio of policy-driven email and Internet solutions that integrate content filtering, compliance, secure messaging and archiving. Forty percent of the Global Fortune 500 companies use Marshal security solutions to secure their corporate messaging networks and Web access against internal abuse and external threats such as viruses, spam and malicious code. More than 7 million users in over 18,000 companies worldwide use Marshal solutions to protect their networks, employees, business assets and corporate reputation and to comply with corporate governance legislation requirements.

Marshal's Americas headquarters is in Atlanta, Georgia, with corporate headquarters in London (UK) and offices in Auckland (New Zealand), Houston (USA), Johannesburg (South Africa), Munich (Germany), Paris (France) and Sydney (Australia). More information is available at www.marshal.com.

Contact Information