The botnet's masterminds are hoping to take over a lot of devices

Dec 2, 2011 12:49 GMT

Security experts have noticed that the botnet known as Pushdo or Cutwail, which has been making the rounds since 2007, is now running a spam campaign in search of new devices it can infect.

Airline ticket orders, ACH alerts, Facebook notifications and even emails that claim to carry scanned documents can hide malicious links that redirect users to malware hosted at a variety of web locations, reports M86 Security Labs.

The most dangerous variant is the one that perfectly replicates a Facebook friend request. The email contains only a user's name and two buttons, Confirm Friend Request and See all Requests. When either one is pressed, the victim is taken to a rogue website that hosts malicious code.

Phony messages claiming that an airplane ticket was purchased with the recipient's credit card are also used in this spam campaign. Again, when the More details link is clicked, the unsuspecting user is taken to another malicious site.

Unfortunately, the number of hosting locations is very large, and security solution providers have a hard time making sure their products block all of them. In some cases the sites may even be legitimate ones that have been compromised by the cybercriminals and seeded with the same malware.

The ACH messages are not new, and hopefully Internet users know by now that they should be avoided, but the emails that pretend to carry scanned documents could be a real problem, especially in office environments.

Emails that appear to come from co-workers and claim to contain an image scanned by a device inside the office building should be treated with the highest suspicion, particularly since the sender address can easily be spoofed to make the message look genuine.

The most curious thing about this spamming operation is that none of the emails contains an attachment; instead, each carries a link that points to a malware-infested site.