Pushdo Distributing Malicious VISA Statements
Bradley Anstis, 15/12/2009, posted in "Analysis"
Bradley Anstis is Director of Technology Strategy at M86 Security. Bradley has been with M86 Security (formerly Marshal) since early 2004. He re-established Marshal's R&D centre following the management buy-out from NetIQ. As VP of Technology Strategy he is responsible for the development and improvement of M86 Security solutions, ensuring that M86 Security keeps ahead of emerging security trends and market requirements. Bradley is a 20-year veteran of the IT industry and previously held technical management positions with Protocom Development Systems and Citrix.
Pushdo has moved on to yet another blended-threat campaign designed to install the Zeus Trojan horse onto users' PCs. Over recent months Pushdo has conducted a number of different email campaigns, many of which we have previously written about on this blog. This time the theme is a VISA card alert: the recipient of the spam email is told that a possibly fraudulent transaction has been made. Users receive an email with one of the following or similar subjects:
possible fraudulent transaction and/or collusion
possible fraudulent transaction has been executed with your VISA card
VISA card 4XXX XXXX XXXX XXXX: possible fraudulent transaction # 29209782000
VISA card 4XXX-XXXX-XXXX-XXXX: possible fraudulent transaction ID 16891657070
The country in which the email claims your VISA card was used (Egypt in the example above) changes from email to email. The link in the email does not go to visa.com but to one of over 190 domains hosting the web page shown below.
The page asks you to download an electronic report for your VISA card. This 'report', named cardstatement.exe, is the Zeus (Zbot) Trojan horse. The page also contains an IFRAME pointing to audiodrv7.com which, when we loaded the fake VISA page, caused the browser to pop up a download request for the file pdf.pdf.
This was a malicious PDF file that contained exploits for three Adobe Reader vulnerabilities.
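The indicators in this post (a fraud-alert subject line with a masked card number, a "statement" link that does not lead to visa.com, a landing page offering an .exe and carrying a third-party IFRAME) are easy to turn into mail-gateway and proxy checks. The Python below is an added example written for this page, not M86 code or a tool the post mentions: it parses a constructed sample email and a constructed landing page and reports each of those indicators. The host names lure.example and iframe-host.example are placeholders, and the rule that only visa.com is a trusted link destination is an assumption for the example.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# The subject lines reported in the post reduce to the lure phrase itself
# and, in some variants, a masked VISA card number (4XXX XXXX XXXX XXXX).
SUBJECT_RE = re.compile(r"possible fraudulent transaction", re.IGNORECASE)
MASKED_CARD_RE = re.compile(r"\b4X{3}[ -]X{4}[ -]X{4}[ -]X{4}\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Assumption for this example: a genuine VISA notice links only here.
TRUSTED_HOSTS = ("visa.com",)


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_trusted(host: str) -> bool:
    # Exact match or a true subdomain; "visa.com.evil.example" must not pass.
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


class _TagCollector(HTMLParser):
    """Collect <a href> and <iframe src> targets from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links, self.iframes = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])


def collect_targets(html: str):
    p = _TagCollector()
    p.feed(html)
    return p.links, p.iframes


def classify_email(raw: str) -> list:
    """Findings for one raw RFC 822 message: lure subject and off-brand links."""
    msg = message_from_string(raw)
    findings = []
    subject = msg.get("Subject", "")
    if SUBJECT_RE.search(subject):
        findings.append("subject: fraud-alert lure phrase")
    if MASKED_CARD_RE.search(subject):
        findings.append("subject: masked card number")
    body = msg.get_payload()  # single-part message in this example
    links, _ = collect_targets(body)
    for url in sorted(set(links) | set(URL_RE.findall(body))):
        host = host_of(url)
        if host and not is_trusted(host):
            findings.append(f"link: non-VISA host {host}")
    return findings


def scan_page(html: str, page_host: str) -> list:
    """Findings for a landing page: executable downloads and third-party IFRAMEs."""
    links, iframes = collect_targets(html)
    findings = []
    for url in links:
        path = urlparse(url).path.lower()
        if path.endswith(".exe"):
            findings.append(f"download: executable {path.rsplit('/', 1)[-1]}")
    for src in iframes:
        h = host_of(src)
        if h and h != page_host.lower():
            findings.append(f"iframe: third-party host {h}")
    return findings


# Constructed sample data modelled on the campaign in the post. The hosts
# lure.example and iframe-host.example are placeholders, not real domains.
SAMPLE_EMAIL = """From: alerts@visa.example
To: victim@example.org
Subject: VISA card 4XXX XXXX XXXX XXXX: possible fraudulent transaction # 29209782000
Content-Type: text/html

<p>A possible fraudulent transaction was made with your card in Egypt.</p>
<p><a href="http://lure.example/visa/report.php">View your statement</a></p>
"""

SAMPLE_PAGE = """<html><body>
<a href="http://lure.example/cardstatement.exe">Download electronic report</a>
<iframe src="http://iframe-host.example/pdf.pdf" width="1" height="1"></iframe>
</body></html>"""


if __name__ == "__main__":
    for f in classify_email(SAMPLE_EMAIL) + scan_page(SAMPLE_PAGE, "lure.example"):
        print(f)
```

Run on the samples, `classify_email` reports the lure phrase, the masked card number and the link to lure.example, while `scan_page` reports the cardstatement.exe download and the IFRAME to iframe-host.example; the same two functions can be pointed at a real mail stream and at fetched landing pages behind a proxy.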