Pizza Ploy Makes the Rounds
This isn't the newest of campaigns as we first began seeing it a couple of weeks ago. However, the same ruse is being recycled today and it is just unique enough that it made me want to take a closer look. As is often the case these are arriving in our filters aimed as users' inboxes. So today, we've seen just under 1 million pieces coming in at a rate of 1500 per minute. The emails pretend to be a receipt from a pizza place from which the recipient apparently made a fairly large order. The actual order and final cost varied from email to email, but the format remained the same.
Towards the end of the order was this line "If you haven't made the order and it's a fraud case, please follow the link and cancel the order." Most likely one would definitely agree that this "is a fraud case" and go ahead to click the "Cancel Order Now" link.
Out of the million or so emails we've seen of these, the "Cancel Order Now" links are sharing references to 40 different domains. All of which host a page that displays the heading "WAIT PLEASE" in bold letters followed by "Waiting..." below. Beneath the surface though, the page is running three different scripts attempting to download and run another script by the name of "js.js" from three different places, all of these do the same thing and is done simply for redundancy in case any of the three sites go down. The "js.js" script pulls down several files from the IP 22.214.171.124 which is located in Chicago, IL. All of these belong to the SpyEye family. Among the ones pulled down is a Pdf exploit as well as a Java exploit. Once these do their thing and weasel their way into the newly infected system, a myriad of further downloads and communications take place, including a couple of components that make encrypted POSTs to 126.96.36.199 in France.
SpyEye became somewhat infamous in the underground economy when it appeared on the scene three years or so ago and went against then front runner Zeus. Both of these were being sold as automated malware toolkits on underground forums. It seemed that the authors of these toolkits were in sort of a competition against one another until the author of Zeus gave in and sold his source code to the SpyEye author who then incorporated it into his kit. Zeus is still available for purchase, but it has been replicated and reused by many different groups, especially since the code was released. Therefore there are many different unsupported versions going around. SpyEye, however, in its current form is available at a cost of around upwards of $10,000 US. This version is specifically customized and supported by the author. The cost of the kit often comes with complete support with a year's license where the author will answer any questions to help users get it off the ground, and help to repack its payload into new undetected variants as many times as necessary for the length of the license. This just goes to illustrate the professionalism that goes on on both sides of the coin.
Don't worry though, AppRiver is taking care of this one for you. All known variants are currently blocked.