Starting on October 28, we saw a new hook used to try and trick users into installing a Trojan on their computer – Free Pizza. Fans of Robert Heinlein will be familiar with the acronym TANSTAAFL – There Ain’t No Such Thing As A Free Lunch. In this case TANSTAAFPE – There Ain’t No Such Thing As A Free Pizza, Either.
Today we are celebrating our 55th anniversary and we want you to share this celebration with us - you may get a free pizza in any of our restaurants.
Pizza Hut was actually founded in 1956, which makes them 58 years old, not 55. Of course, if you click on the link, you do not get a coupon for free pizza – you get a .zip file containing a Windows executable which will make you part of a malicious botnet called Asprox or Kuluoz. This botnet has been around since 2008. It goes through sudden bursts of growth from time to time, and then cuts back in size, perhaps to avoid countermeasures from the security community.
This attack appears to be more credible than the typical package delivery or invoice spam used to distribute malware. Everybody wants to believe in free pizza. We are seeing an unusually high number of people taking this email out of their spam folders. Users are more than four times more likely to take this out of their spam folder than the largest recent malware spam campaign which claimed to be a notice to appear in court.
Though the attack is low volume at the moment, it’s quite possible it may grow. Asprox infects both workstations (using Trojans), and web servers (using SQL injection attacks). By using infected workstations to probe for vulnerable web servers and infected servers to deliver malware to workstations the Asprox botnet has been capable of explosive growth in the past. In June 2010 the number of infected web servers grew by a factor of five in a single day.
The bottom line is that users should not click on any links in unsolicited email, especially if it is already in your spam folder. Free pizza may seem a lot more credible than Nigerian gold, but they are both dangerous scams. If you are tempted to click on a link (because who can turn down free pizza), hover the mouse over it first, and make sure that the URL goes to http://pizzahut.com/ and not http://pizzahut.com.[some random hacked domain].cn .