Pushdo has moved on to yet another blended threats campaign designed to install the Zeus Trojan horse onto user’s PCs. Over the past months Pushdo has conducted a number of different email campaigns, many of which we have previously written about on this blog. This time there is a VISA card theme where the recipient of the spam email is alerted to a possible fraudulent transaction. Users receive an email with one of the following or similar subjects:

possible fraudulent transaction and/or collusion

possible fraudulent transaction has been executed with your VISA card

VISA card 4XXX XXXX XXXX XXXX: possible fraudulent transaction # 29209782000

VISA card 4XXX-XXXX-XXXX-XXXX: possible fraudulent transaction ID 16891657070

The country where the email states your VISA card was used, (Egypt in the above example) changes from email to email. The link in the email does not go to visa.com but to one of over 190 domains hosting the web page below.

The page asks that you download an electronic report for your VISA card. This ‘report’, named cardstatement.exe is the Zeus (Zbot) Trojan horse. This page also contains an IFRAME to audiodrv7.com that, when we loaded the fake VISA page, caused the browser to pop up a download request for the file pdf.pdf.

This was a malicious PDF file that contained exploits for three Adobe Reader vulnerabilities.