<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Anti spam and general email security in a business environment &#187; malicious sites</title>
	<atom:link href="http://www.allspammedup.com/tag/malicious-sites/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.allspammedup.com</link>
	<description></description>
	<lastBuildDate>Tue, 07 Feb 2012 15:00:43 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Pizza Spam Delivers Malware</title>
		<link>http://www.allspammedup.com/2011/12/pizza-spam-delivers-malware/</link>
		<comments>http://www.allspammedup.com/2011/12/pizza-spam-delivers-malware/#comments</comments>
		<pubDate>Wed, 28 Dec 2011 15:00:23 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Spam news]]></category>
		<category><![CDATA[malicious sites]]></category>
		<category><![CDATA[malicious spam]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spammers]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=6614</guid>
		<description><![CDATA[A new spam campaign is using fake pizza order confirmations to distribute malware. The message informs the recipient that their order has been received and gives them the option to either pay for it, to the tune of $100 or so, &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-6672" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2011/12/1196125_italian_pizza.jpg" alt="" width="300" height="225" /></p>
<p>A new spam campaign is using <a target="_blank" href="http://www.spamfighter.com/News-17189-Pizza-Order-Spam-Spreads-Malicious-Software.htm">fake pizza order confirmations</a> to distribute malware. The message informs the recipient that their order has been received and gives them the option to either pay for it, to the tune of $100 or so, or to cancel it by clicking the provided “Cancel Order Now” button. The scammers are hoping the recipients will panic and click the cancel button. Doing so will lead them to one of several infected websites that will attempt to download malware onto their computer.</p>
<p>The site first uses a script to determine exactly what OS the visitor is running and then downloads the appropriate variant of malware. It recognizes Windows; Mac; iOS for the iPad, iPod Touch, and iPhone; Windows Mobile; WinCE; and more. It also checks which browser the visitor has and whether they have Flash, Adobe Acrobat, and JavaScript. Presumably it is looking for specific programs in order to exploit any security vulnerabilities they may contain.</p>
<p>It’s not yet clear what happens if a recipient actually chooses to pay the bill. Will the scammers get some free money, or does the link lead to the same malicious website as the order cancellation button?</p>
<p>The scammers do try to keep the messages fresh, using different pizzas and items in the orders and using different restaurant names. However, it’s pretty easy to spot these scam emails. They won’t be addressed to you by name, and most pizza places require payment right away unless you choose to pay in cash. Plus, the pizzerias the fake confirmations come from are fake themselves.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/12/pizza-spam-delivers-malware/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The PIFTS.exe Conspiracy</title>
		<link>http://www.allspammedup.com/2009/03/the-piftsexe-conspiracy/</link>
		<comments>http://www.allspammedup.com/2009/03/the-piftsexe-conspiracy/#comments</comments>
		<pubDate>Wed, 11 Mar 2009 08:50:51 +0000</pubDate>
		<dc:creator>Brett Callow</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[malicious sites]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=599</guid>
		<description><![CDATA[On Monday, users of Norton Internet Security and Norton Antivirus started seeing firewall alerts warning them that an executable named PIFTS.exe was attempting to connect to stats.norton.com. Conspiracy theories immediately started to spread like wildfire. What exactly was PIFTS? Were &#8230;
]]></description>
			<content:encoded><![CDATA[<p>On Monday, users of Norton Internet Security and Norton Antivirus started seeing firewall alerts warning them that an executable named PIFTS.exe was attempting to connect to stats.norton.com. Conspiracy theories immediately started to spread like wildfire. What exactly was PIFTS? Were Symantec surreptitiously monitoring their users? Or was this something much more sinister?</p>
<p>The discussion raged on sites such as <a target="_blank" href="http://it.slashdot.org/article.pl?sid=09/03/10/139229">Slashdot</a> and on forums across the internet. Symantec fanned the flames when they started deleting, without explanation, questions about PIFTS which had been posted to their web forum. What did they have to hide? To make matters worse, users searching for information on PIFTS found that they were being directed to malicious websites. Brian Krebs of the Washington Post <a target="_blank" href="http://voices.washingtonpost.com/securityfix/2009/03/symantec_users_complain_of_mys.html">noted</a>:</p>
<blockquote><p>Some of the top searches (currently the 3rd and 4th result in a Google search) are Web sites that try to install malicious software when you visit them. Both results take you to sites that use Javascript attacks to try and foist rogue antivirus products (ah, the irony).</p></blockquote>
<p>Symantec finally issued a <a target="_blank" href="http://community.norton.com/norton/board/message?board.id=nis_feedback&amp;message.id=39119">statement</a> which confirmed what had happened:</p>
<blockquote><p>Symantec released a diagnostic patch &#8220;PIFTS.exe&#8221; targeting Norton Internet Security and Norton Antivirus 2006 &amp; 2007 users on March 9, 2009. This patch was released for approximately 3 hours (4:30 &#8211; 7:40 PM March 9, 2009 Pacific Time). In a case of human error, the patch was released by Symantec &#8220;unsigned&#8221;, which caused the firewall user prompt for this file to access the Internet. The firewall alert for the patch caused understandable concern for users and began to be reported back to Symantec. Releasing a patch unsigned is an extremely rare occurrence that does not pose any security issues to our users. The patch reached a limited number of Norton customers and has subsequently been pulled from further distribution. Norton users are fully protected and do not need to take any action as a result of this issue.<span id="more-599"></span></p></blockquote>
<p>What about the deleted posts? Symantec explained that too:</p>
<blockquote><p>There has been activity in the Norton User Forum related to PIFTS.exe which has generated additional concern and media speculation. At approximately 10:30pmET Monday March 9, Symantec detected that our User Forum boards were being abused by an individual or individuals. One individual created a new user account and posted about the name of the patch executable, PIFTS.exe. Within minutes, several dozen user accounts were created commenting on the initial thread, and/or creating new threads on the topic. Over the next few hours, over 200 user accounts were created. Within the first hour there were 600 new posts on this subject alone. While the intent of the spammer(s) remains unclear, there were no malicious links and it simply resulted in a widespread communications challenge for Symantec. Below are some examples of the forum spam we received from these new user accounts. These forum posts contained no text in the body of the message, simply a subject:</p>
<p>O LAWD IM CHOKIN ON PIFTS PLZ HALP<br />
OH GOD YOU GOT CHOCOLATE IN MY PIFTS<br />
If you wanna be my NORTON/ you gotta deal with my P ! F T S . E X E<br />
IF PIFTS.EXE WAS HERE, THEN WHO WAS PHONE?<br />
PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE<br />
I LOVE MY PIFTS.EXE</p>
<p>Symantec strictly adheres to its Norton Community Terms of Service and does not delete postings unless they are in violation of these guidelines. Upon determining that our User Forums were being abused, Symantec began removing the spam posts.</p></blockquote>
<p>So, it seems that it was all due to human error; an innocent mistake. PIFTS did not perform any malicious activity and the web forum posts were not deleted as part of a corporate cover-up. But, boy, could Symantec have handled this any more badly? Why didn&#8217;t they issue a statement sooner? Had they done so, they could have been spared a considerable amount of bad publicity &#8211; and spared their users from being lured to malicious websites in a hunt for information which should have been made available by Symantec. And will users really be comforted to know that PIFTS could have phoned home without their knowledge had the executable been signed? Hmmm &#8230;</p>
<p>What&#8217;s also noteworthy about this incident is the speed with which the malicious websites appeared. If only Symantec had been as fast to respond as the bad guys!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/03/the-piftsexe-conspiracy/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Google Mistakenly Labels The Entire Internet As Malicious</title>
		<link>http://www.allspammedup.com/2009/02/google-mistakenly-labels-the-entire-internet-as-malicious/</link>
		<comments>http://www.allspammedup.com/2009/02/google-mistakenly-labels-the-entire-internet-as-malicious/#comments</comments>
		<pubDate>Mon, 02 Feb 2009 20:00:21 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[malicious sites]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=383</guid>
		<description><![CDATA[In what Google officials are blaming on human error, for a while every site on the Internet was labeled as malicious. For about an hour on Saturday morning, every search result had the warning &#8220;This site may hurt your computer.&#8221; Users &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2009/02/googlebad.jpg"><img class="alignright size-medium wp-image-384" style="float: right;" title="Google Mistakenly Labels The Entire Internet As Malicious" src="http://www.allspammedup.com/wp-content/uploads/2009/02/googlebad-346x400.jpg" alt="Google Mistakenly Labels The Entire Internet As Malicious" width="167" height="156" /></a>In an incident that Google officials are blaming on human error, every site on the Internet was, for a while, labeled as malicious. For about an hour on Saturday morning, every search result had the warning &#8220;This site may hurt your computer.&#8221; Users who clicked anyway were brought to a page blocking access and advising them to choose another site. According to the official Google blog, the error occurred during a routine update of the list Google uses to block malicious sites. Unfortunately, the human doing the upload made a simple typo:</p>
<blockquote><p><span style="color: #000000;">Unfortunately (and here&#8217;s the human error), the URL of &#8216;/&#8217; was mistakenly checked in as a value to the file and &#8216;/&#8217; expands to all URLs. Fortunately, our on-call site reliability team found the problem quickly and reverted the file. Since we push these updates in a staggered and rolling fashion, the errors began appearing between 6:27 a.m. and 6:40 a.m. and began disappearing between 7:10 and 7:25 a.m., so the duration of the problem for any particular user was approximately 40 minutes.</span></p></blockquote>
<p><span style="color: #000000;">While Google fixed the problem quickly and issued a swift apology, it still has many people upset. Having your site labeled as malicious by Google can be very damaging!</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/02/google-mistakenly-labels-the-entire-internet-as-malicious/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

