An email scam hitting inboxes across the globe is promoting a free dinner at one of the world’s largest fast-food chains. The catch is that you need to print the attached coupon, which is actually an executable belonging to a well-established family of malware.
Millions of people across the globe will head to McDonald’s today. Given the eatery’s popularity, some might be tempted to take advantage of an offer circulating via email. The message appears with the subject, “You don’t need to pay for your helpings this day”, and promises a free dinner on June 27.
“McDonalds invites you to The Free Dinner Day which will take place on 27 June, 2011, in every cafe of ours,” the randomly delivered message explains.
According to the scam, the day’s free treats include Big N’ Tasty with Cheese, Chicken Selects Premium Breast Strips, Premium Caesar Salad, Apple Dippers, and McCafe Mocha Frappe.
“Print the invitation card attached to the letter and show it at the cash desk of any of our restaurants. Every manager will gladly take your card and issue you a tasty dish of Free Day. And remember! Free Day is a whole five free dishes! Thank you for your credence. We really appreciate it,” the message concludes.
The wording of the email is mostly European, using promotional terms that would be rare, if not completely out of place, in a U.S. promotion. Not to mention, the brand is spelled incorrectly. However, the attachment itself is the real problem. It’s malware. More to the point, it’s a variant of the Bredolab family of malware.
The Bredolab botnet was reported to have pushed nearly 3.6 billion malicious emails a month at its peak. The malware spread via email attachments or links found on social networks. The most common infection vector, however, is email.
Scams promoting UPS or other shipping company deliveries and status updates, Facebook password resets, Western Union deliveries, and tax information are all hallmarks of Bredolab. Now free food can be added to the list.
Bredolab itself is a gateway: once it is installed, it downloads other malware to the infected system. Sometimes the additional malware consists of rogue antivirus applications. Yet it is also known to download other families of malware, such as Zeus, Koobface, Rustock, Waledac, Srizbi, and more.
Bredolab was partially dismantled in November 2010. The takedown involved Dutch law enforcement, who seized control of 143 command and control servers used by the botnet. The Dutch police’s actions were successful, as the botnet was crippled.
However, it didn’t die completely. Two command and control servers remained, one in Russia and another in Kazakhstan. These remaining servers allowed the botnet to live on. According to AppRiver’s Threat Report for June 2011, five variants of the Bredolab malware made it into the top 20 list of threats observed in May, four of them in the top ten.
Scams like the one featuring McDonald’s are just one of the many ways criminals will spread their malicious wares.
In this case, the common adage that there is no such thing as a free lunch (or dinner for that matter) will protect you from this scam.
Otherwise, when a random email appears offering something that is too good to be true, ignore it.
The next page contains an image of the scam, including the junk text at the bottom used to fool email filters. At the time this story went live, there were 8 security vendors detecting the variant of Bredolab being delivered.
A VirusTotal report is here.
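The lure described above works because the "invitation card" is a Windows executable dressed up as a printable coupon. As an added example (not code from the article or from any vendor named in it), the following Python builds a constructed message with that shape and shows the checks a mail gateway can apply to catch it: the attachment body starts with the PE magic bytes, its declared MIME type disagrees with that content, and its name uses an executable extension behind a document-looking one. The sender and recipient addresses are placeholders.

```python
import email
from email import policy
from email.message import EmailMessage

EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
DOC_EXT = (".pdf", ".jpg", ".jpeg", ".png", ".gif", ".doc")

def build_sample(malicious: bool = True) -> bytes:
    """Constructed lure message; with malicious=True the 'coupon' is a PE file."""
    msg = EmailMessage()
    msg["Subject"] = "You don't need to pay for your helpings this day"
    msg["From"] = "promo@example.invalid"        # placeholder addresses
    msg["To"] = "recipient@example.invalid"
    msg.set_content("Print the invitation card attached to the letter.")
    if malicious:
        # Every Windows executable begins with the DOS header magic 'MZ'.
        body, name = b"MZ" + b"\x90" * 62 + b"PE\x00\x00", "invitation_card.jpg.exe"
    else:
        body, name = b"\xff\xd8\xff\xe0" + b"\x00" * 16, "invitation_card.jpg"  # JPEG magic
    msg.add_attachment(body, maintype="image", subtype="jpeg", filename=name)
    return msg.as_bytes()

def analyse(raw: bytes) -> dict:
    """Inspect each attachment and report why (if at all) it looks like a disguised executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"subject": str(msg["Subject"]), "attachments": [], "flagged": False}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        reasons = []
        if data[:2] == b"MZ":
            reasons.append("PE header (MZ) in attachment body")
            if part.get_content_maintype() != "application":
                reasons.append(f"declared type {part.get_content_type()} does not match content")
        if name.endswith(EXEC_EXT):
            reasons.append("executable extension")
            # "coupon.jpg.exe": the real extension is hidden behind a harmless-looking one.
            if name.rsplit(".", 1)[0].endswith(DOC_EXT):
                reasons.append("double extension hiding file type")
        report["attachments"].append({"filename": name, "reasons": reasons})
        report["flagged"] = report["flagged"] or bool(reasons)
    return report

if __name__ == "__main__":
    print(analyse(build_sample()))
    print(analyse(build_sample(malicious=False)))
```

The content check matters more than the name check: a filter that trusts the declared `image/jpeg` type or the `.jpg` part of the filename is exactly what this kind of attachment is built to get past.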