Fake Best Buy purchase confirmations attempting to spread malware have been circulating for the past week. These messages are simple: they appear with “Best Buy” in the [from] field and inform the recipient that an order has been placed with Best Buy which needs to be confirmed for pick up. The recipient is then directed to the attachment, which contains a Trojan downloader commonly referred to as Kuluoz or Zortob. This file is merely a means to infect the user so that more malicious software can be downloaded, hence its classification as a downloader. At the time of our analysis this program was pulling down what appears to be software geared toward data theft, although this malware has also been used extensively to infect users with FakeAV malware.
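As an added illustration (not code from the original post or from SecureTide), here is a small mail-filter check in Python that flags the two traits of this lure together: a display name claiming Best Buy on a message whose sender domain is not the retailer's, combined with a risky attachment. The two sample messages, the legitimate domain list and the attachment extensions are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions (not from the original post): the retailer's genuine sending
# domain and the attachment types the filter treats as risky.
LEGIT_DOMAINS = {"bestbuy.com"}
RISKY_EXTS = (".exe", ".scr", ".pif", ".com", ".zip", ".rar")

# Constructed sample mimicking the lure described in the post.
LURE_EML = """\
From: "Best Buy" <orders@example-mailer.net>
Subject: Your Best Buy order is ready for pick up
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip; name="Order_Confirmation.zip"
Content-Disposition: attachment; filename="Order_Confirmation.zip"
Content-Transfer-Encoding: base64

ZHVtbXk=
--b1--
"""

# Constructed benign counterpart: same display name, genuine domain, no attachment.
CLEAN_EML = 'From: "Best Buy" <orders@bestbuy.com>\nSubject: Order shipped\n\nSee your account.\n'

def assess(raw):
    """Return the lure indicators found in one RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    # Brand impersonation: display name says Best Buy, sender domain does not.
    if "best buy" in name.lower() and domain not in LEGIT_DOMAINS:
        findings.append(f"brand mismatch: From domain {domain!r}")
    # The lure delivers the downloader as an attachment.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXTS):
            findings.append(f"risky attachment {fname!r}")
    return findings

def verdict(raw):
    """Quarantine when both indicators coincide; one alone goes to review."""
    n = len(assess(raw))
    return "quarantine" if n >= 2 else "review" if n == 1 else "deliver"
```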
The email campaign started on Thanksgiving Day in the U.S., a time when millions of consumers began flocking to the web to take advantage of online holiday deals. These messages are meant to catch any and all unsuspecting users off guard but might be especially effective with those who have actually made purchases at Best Buy recently.
The volume of messages has been quite high, as we have already quarantined nearly 1.5 million of these malware-laden emails. Here is a look at the traffic (number of emails seen inbound) from this campaign over the past 7 days:
The good news for our users is that we had predictive rules in place from the onset of this campaign, and therefore none of these messages have leaked through to our SecureTide users.