February 15, 2007
[Pick Your Special Day] Greeting Scams

It seems as though every event or holiday that triggers the sending of personal greetings (especially cards and gifts) brings out the crackers who can't wait to trick you into loading all kinds of malware on your PC. St. Valentine's Day is perhaps the most pernicious because it plays on the notion that everyone fantasizes about having a secret admirer—not a stalker, per se, but someone who is too shy to come forth with his or her adoration declaration.
And so, upon receiving an email claiming to be a Valentine greeting from an unnamed admirer, recipients go love crazy to click on attachments or links that might look legitimate.
A tricky one (actually two differently-titled and originated, but otherwise identical messages) landed here today. Perhaps they were a day late for Valentine's Day, but I'm sure that won't stop the lovelorn from falling for this guy's trick. The message claims to come from American Greetings, a real company that has been making greeting cards since 1904. The two titles read:
Subject: I sent you an eCard from AmericanGreetings. Happy Valentine's Day !
Subject: Valentine's Day eCard !
The links that the recipient sees in the HTML email point to americangreetings.com, the real company's site (and, yes, they offer ecards). But the actual link address is to a domain that inserts one character in the name, and it is a .net domain. The real americangreetings.com domain was created in January of 1996; the lookalike domain was created waaaay back on Monday.
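The mismatch described above, where the visible link text names one domain and the href points to another, can be checked mechanically. The following is an added example, not code from the original post: the sample HTML, the lookalike hostname on the reserved `.example` TLD, and the helper names are all constructed for illustration, and the "last two labels" rule is a simplifying assumption in place of a public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Finds hostnames written out in the visible link text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def base_domain(host):
    # Assumption: the last two labels approximate the registrable domain.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    # Levenshtein distance, kept to one row of the table at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href, self.text, self.findings = None, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        actual = base_domain(urlparse(self.href).hostname or "")
        for shown in map(base_domain, DOMAIN_RE.findall("".join(self.text))):
            if actual and shown != actual:
                # At most one edit between the names: a near-copy of the shown domain.
                d = edit_distance(shown.split(".")[0], actual.split(".")[0])
                self.findings.append((shown, actual, "lookalike" if d <= 1 else "mismatch"))
        self.href = None

def audit_links(html):
    parser = LinkAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample message body; none of these links come from the real email.
SAMPLE = """<a href="http://www.americangreetingsx.example/ecard">http://www.americangreetings.com/</a>
<a href="http://www.americangreetings.com/help">www.americangreetings.com</a>
<a href="http://mail.invalid-sender.example/u">cards.example.org</a>"""
```

A mail filter or a curious recipient can run `audit_links()` over the HTML part of a message; any finding means the link goes somewhere other than where its text says.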
I snatched the contents of the phony page without using a browser, allowing me to see what the con is. All visitors get a message saying that they don't have the latest Flash Player installed, and they should click to download the latest. That's where the real trouble begins, especially for users of unpatched and unprotected Windows PCs, because the download isn't Flash, but a program that will soon take over your PC. Happy Bot's Day!
Our con artist took one extra step that has been used in the past (perhaps by the same jerk). Visiting the phony page sets a browser cookie that indicates you've visited the page. If you follow the link in the email message a second time, the phony page reads the cookie that shows you've already been there, and redirects you to the real americangreetings.com web site (hold your ears, or turn down your computer's sound before visiting—ugh!). You'll have a tough time finding the ecard that you're being notified about, because it doesn't exist.
If you're fortunate enough to receive a variety of genuine Valentine's Day (or Christmas, New Years, Father's Day, or Cow Appreciation Day) email greetings, it may be difficult to distinguish the fake from the legitimate. Don't be so fast with that mouse button. Your computer may not be around for the next holiday.
Posted on February 15, 2007 at 12:26 PM