August 06, 2008

E-Card Malware Lures, Part Umpteen

For the moment, at least, the run of supermarket tabloid and other phony news-related malware email lures appears to be on hiatus. In its place comes a raft of messages claiming to have links to electronic greeting cards sent by "somebody," "a friend," or a "flatmate" (to those of us in the States, this last term is quaintly European). The crooks blew the dust off a golden oldie for this campaign.

Here are some of the Subject: lines I've seen come my way:

  • This is for you.
  • Open now for your eCard
  • Greetings from...?
  • You Have An Ecard
  • Your Digital Greeting Card is waiting
  • A greeting for you

The messages are simple, pointing to a variety of freshly-minted domain names that sound like they're right out of the dot-com boom days—containing word combinations such as "PostcardShop", "Lettercard," and "PostcardOnline." Here's a sample message:

Your friend has sent you an Ecard from [removed]Lettercard.com.

To get your Ecard, goto the following link.

http://[removed]Lettercard.com/?e4e35ab2769300aa

(c) 2003-2008 [removed]Lettercard.com.

The copyright line is a touch that adds a sense of respectability to an unwary recipient ("Ooh, they've been in business since 2003...it must be legitimate.").

This is all pretty standard botnet fare. The destination servers are compromised PCs reached through the fast flux technique: the lure domain's DNS records are rotated so rapidly that each traceroute attempt (or click of the link) resolves to a different IP address, which makes it difficult to take down the malware delivery sites.
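One defender-side check for the fast flux pattern described above, as an added example (not code from this post): given a handful of recorded DNS answers for a lure domain, it flags low TTLs, many distinct addresses spread across several /16 networks, and an answer set that changes on nearly every lookup. The thresholds and the sample answers are constructed assumptions, not observations from the campaign.

```python
from collections import namedtuple
from ipaddress import ip_network

# One recorded DNS answer for the lure domain: the TTL and the A records returned.
DnsAnswer = namedtuple("DnsAnswer", "ttl addresses")


def prefix16(addr):
    """Collapse an IPv4 address to its /16 so network diversity can be counted."""
    return str(ip_network(f"{addr}/16", strict=False))


def analyze_answers(answers, max_ttl=300, min_unique_ips=5, min_prefixes=3, min_churn=0.5):
    """Return (indicators, is_suspicious) for successive answers to one domain.

    Thresholds are assumed starting points, not values from the post.
    """
    if not answers:
        return {"unique_ips": 0, "prefixes": 0, "max_ttl": None, "churn": 0.0}, False
    seen = set()
    for a in answers:
        seen.update(a.addresses)
    # Churn: fraction of consecutive lookups whose answer set differed.
    changed = sum(1 for prev, cur in zip(answers, answers[1:])
                  if set(prev.addresses) != set(cur.addresses))
    churn = changed / (len(answers) - 1) if len(answers) > 1 else 0.0
    indicators = {
        "unique_ips": len(seen),
        "prefixes": len({prefix16(ip) for ip in seen}),
        "max_ttl": max(a.ttl for a in answers),
        "churn": churn,
    }
    suspicious = (
        indicators["max_ttl"] <= max_ttl
        and indicators["unique_ips"] >= min_unique_ips
        and indicators["prefixes"] >= min_prefixes
        and churn >= min_churn
    )
    return indicators, suspicious


# Constructed sample: a lure domain whose answer changes on every lookup (fast flux)...
FLUX_ANSWERS = [
    DnsAnswer(180, ["198.51.100.14", "203.0.113.77"]),
    DnsAnswer(180, ["192.0.2.33", "198.51.100.201"]),
    DnsAnswer(180, ["203.0.113.9", "192.0.2.120"]),
    DnsAnswer(180, ["198.51.100.58", "203.0.113.150"]),
]
# ...and a benign domain whose answer is stable and carries a long TTL.
STABLE_ANSWERS = [
    DnsAnswer(3600, ["192.0.2.10", "192.0.2.11"]),
    DnsAnswer(3600, ["192.0.2.10", "192.0.2.11"]),
    DnsAnswer(3600, ["192.0.2.10", "192.0.2.11"]),
]
```

Feed it the answers from repeated lookups spaced over a few minutes; a single lookup cannot distinguish flux from ordinary round-robin DNS.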

The earliest e-card malware deliveries I remember came as attachments to email messages. Later, as delivery migrated to compromised servers, many e-card fakes abused the good names of legitimate electronic greeting card companies. The links were either to numeric IP addresses or other compromised web sites (actual addresses hidden in an HTML link). For this latest campaign, the crooks have created their own domains and fast flux network.

Regardless of distribution medium, the allure of receiving a greeting from a secret admirer is the same olde tyme con game, destined to enlist more vulnerable PCs into the botnets.

Posted on August 06, 2008 at 10:00 AM