
E-Card with Something Special – Malware

July 1, 2007

My birthday passed not long ago, so it is not surprising that some e-card pickup messages arrived in my mailbox. But they (three in total since June) looked … unusual.

The things that set off alarm bells are:

  1. The subjects of the messages are all the same, “You’ve received a postcard from a family member!”, even from different senders.
  2. The sender names do not match the IP addresses that actually sent out the messages.
  3. The addresses to pick up the e-card are not the same as the sender names, nor their hosts.
  4. No name of your friend or family member is included.
  5. The style of the messages is the same.
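The five indicators above can be turned into simple mail-triage heuristics. The script below is an added example, not code from the original post: it runs those checks over a handful of constructed sample messages (the addresses, IPs and hosts are made up, and the generic sender phrases it looks for are the ones the post quotes plus “friend” as an assumption). Each message is assumed to be a small dict holding the sender address, the host or IP from the last Received: header, the subject and the body.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample messages, not real mail from the post. Each one is a
# simplified parse of an e-mail: envelope sender, the host or IP that
# delivered it (taken from the last Received: header), subject and body.
SAMPLE_MESSAGES = [
    {"from": "alice@example.org", "received_from": "203.0.113.7",
     "subject": "You've received a postcard from a family member!",
     "body": "Hello! A family member has sent you a postcard. "
             "Pick it up at http://198.51.100.23/?card=1 within 30 days."},
    {"from": "bob@example.net", "received_from": "203.0.113.9",
     "subject": "You've received a postcard from a family member!",
     "body": "Hello! A family member has sent you a postcard. "
             "Pick it up at http://198.51.100.45/?card=2 within 30 days."},
    {"from": "carol@example.com", "received_from": "mail.example.com",
     "subject": "Carol sent you a birthday card",
     "body": "Hi Dan, Carol made you a card. View it at "
             "https://cards.example.com/view/8f2a"},
]

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)
# Generic stand-ins for a name: family member, worshipper and neighbour are
# the phrasings the post quotes; 'friend' is an added assumption.
GENERIC_SENDER_RE = re.compile(
    r"\bfrom an? (?:family member|worshipper|neighbou?r|friend)\b",
    re.IGNORECASE)


def sender_domain(msg):
    return msg["from"].rsplit("@", 1)[-1].lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def in_domain(host, domain):
    """True if host is domain itself or a subdomain of it (not a substring)."""
    return host == domain or host.endswith("." + domain)


def relay_mismatch(msg):
    """Indicator 2: delivering host is a bare IP or outside the sender's domain."""
    relay = msg["received_from"].lower()
    return is_ip_literal(relay) or not in_domain(relay, sender_domain(msg))


def pickup_link_mismatch(msg):
    """Indicator 3: a pickup URL points at an IP literal or a foreign host."""
    dom = sender_domain(msg)
    for url in URL_RE.findall(msg["body"]):
        host = (urlparse(url).hostname or "").lower()
        if is_ip_literal(host) or not in_domain(host, dom):
            return True
    return False


def no_personal_name(msg):
    """Indicator 4: the sender is described only by a generic role, not a name."""
    return bool(GENERIC_SENDER_RE.search(msg["subject"] + " " + msg["body"]))


def template_key(msg):
    """Normalise subject and body so messages from one template compare equal
    (indicators 1 and 5: same subject and same style across senders)."""
    body = URL_RE.sub("<URL>", msg["body"]).lower()
    return (msg["subject"].strip().lower(), re.sub(r"\s+", " ", body).strip())


def scan(messages):
    """Return, per message index, the list of indicators it triggered."""
    senders_per_template = defaultdict(set)
    for m in messages:
        senders_per_template[template_key(m)].add(m["from"].lower())
    results = {}
    for i, m in enumerate(messages):
        hits = []
        if len(senders_per_template[template_key(m)]) > 1:
            hits.append("shared template across senders")
        if relay_mismatch(m):
            hits.append("relay outside sender domain")
        if pickup_link_mismatch(m):
            hits.append("pickup link outside sender domain")
        if no_personal_name(m):
            hits.append("no personal name")
        results[i] = hits
    return results


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_MESSAGES).items():
        print(i, SAMPLE_MESSAGES[i]["subject"], "->", hits or "clean")
```

The first two constructed messages trigger all four checks, while the third (a legitimate-looking card whose link and relay stay inside the sender’s domain) triggers none. Indicators 1 and 5 only become visible across a batch of mail, which is why `scan` groups messages by normalised template before scoring each one.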

I got such a message in early June, a little too early for my birthday. Today I got two, so this time I googled these IP addresses and checked whether a warning had been posted. At this moment only two have been posted (one of which shows the format of the fake e-card).

“The interesting part is just how multi-layered the attack is – it uses several different exploits, both technical and social.

It starts by testing to see if Javascript is enabled, and if it’s not, it prompts you to download a file called ecard.exe and run it. If that fails, it tries three different exploits in sequence until it finds one that works, starting with a QuickTime attack, then a WinZip attack, and finally what the ISC calls the “hail Mary” WebViewFolderIcon exploit.

… Perhaps the most dangerous part is that, when SANS ran it through 30 different anti-virus programs, only a quarter of them picked up ecard.exe as a suspect download.” (from The Register)

Although I use webmail accounts for most of my internet activities, these fake e-card messages were delivered to my work email address. 😯

EDIT: I continue to receive a few. The latest one changed its subject to “You’ve received a postcard from a worshipper!” A worshipper! Give me a break.

Later, I got the first one in GMail, with the subject line “You’ve received an ecard from a Neighbour!”
