
Ecard Spam

Friday, July 6th, 2007

I recently received a few particularly nasty spam emails that were masquerading as ecard notifications. Normally, when you send an ecard, the recipient is emailed saying they have a card and to click on a link to retrieve it. These messages work the same way, only the URL points at some zombie cable/DSL computer that serves some sort of nasty software.


Return-Path: <refn@chilehardware.com>
Received: from router.pogodanet.pl (router.pogodanet.pl [85.14.84.214])
     by joereid.com (*****) with SMTP id l645CkBd011052
     for <joe@evi***rv.com>; Wed, 4 Jul 2007 01:12:47 -0400
Received: from kkgtt.rtkoa ([173.195.226.159]) by router.pogodanet.pl 
     with Microsoft SMTPSVC(6.0.3790.0); Wed, 4 Jul 2007 07:12:43 +0200
Message-ID: <002101c7bdf9$f3984ee0$9fe2c3ad@kkgtt.rtkoa>
From: "netfuncards.com" <refn@chilehardware.com>
To: <joe@evi***rv.com>
Subject: Independence Day Party
Date: Wed, 4 Jul 2007 07:12:43 +0200
MIME-Version: 1.0
Content-Type: text/plain;
     format=flowed;
     charset="Windows-1252";
     reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Antivirus: avast! (VPS 000753-2, 2007-07-03), Outbound message
X-Antivirus-Status: Clean


Hi. Friend has sent you a postcard.
See your card as often as you wish during the next 15 days.

SEEING YOUR CARD

If your email software creates links to Web pages, click on your 
card's direct www address below while you are connected to the Internet:

http://***.83.87.181/?1d7d41977bc649ea95523893748a

Or copy and paste it into your browser's "Location" box (where Internet 
addresses go).
     


PRIVACY
netfuncards.com honors your privacy. Our home page and Card Pick Up have links to our 
Privacy Policy.

TERMS OF USE
By accessing your card you agree we have no liability. 
If you don't know the person sending the card or don't wish to see the card, 
please disregard this Announcement.

We hope you enjoy your awesome card.

Wishing you the best,
Mail Delivery System,
netfuncards.com

Let's take a second to analyze this email. The first "Received:" header mentions "router.pogodanet.pl"; email doesn't come from routers. This must refer to some little cable/DSL router that is hiding a bunch of PCs behind it. One (or more) of them is probably a zombie. Then check out the "From:" header: it mentions netfuncards.com, but the actual email address is something at chilehardware.com.

In the body, the first thing you probably notice is the articulate use of the English language, always a dead giveaway. Then the URL they want you to click on contains just an IP address, not a hostname. I covered up the first number so nobody mistakenly clicks on it, but the IP belongs to a southern California residential Roadrunner customer. They also specifically mention privacy, saying the policy is available on their website, but no links are provided.
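The three tells above (the Received chain, a From display name that is a different domain from the real sender address, and a link whose host is a bare IP address) are easy to check mechanically. The following Python is an added example, not code from this post; its sample message is reconstructed from the headers and body quoted above, with the TEST-NET address 192.0.2.181 standing in for the IP the post redacts.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample assembled from the headers and body quoted in the post.
# The post redacts the first octet of the link's IP, so the TEST-NET-1
# address 192.0.2.181 stands in for it here.
SAMPLE = """\
Return-Path: <refn@chilehardware.com>
Received: from router.pogodanet.pl (router.pogodanet.pl [85.14.84.214])
     by joereid.com (*****) with SMTP id l645CkBd011052
     for <joe@evi***rv.com>; Wed, 4 Jul 2007 01:12:47 -0400
Received: from kkgtt.rtkoa ([173.195.226.159]) by router.pogodanet.pl
     with Microsoft SMTPSVC(6.0.3790.0); Wed, 4 Jul 2007 07:12:43 +0200
From: "netfuncards.com" <refn@chilehardware.com>
To: <joe@evi***rv.com>
Subject: Independence Day Party

Hi. Friend has sent you a postcard.
http://192.0.2.181/?1d7d41977bc649ea95523893748a
"""

# http(s) URL whose host is four dotted numbers rather than a hostname
IP_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?:/\S*)?")

def received_hops(received_headers):
    """Host each Received header claims the mail came 'from', nearest hop first."""
    return [m.group(1) for h in received_headers
            if (m := re.match(r"from\s+(\S+)", " ".join(h.split())))]

def from_display_mismatch(from_header):
    """(display_name, real_domain) when the display name is itself a domain that
    differs from the address domain, the trick this spam uses; otherwise None."""
    name, addr = parseaddr(from_header)
    name, domain = name.lower(), addr.rpartition("@")[2].lower()
    if re.fullmatch(r"[\w.-]+\.[a-z]{2,}", name) and name != domain:
        return name, domain
    return None

def ip_literal_urls(body):
    """URLs in the body whose host is a bare IPv4 address."""
    return [m.group(0) for m in IP_URL.finditer(body)]

def triage(raw):
    """Run the three checks from the post over a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = ["received chain: " + " <- ".join(received_hops(msg.get_all("Received", [])))]
    if (mm := from_display_mismatch(msg.get("From", ""))):
        findings.append(f"From display name {mm[0]!r} differs from sender domain {mm[1]!r}")
    findings += [f"link uses a bare IP address: {u}" for u in ip_literal_urls(msg.get_payload())]
    return findings
```

Running `triage(SAMPLE)` yields one finding per tell; on a legitimate notification the display-name and bare-IP checks stay silent and only the hop chain is listed.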

Being the curious nerd that I am, of course I followed the link (minus the query string) to see where it goes. I used a program to fetch the source code of the page rather than looking at it in a browser, just in case there was some nasty code in there that my browser would activate. This is what I got:

We are currently testing a new browser feature. If you are not able to view this ecard, 
please <a href="/ecard.exe">click here</a> to view in its original format.

So it is basically prompting me to download some executable program that will most likely own my computer. Since this kind of thing is always about money, I'm sure that the ecard.exe program turns your computer into a zombie (spamming this same email out and serving "ecards" itself) and most likely records everything you do, including your passwords and bank and credit card numbers, and steals your identity.

This is a great example of how effective social engineering can be. Who doesn't like receiving ecards? Nobody! Add to that the fact that it was sent on an actual holiday, though not really a big card-sending holiday, and I'm sure a lot of people got these spam messages and clicked on the links.

Comments (2)

JR
#1 - Jul 7, 2007 at 7:28 AM
You should load up Virtual PC 2007 (now free from MS) and run ecard.exe on it. You can turn off networking so it can't escape from your virtual sandbox. You could also run a program like InCtrl5 or SpyMe Tools to scan the computer before and after and detect exactly what files and reg keys it changed. Sysinternals.com has a tool called Rootkit Revealer which I think you're familiar with that might be necessary too.
Joe
#2 - Jul 7, 2007 at 9:09 AM
Yeah, that's something I've been meaning to do for a while. I'd love to see exactly what gets changed and how much damage is really done by these nasty programs. Maybe I'll work on that this week at work while it's still slow...
