by RSS Derek Manky  |  Jun 29, 2009  |  Filed in: Security Research

****We have been receiving lots of spam in June with the age-old, eCard social engineering hook. The messages show up with these subject headers:

"You have received an eCard" "You have received a greeting ecard" "You Have Received a Greeting Card"

The bodies are all very simple, one piggybacking on the trusted name '123greetings.com' while the others being more simple instructing the recipient to open the eCard to view. All traced malware variants are related to the ZBot family, or W32/Branvine.A!tr.dldr. The latter downloads Privacy Center (detected by Fortinet as W32/PCenter.A!tr), yet another fake security software (scareware) suite. We first discussed Scareware at the height of its entry surge in September 2008. Ten months later, the spam campaigns still roll in. The campaign used two different attack methods with similar templates, one being the traditional attachment and the other malicious links:

Template 1 Snippet: "Send free ecards from 123greetings.com with your choice of colors, words and music. Your ecard will be available with us for the next 30 days. If you wish to keep the ecard longer, you may save it on your c computer or take a print.

To view your ecard, open attached zip file"

Template 2 Snippet: "To pick up your eCard, click on the following link (or copy & paste it into your web browser): hxxp://method{removed}.com/ Your card will be aviailable for pick-up beginning for the next 30 days."

Template 3 Snippet: "To pick up your eCard, open attached file We hope you enjoy you eCard."

There are plenty of common red flags to pick up on here: a) A link to a non-greeting card domain. Inspecting domains before following links will help - you can use our free URL lookup utility here: http://www.fortiguardcenter.com/webfiltering/webfiltering.html#urllookup b) Typos - Common with all spam to bypass filtering, also genuine errors c) eCard Attachments. Most, if not all, operating eCard companies do not supply eCard attachments (especially executables!) since they usually use an interactive site.

Can you spot another? To help users follow malicious links, spam mail often contains instructions to "copy & paste" the URL into your web browser. Sometimes, they emphasize this - check out this latest received image (in a spam mail) from Canadian Pharmacy. Typing this into your address bar will only lead you to a fast flux hosted proxy serving up fraudulent pills. Of course, the images are used as an effort to bypass spam detection:

Early this month we saw the closure of 3FN, an ISP taken down by the FTC due to complaints of malicious activity, with the hopes of a second rally for the good guys after McColo's significant impact (reduction of spam) when it went offline in November 2008. Looking at our systems, we have seen no significant change: spam rates are just as high as they were in May 2009, maintaining a steady volume much higher than we saw in December 2008 post McColo. So, what does that mean? Traditional spam is not going away anytime soon. Always be careful following links, and do some quick research on domains ahead of time (ie: use our mentioned tool, or do a quick search using your favorite engine).

by RSS Derek Manky  |  Jun 29, 2009  |  Filed in: Security Research
Tags: