Security warning

Operating System: Windows
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated

OVERVIEW:

A new fraudulent email claiming to link to an online greeting card is
currently in high circulation. The greeting card is actually a trojan
that attempts to infect the user's computer when they try to view it.


IMPACT:

The trojan may install malware capable of damaging data, allowing
system access to malicious parties, logging keystrokes and/or
monitoring internet usage. Initial reports indicate it may utilise
portions of Hacker Defender's[2] code.


MITIGATION:

Delete any emails that appear similar to the description below without
following any links within them.

Online greeting cards, 'eCards' and 'ePostcards' should always be
treated with suspicion, especially if they appear to be from someone
you do not know. Even in the case of messages that appear to be from
someone you do know, you should always verify with that person that it
is actually from them.

Many current email viewers have much stricter policies on web access
than web browsers, and enticing users to follow a link outside an
email and onto the web is a common way for attackers to increase their
likelihood of installing malicious code onto a machine.

System administrators should look for HTTP connections to files
named (or similar to):

april4-67532.html
april6-67532.html


DETAILS:

The Online Greeting Card email is much more sophisticated than the
Valentine's Day eCard trojan from earlier this year[1]. The from
address is randomised with real email addresses, suggesting that
either a collection of email addresses were harvested for the spam
run or that the trojan initiates a spam run from victim machines once
it successfully infects them. Even though the from field appears to be
a real address, it is most certainly not the true origin of the
message.

The subject line appears to follow a simple pattern:

Online Greeting Card Waiting For You [TO_NAME]

where [TO_NAME] is the same as the name in the To: field.

The body of the message follows a simple pattern as well:

Hello, [TO_NAME]! ([TO_EMAIL])

We've noticed that you haven't picked up your greeting card that
[FROM_NAME] ([FROM_EMAIL]) sent to you on DATE.

To view your greeting card, CLICK this pick-up address or COPY
and PASTE into your browser:

© All-Yours Greóting Cards ...ecially in the copyright section at the end.
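
The log check the advisory asks system administrators to make, together with its subject-line pattern, as an added Python example that is not part of the original advisory. Reading "similar to" as month, day, dash, digits is an assumption, as are the common-log-format proxy lines; every sample value below is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: "similar to" is read as <month><day>-<digits>.html; the advisory
# itself lists only april4-67532.html and april6-67532.html.
MONTHS = ("january|february|march|april|may|june|july|august|"
          "september|october|november|december")
CARD_PATH = re.compile(rf"/(?:{MONTHS})\d{{1,2}}-\d{{3,}}\.html(?:[?#]|$)", re.I)
# Client address and requested URL from a common-log-format proxy line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SUBJECT = re.compile(r"^Online Greeting Card Waiting For You\s+(.+)$", re.I)

# Constructed sample input, not real traffic or a captured message.
SAMPLE_LOG = [
    '10.0.0.21 - - [06/Apr/2000:09:14:02 +0000] "GET http://cards.example/april6-67532.html HTTP/1.1" 200 5120',
    '10.0.0.22 - - [06/Apr/2000:09:15:40 +0000] "GET http://news.example/april-newsletter.html HTTP/1.1" 200 901',
    '10.0.0.37 - - [06/Apr/2000:09:16:11 +0000] "GET http://cards.example/april4-67532.html?x=1 HTTP/1.1" 200 5120',
]
SAMPLE_MAIL = (
    "From: Sam Sender <sam@example.net>\n"
    "To: Pat Example <pat@example.org>\n"
    "Subject: Online Greeting Card Waiting For You Pat Example\n"
    "\n"
    "Hello, Pat Example! (pat@example.org)\n"
)


def suspicious_requests(log_lines):
    """Return (client, url) for each request whose path looks like the card page."""
    hits = []
    for line in log_lines:
        m = REQUEST.match(line)
        if m and CARD_PATH.search(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


def matches_lure(raw_message):
    """True when the subject follows the advisory's pattern and names the To: recipient."""
    msg = message_from_string(raw_message)
    m = SUBJECT.match(msg.get("Subject", "").strip())
    to_name, _ = parseaddr(msg.get("To", ""))
    return bool(m and to_name) and m.group(1).strip().lower() == to_name.lower()


if __name__ == "__main__":
    print(suspicious_requests(SAMPLE_LOG))
    print(matches_lure(SAMPLE_MAIL))
```
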
 
Too late for me, already got annihilated by spyware ruining the computer. And since I don't have reboot disks, it cost me $100 to fix :(
 
So many bad things on the Internet that it is really sensible to have up-to-date antivirus software, a firewall and a spyware scanner on the home PC. :)
 