Thursday, September 21, 2006

eCard Scam

Hi folks,

For the last couple of months, I've been following a nifty eCard scam. It goes like this ...

You're sitting at work, and you get an eCard in the mail. It's from a secret admirer, and the card is from a major, and reputable eCard supplier, so you think it must be safe, and click the link. You view your card, but it doesn't really tell you who it was from, so you just forget about it, and get on with life. You've been rootkitted!

That's a slight exaggeration, because if you've been keeping your patches up to date (or you're running SocketShield), it won't happen, but lots of corporations _don't_ patch every month because of fears of compatibility issues. The idea is that if you're behind the corporate firewall, you're safe.

Here's how it works...

(1) The Bad Guys set up a legitimate greeting card from a reputable eCard firm.... pick one, any one... they're all vulnerable to this sort of attack.

(2) They construct a tricky link URL that takes the victim through an exploit server, on the way to the greeting card.

It looks a bit like this ...

It doesn't much matter that this URL looks a bit funny, because that's all hidden in the HTML. All the victim sees is something like ...

Click _Here_ to get your card.

What's happening is the is acting as a redirector, and sending the victim on to the greeting card, but ... _first_ it silently launches an exploit at the victim. If it's successful, it silently installs software in the background.

(3) You (might) get your greeting card, but you also get a keylogger and a rootkit.

I first noticed one of these cards in late July. It was using an MDAC exploit to install a keylogger and a rootkit, and had stolen about 200mb of data (bank accounts, credit cards, anything with a user id/ password). I then noticed a similar card about a month later, and when I checked my records, I found they'd been sending a new card about every week since early April. That's about 200mb of data per week, for five months!

The eCard scammers were quiet for most of September, so I thought they'd either stopped (hah!) or they'd gone to ground while they reorganize their exploit servers (and perhaps, get a new exploit ready). Alas, in just the last couple days we've seen a new crop arrive that we're now studying. More later...



Post a Comment

<< Home