
Fake Email Greeting Card Leads To Trojan

by Brett M. Christensen

Outline:
An email that claims to be a Greeting Card notification from All-Yours.net actually points to a malicious trojan.


Example:

Subject: You just recieved a E-Greeting.

Hello,

A Greeting Card is waiting for you at our virtual post office! You can pick up your postcard at the following web address:

http://www.all-yours.net/u/view.php?id=a0190313376667

visit E-Greetings at http://www.all-yours.net/
and enter your pickup code, which is: a0190313376667

(Your postcard will be available for 60 days.)



Detailed Analysis:
This email tries to fool recipients into believing that they have been sent a greeting card via All-Yours.net, an online greeting card website. The message asks recipients to follow an included web address in order to view their greeting card.

However, clicking on the link in the message downloads a trojan to the victim’s computer. The link is disguised using HTML so that it appears to be the address of a page on the All-Yours.net website. The message does not originate from All-Yours.net. The link actually points to a file named “postalcard.jpg.exe” located on another server.

All-Yours.net is a genuine online greeting card provider and has nothing at all to do with the message or its malicious payload. The hacker responsible uses this ruse in an attempt to capitalize on the popularity of All-Yours.net.

Opening “postalcard.jpg.exe” installs an mIRC client that can then be used by the hacker to gain access to the infected computer. Norton AntiVirus detects the threat as Backdoor.IRC.Flood.

If you receive an email similar to the one shown above, do not follow any links in the message unless you are sure that they lead to a genuine greeting card site. Holding the mouse cursor over a link in the email should display the underlying web address in your email client’s status bar and allow you to easily detect if the link is disguised. For example, the web address displayed in this fake email is:

http://www.all-yours.net/u/view.php?id=a0190313376667

However, holding the mouse cursor over the link reveals that the real web address is similar in format to the following sanitized URL:

http://(series of numbers)/foldername/postalcard.jpg.exe

The hacker has given the payload file a double extension in an attempt to hide its true nature. The double extension may be enough to convince unwary recipients that the file is a harmless .jpg (image) file rather than a potentially dangerous .exe (executable) file.

It is always a good idea to check the true destination of email links before you click on them.
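The check described above (comparing the web address shown as link text with the address the link actually points to, and spotting a double extension such as ".jpg.exe") can be automated for HTML email bodies. The following is an added example written for this article, not code from Hoax-Slayer; the sample email body is constructed from the text quoted above, and the IP address 192.0.2.10 is a documentation-range placeholder standing in for the "(series of numbers)" that the article sanitizes.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that an executable payload might hide behind a double extension.
# This list is an assumption for the example, not taken from the article.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Constructed HTML body modelled on the fake greeting card email quoted above.
# The first link shows one address to the reader while pointing somewhere else;
# the second link is honest (its text and href agree).
SAMPLE_EMAIL_HTML = """
<p>A Greeting Card is waiting for you at our virtual post office!</p>
<p><a href="http://192.0.2.10/foldername/postalcard.jpg.exe">http://www.all-yours.net/u/view.php?id=a0190313376667</a></p>
<p>visit E-Greetings at <a href="http://www.all-yours.net/">http://www.all-yours.net/</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        # Only capture text that sits inside an open <a> element.
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
            self._text = []


def is_ip_host(host):
    """True when the host part of a URL is a bare dotted-quad IPv4 address."""
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def has_double_extension(path):
    """True when the file name ends in an executable extension preceded by another one."""
    name = path.rsplit("/", 1)[-1].lower()
    pieces = name.split(".")
    return len(pieces) >= 3 and "." + pieces[-1] in EXECUTABLE_EXTENSIONS


def analyse_links(html_body):
    """Return one finding per link: its href, its visible text and a list of reasons for suspicion."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        real = urlparse(href)
        reasons = []
        # If the visible text looks like a URL, its host should match the real host.
        shown = urlparse(text) if text.lower().startswith(("http://", "https://")) else None
        if shown is not None and shown.hostname and shown.hostname != real.hostname:
            reasons.append("displayed host %s differs from real host %s" % (shown.hostname, real.hostname))
        if real.hostname and is_ip_host(real.hostname):
            reasons.append("link points to a bare IP address")
        if has_double_extension(real.path):
            reasons.append("file name uses a double extension: %s" % real.path.rsplit("/", 1)[-1])
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse_links(SAMPLE_EMAIL_HTML):
        status = "SUSPICIOUS" if finding["reasons"] else "ok"
        print(status, finding["href"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the constructed body, the first link is reported three times over (mismatched host, bare IP address, ".jpg.exe" double extension) while the genuine All-Yours.net link passes cleanly; the same function can be pointed at the HTML part of any message pulled from a mailbox.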


Last updated: 27th September 2006
First published: 27th September 2006
By Brett M. Christensen

References
www.All-Yours.net: Bogus Postcard Messages
F-Secure Weblog: Two massmailings underway
Backdoor.IRC.Flood
FREE Greetings and digital postcards – All-Yours FREE Greeting Cards

Important Notice

After considerable thought and with an ache in my heart, I have decided that the time has come to close down the Hoax-Slayer website.

These days, the site does not generate enough revenue to cover expenses, and I do not have the financial resources to sustain it going forward.

Moreover, I now work long hours in a full-time and physically taxing job, so maintaining and managing the website and publishing new material has become difficult for me.

And finally, after 18 years of writing about scams and hoaxes, I feel that it is time for me to take my fingers off the keyboard and focus on other projects and pastimes.

When I first started Hoax-Slayer, I never dreamed that I would still be working on the project all these years later or that it would become such an important part of my life. It's been a fantastic and engaging experience and one that I will always treasure.

I hope that my work over the years has helped to make the Internet a little safer and thwarted the activities of at least a few scammers and malicious pranksters.

A Big Thank You

I would also like to thank all of those wonderful people who have supported the project by sharing information from the site, contributing examples of scams and hoaxes, offering suggestions, donating funds, or helping behind the scenes.

I would especially like to thank David White for his tireless contribution to the Hoax-Slayer Facebook Page over many years. David's support has been invaluable, and I cannot thank him enough.

Closing Date

Hoax-Slayer will still be around for a few weeks while I wind things down. The site will go offline on May 31, 2021. While I will not be publishing any new posts, you can still access existing material on the site until the date of closure.

Thank you, one and all!

Brett Christensen,
Hoax-Slayer