Fake Email Greeting Card Leads To Trojan
An email that claims to be a Greeting Card notification from All-Yours.net actually points to a malicious trojan (Full commentary below
(Received September 2006)
Subject: You just recieved a E-Greeting.
A Greeting Card is waiting for you at our virtual post office! You can pick up your postcard at the following web address:
visit E-Greetings at http://www.all-yours.net/
and enter your pickup code, which is: a0190313376667
(Your postcard will be available for 60 days.)
This email tries to fool recipients into believing that they have been sent a greeting card via All-Yours.net
, an online greeting card website. The message asks recipients to follow an included web address in order to view their greeting card.
However, clicking on the link in the message downloads a trojan to the victim's computer. The link is disguised using HTML so that it appears to be the address of a page on the All-Yours.net website. The message does not
originate from All-Yours.net. The link actually points to a file named "postalcard.jpg.exe" located on another server.
All-Yours.net is a genuine online greeting card provider and has nothing at all to do with the message or its malicious payload. The hacker responsible uses this ruse in an attempt to capitalize on the popularity of All-Yours.net.
Opening "postalcard.jpg.exe" installs an mIRC client that can then be used by the hacker to gain access to the infected computer. Norton AntiVirus detects the threat as Backdoor.IRC.Flood
If you receive an email similar to the one shown above, do not follow any links in the message unless you are sure that they lead to a genuine greeting card site. Holding the mouse cursor over a link in the email should display the underlying web address in your email client's status bar and allow you to easily detect if the link is disguised. For example, the web address displayed in this fake email is:
However, holding the mouse cursor over the link reveals that the real web address is similar in format to the following sanitized URL:
http://(series of numbers)/foldername/postalcard.jpg.exe
The hacker has given the payload file name a double extension in an attempt to hide its true nature. The double extension may be enough to convince unwary recipients that the file is a harmless .jpg (image) file rather than a potentially dangerous .exe (Executable) file.
It is always a good idea to check the true destination of email links before
you click on them.
www.All-Yours.net: Bogus Postcard Messages
F-Secure Weblog: Two massmailings underway
FREE Greetings and digital postcards - All-Yours FREE Greeting Cards
Last updated: 27th September 2006
First published: 27th September 2006
Write-up by Brett M.Christensen