Debunking email hoaxes and exposing Internet scams since 2003!


Fake Email Greeting Card Leads To Trojan

An email that claims to be a Greeting Card notification from actually points to a malicious trojan (Full commentary below).

Example: (Received September 2006)
Subject: You just recieved a E-Greeting.

Hello ,

A Greeting Card is waiting for you at our virtual post office! You can pick up your postcard at the following web address:

visit E-Greetings at
and enter your pickup code, which is: a0190313376667

(Your postcard will be available for 60 days.)

This email tries to fool recipients into believing that they have been sent a greeting card via, an online greeting card website. The message asks recipients to follow an included web address in order to view their greeting card.

However, clicking on the link in the message downloads a trojan to the victim's computer. The link is disguised using HTML so that it appears to be the address of a page on the website. The message does not originate from The link actually points to a file named "postalcard.jpg.exe" located on another server. is a genuine online greeting card provider and has nothing at all to do with the message or its malicious payload. The hacker responsible uses this ruse in an attempt to capitalize on the popularity of

Opening "postalcard.jpg.exe" installs an mIRC client that can then be used by the hacker to gain access to the infected computer. Norton AntiVirus detects the threat as Backdoor.IRC.Flood.

If you receive an email similar to the one shown above, do not follow any links in the message unless you are sure that they lead to a genuine greeting card site. Holding the mouse cursor over a link in the email should display the underlying web address in your email client's status bar and allow you to easily detect if the link is disguised. For example, the web address displayed in this fake email is:

However, holding the mouse cursor over the link reveals that the real web address is similar in format to the following sanitized URL:

http://(series of numbers)/foldername/postalcard.jpg.exe

The hacker has given the payload file name a double extension in an attempt to hide its true nature. The double extension may be enough to convince unwary recipients that the file is a harmless .jpg (image) file rather than a potentially dangerous .exe (Executable) file.

It is always a good idea to check the true destination of email links before you click on them.
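The hover check described above can also be run automatically over a message's HTML body. The following is an added example, not part of the original write-up: it flags links whose visible address differs from the real target, links to numeric hosts, and payload names with a double extension. The extension lists, function names, and the sample body (with placeholder host `cards.example` and address `192.0.2.10`) are assumptions made for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "pdf", "doc", "txt"}

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in a message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):  # lower-cased host of a URL, with or without a scheme
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()

def audit_links(html):
    """Return [(href, [findings])] for links that show the signs described above."""
    parser = LinkCollector()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        host, findings = host_of(href), []
        looks_like_url = text.lower().startswith(("http://", "https://", "www."))
        if looks_like_url and host_of(text) != host:
            findings.append("display-host-mismatch")   # shown address is a decoy
        try:
            ipaddress.ip_address(host)
            findings.append("numeric-host")            # "series of numbers" host
        except ValueError:
            pass
        parts = urlparse(href).path.rsplit("/", 1)[-1].lower().split(".")
        if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS:
            findings.append("double-extension")        # e.g. name.jpg.exe
        if findings:
            report.append((href, findings))
    return report

# Constructed sample body; cards.example and 192.0.2.10 are placeholders.
SAMPLE = ('<a href="http://192.0.2.10/foldername/postalcard.jpg.exe">'
          'http://www.cards.example/pickup</a> <a href="http://www.cards.example/help">Help</a>')
```

Calling `audit_links(SAMPLE)` reports only the first link, with all three findings; the second link, whose text is not an address and whose target is an ordinary page, is not reported.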


Last updated: 27th September 2006
First published: 27th September 2006

Write-up by Brett M. Christensen