The Distillery

by Colm McGoldrick
August 25, 2008

Hallmark E-Card Spam - Hello again

There haven’t been many dull moments in the Threat Operations Center over the past few weeks. Between multiple CNN spam updates, which then morphed into MSNBC spam, followed by fake FedEx non-delivery notifications last week, Britney Spears tabloid spam, and up to 30% increases in total spam volume, everyone has certainly been drinking from the fire hose.

We had a new guy named Tyler start recently as well who hasn’t yet run for the hills screaming in the midst of all of the chaos. Sounds like a keeper to me!

Beginning yesterday we started tracking the return of Hallmark E-Card spam. If you recall, sending out fake e-cards that lead to malware sites was a popular tactic of the Storm Worm. These new messages appear as if they are being distributed via the Srizbi botnet, but are largely the same as their Storm counterparts.

Below is a screen shot of a sample message that landed in one of our spamtraps:

[Screenshot: ecard_spam.jpg]

As with most spammers nowadays, you can tell that they went to some great lengths to ensure that the email looks as legitimate as possible.

In many previous e-card variants, all of the links within the email would point directly to the malware hosting site. This trend has recently been shifting, and this new Hallmark E-Card tactic improves upon that by pointing only the “here” link above to the malicious web site. All of the other links, like Customer Service, Store Locator, etc., actually point to the same locations that the real hallmark.com site points to. So, if a suspicious recipient of one of these messages clicks on any link in the email other than the malware download link, they may be tricked into believing the message is legitimate, since it will direct them to the Hallmark site. Seeing this, they may be more apt to click on the download link and become infected.

Emails associated with this new “e-card” appear to be from “E-Cards@Hallmark.com” and will have subject lines like “You’ve Recieved a Hallmark E-Card!”. The other telltale sign of these fakes can be found if you mouse over (but don’t click!!) the “here” link, as it links to an executable file like postcard.gif.exe as opposed to an actual web page.
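The mouse-over check can also be done mechanically on the HTML body at a mail gateway. The sketch below is an added example, not code from the original post: it extracts every link and flags only those whose target file name ends in an executable extension hidden behind a decoy one, so the legitimate hallmark.com links pass and the single “here” link stands out. The host name, sample body and extension lists are constructed for illustration.

```python
from html.parser import HTMLParser
from posixpath import basename
from urllib.parse import urlparse

# Assumed extension lists for this example; tune for your environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".pdf", ".htm", ".html"}

class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def classify_link(href):
    """Return a verdict string for executable targets, else None."""
    name = basename(urlparse(href).path).lower()
    parts = name.rsplit(".", 2)
    if len(parts) < 2 or "." + parts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(parts) == 3 and "." + parts[1] in DECOY_EXTS:
        return "double-extension-executable"   # e.g. postcard.gif.exe
    return "executable"

def suspicious_links(html_body):
    """List (href, anchor text, verdict) for every flagged link."""
    parser = LinkCollector()
    parser.feed(html_body)
    return [(href, text, verdict) for href, text in parser.links
            if (verdict := classify_link(href))]

# Constructed sample body: one download link, one link to the real site.
SAMPLE_BODY = (
    '<p>To see it, click '
    '<a href="http://malware-host.example.invalid/postcard.gif.exe">here</a>.</p>'
    '<p><a href="http://www.hallmark.com/">Customer Service</a></p>'
)

if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_BODY):
        print(hit)
```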

Be on the lookout for these new fake Hallmark E-Cards, especially as we move closer to the Holiday Season (it’s still a ways off, but I am sure some stores will have Christmas items on the shelves soon!) as these are likely to become a popular tactic again for Halloween, Thanksgiving, and Christmas.


 