The Latest in IT Security

Umbra Loader Botnet Behind Fake Spam Campaign


For years, we’ve seen reports about criminals preying on internet users with prefabricated emails that appear to originate from legitimate e-card companies. Criminals have used the brands of Regards.Com, AmericanGreetings.Com, GreetingCards.Com, and Hallmark.Com, just to name a few, in their campaigns.

Malicious e-card spam (the kind that leads users to download malware or to phishing sites) is in the news lately. Usually, these campaigns pop up and peak whenever holidays like Easter and special occasions like Valentine’s Day are approaching.

However, there are also e-card campaigns that just randomly arrive in user inboxes unbranded. Regardless of whether these campaigns appear to have been sent by spoofed accounts or by people you actually know (whose accounts were probably compromised), the emails usually look simple and graphics-free but overall spammy and, therefore, must be treated with enmity, i.e., bin it!

In a recent find by one of our research engineers in the AV Lab, this e-card spam campaign not only came out of nowhere, it also carries the 123Greetings.Com brand and resembles the simple, graphics-free look of its legitimate email notification.



Subject: You have received a Greeting ecard from
Message body:
You have received a Greeting ecard from

You can download and view it by clicking here:

Using our new tracking feature, you can now view all the ecards received by you in the last 30 days. Your ecard is going to be with us for the next 30 days.

Based on user feedback, has launched 6 new pages with the best ecards in the Most Popular/ Most Viewed/ Highest Rated/ Latest Additions/ Popular Now and Always There Sections listed on the homepage. So hurry up and choose the best ones for sending them from the links below:

< links that lead to actual pages within the 123Greetings.Com domain >

Clicking www(dot)123greetings(dot)com/(space)send/view/063071117097147476 leads users to download the malicious file, card.exe. When run, this executable drops server.exe, a backdoor program that in turn drops two copies of itself on the system, svchost.exe and services.exe (names borrowed from actual Windows files), and connects to a PHP file hosted on a legitimate but possibly compromised news website in the Middle East. The backdoor connects to this file in order to download more files or update itself and its copies.
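A defender-side check for the file-name masquerading described above, as an added example that is not from the original article: it flags processes named svchost.exe or services.exe that run from outside the directories where the genuine Windows binaries live. The log format, hosts, timestamps and drop paths are constructed, since the article does not state where the copies are written, and the system root is assumed to be C:\Windows.

```python
import csv
import io
import ntpath  # Windows path rules, usable on any analysis host

# Names the article says the backdoor copies itself under, mapped to the
# directories where the genuine Windows binaries live.
# Assumption: default install with the system root at C:\Windows.
LEGIT_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "services.exe": {r"c:\windows\system32"},
}

# Constructed process-creation events: time, host, parent image, new image.
SAMPLE_LOG = r"""
2012-01-01T09:00:00,PC-01,C:\Windows\System32\services.exe,C:\WINDOWS\system32\SVCHOST.EXE
2012-01-01T09:02:10,PC-02,C:\Users\alice\Downloads\card.exe,C:\Users\alice\AppData\Local\Temp\server.exe
2012-01-01T09:02:11,PC-02,C:\Users\alice\AppData\Local\Temp\server.exe,C:\Users\alice\AppData\Roaming\svchost.exe
2012-01-01T09:02:12,PC-02,C:\Users\alice\AppData\Local\Temp\server.exe,C:/Users/alice/AppData/Roaming/services.exe
2012-01-01T09:05:00,PC-03,C:\Windows\explorer.exe,C:\Windows\System32\..\Temp\services.exe
"""


def find_masquerades(log_text):
    """Return events where a protected name runs from an unexpected directory."""
    findings = []
    for row in csv.reader(io.StringIO(log_text.strip())):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, host, parent, image = row
        # Collapse "..", unify slashes and case before comparing.
        resolved = ntpath.normcase(ntpath.normpath(image))
        directory, name = ntpath.split(resolved)
        allowed = LEGIT_DIRS.get(name)
        if allowed is not None and directory not in allowed:
            findings.append({"time": ts, "host": host, "parent": parent,
                             "image": image, "resolved": resolved})
    return findings


if __name__ == "__main__":
    for hit in find_masquerades(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["host"]}: {hit["resolved"]} '
              f'started by {hit["parent"]}')
```

The genuine, upper-cased svchost.exe on PC-01 is not reported, while the forward-slash and `..` variants are normalised before comparison and still flagged.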

The Labs has reason to believe that the spammer behind this particular e-card uses Umbra Loader, a popular do-it-yourself (DIY) botnet building tool, to distribute malware.


Our friends at Webroot published a preview of the said tool not so long ago.

GFI VIPRE Antivirus detects card.exe as Trojan-Downloader.Win32.Umbald and the backdoor executable files as Backdoor.Agobot (fs). If you recall, the Agobot malware is capable of exploiting software vulnerabilities on affected systems.

So, dear Reader, in case you see this particular 123Greetings.Com email in your inbox, don’t just frown upon it. Bin it.

Jovi Umawing (Thanks to Patrick for spotting this)
