Saturday, February 26, 2011

Email that says "You've received a greeting from a family member!" (Nov. 17, 2006)

Current mood: aggravated

I pride myself on never having been seriously affected by PC viruses. Add to that things like spyware, trojan horses, tracking cookies, popups, and other subversive "malware" that somehow finds its way onto many people's computers. Not that I never have been infected, just that I have never been laid low by them.

I run a pretty tight ship:
* Up-to-date anti-virus software
* Up-to-date operating system service packs and weekly fixes
* Three different anti-spyware packages
* Daily (overnight) automated scans of my entire computer by some combination of these

Beyond that, I avoid Microsoft products in favor of Mozilla for my browser (Firefox, v2.0 just released) and email system (Thunderbird), since they are less likely to be piggybacked-upon by such malware, and more likely to catch it in the first place. They're also free, and run on anything.

Still, beyond all the protection software available, it all comes down to how vigilant one is about recognizing and avoiding malware. This past week, one of them fooled me, so I'll share my newfound wealth of knowledge.

It came as an email to my wife, arriving the morning of her birthday a few days ago. The title was "You've received a greeting from a family member!", and landed in our generic Inbox. (I have a collection of filters to redirect incoming mail to any of several subfolders.) Since she receives emailed postcards from various friends and family on a consistent basis, I just manually moved it, unopened and unpreviewed, to one of her folders, and didn't give it another thought.

Fortunately, she picked up on its potential for scam, scum and spyware.
* It was not clear that it was sent by any identifiable person, known or otherwise
* It was not clear that it was to her in particular
* It was not clear exactly what company it was emanting from (not Hallmark, etc.)
* It was not clear that it had anything to do with her birthday, or any other occasion
* Thunderbird identified it as a potential scam

What it contained was a link. This part almost fooled me. What it appeared to be was not what it was. If clicked, it would try to download and execute a program. Furthermore, the text of the link -- the part that showed in the email -- did not match what actually got run. If you have your status bar turned on (click View on the top menu, and see if Status Bar is checked), and hover over the link, you should see what the link really does.

As an example, try this one. This link, if clicked, will not take you to Playboy magazine: http://www.playboy.com. Go ahead; click it! You won't be sorry! Or, instead, hover over it, and look at your status bar. You should see http://www.vatican.va/phome_en.htm, the English home page for The Holy See (i.e., The Vatican). The email contained a similar underhanded switcheroo.

So you see, on the Internet, unless you're very careful, what you see might not be what you get!

How I figured out that the email was a scam was to do a Google search on the name of the program it was trying to run, "postcards.exe", as well as a search on "virtual postcard from a family member", a key phrase in the email. Both of these returned several hits which explained the scam.

What the thing would have done, had I bit, is to install a program, without my knowledge or permission, which would converse with some server somewhere, accepting commands from that server to do who-knows-what on my computer. Details, go here: http://research.sunbelt-software.com/threatdisplay.aspx?name=Backdoor.IRC.Zapchast&threatid=43753


Consider yourself warned. caveat clicktor

* * * * *

Comments


Stuart Strickland
Stuart Strickland This must have been the beginning of a trend. Since this post, hundreds of "You've received" spam emails have come my way. Rarely a day goes by that I don't get 10 or more! Argh!!

4 years ago

1 comment:

Blogger said...

BlueHost is definitely one of the best web-hosting provider for any hosting plans you might require.