Ecards and Reverse Russian Bride Scams

Filed Under: Malware, SophosLabs, Spam

Some things never go out of fashion, including it would appear spam that promises an ecard but delivers malware.

The latest batch is a basic variation on the old theme, with "dear friend" in the To address and the following message body:

Good day.
You have received an eCard

To pick up your eCard, choose from any of the following options:
Click on the following link (or copy & paste it into your web browser):

http://(domain removed)/e-card.exe

Your card will be aviailable for pick-up beginning for the next 30 days.
Please be sure to view your eCard before the days are up!

We hope you enjoy you eCard.

Thank You!

http://www.greetingcard.org

You'd hope a legitimate ecard site would be able to spell "available". If you did follow the link, you'd find we proactively detect the executable as Troj/Meredr-Gen.

In fact we've been seeing a fair bit of activity from this family of malware, but not always related to ecards, and not always delivered via a link - for example we saw members of the same family as attachments in campaigns that look like a weird "Russian bride" variation on 419 scams. Subjects were variations on "hi love" and "Hi my favourite girl", and here's an example message body:

holaaa mine swet the girl....
Today I had pleasure to read your letter again.
Do not worry your problems will be corrected.
My excitements do not have a limit.
Now I have holiday.
Now I will have complexity to write often but I will try always to inform you.
I have received a few money from the bank, 765.05$, and I ask, that you were exact.
I hope that you will arrive to me 26-08-2008 and we will be together.
My house is ready for a meeting you.
I hope that you will not destroy my heart, and will arrive to me.
Any of your acquaintances and relatives can receive money. I have paid for it 75$
I also, as well as a question on the control.
Question: For what it?
The answering: Letters, love, wedding.
Having made it you or any other person can get transfer in western union.
I have sent you a copy of the document and you to look it.
I hope this sum enough now I go to work.
To wait this that that I now I worry.

Instead of offering a Russian bride for sale, which we see all too often, this spam comes from the other direction entirely. It claims to be from someone who's already bought himself a future wife ... and he thinks you're it! Now he wants to send money for you to join him, and all you have to do is open the attachment to get the details. If you were too curious, or if you think you might want to take this lonely man's money, you'd find yourself opening a Troj/Meredr-Gen executable.

Two very different vectors, but two very similar pieces of malware. Think before you click!

You might like