That e-Card may not contain the easter egg you’re expecting

Did someone send you an e-card? Check those links before you view it.

Sample message content

Messages posing as legitimate greeting cards with titles such as “You’ve received A Hallmark E-Card! !” have been prevalent on the Internet and filtered by our anti-spam solutions for a considerable time. Sophos’ Graham Cluley reported on this activity last year and on the convictions of some of the people involved last month — however, the faux cards continue to flood people’s in-boxes and claim victims.

Over the past months, the malicious emails have become slightly more subtle in their delivery method. While they previously included a telltale zip file as an attachment or a link to an exe, the current crop of messages masquerade as legitimate notifications with no attachments, but the links embedded in the mail point to a web page on some third party web site… which is designed to load malware such as Mal/Zapchas-A onto your computer.

For example, messages that used to contain text such as:


You have recieved a Hallmark E-Card.

To see it, click <a href="http://iulia.samplesite/e-greetings.exe" target="_blank"><strong>here</strong></a>

now contain:


You have recieved a Hallmark E-Card.

To see it, click <a href="http://helukabeli.samplesite/index3.html" target="_blank"><strong>here</strong></a>

which takes you to a page with the following source:

<meta http-equiv="refresh" content="0; url=http://pai.samplesite/greetings.exe">

The result of this code is that the link in the email effectively points to the greetings.exe file. Note that Firefox 3 users can alert themselves to this activity by checking the “Warn me when web sites try to redirect or reload the page” checkbox in the Advanced tab of Firefox Preferences. This feature is disabled by default.
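The check below is an added example, not part of the original post: it scans a mail body or a fetched landing page for links and meta-refresh redirects that end in an executable download, showing why inspecting only the email's link misses the newer messages. The extension list and the names `scan`, `RedirectScanner` and `is_executable_url` are assumptions made for this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Extensions treated as executable downloads (an assumption for this example).
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")

# Parses content="0; url=http://..." into (delay, target).
REFRESH_RE = re.compile(r"^\s*(\d+)\s*[;,]\s*url\s*=\s*['\"]?([^'\"]+)", re.I)


def is_executable_url(url):
    """True when the URL path ends in an executable extension."""
    return urlparse(url.strip()).path.lower().endswith(EXECUTABLE_EXTS)


class RedirectScanner(HTMLParser):
    """Collects <a href> links and <meta http-equiv=refresh> redirects."""

    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (kind, url, is_executable)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self.findings.append(("link", a["href"], is_executable_url(a["href"])))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_RE.match(a.get("content", ""))
            if m:
                url = m.group(2).strip()
                self.findings.append(("meta-refresh", url, is_executable_url(url)))


def scan(html):
    scanner = RedirectScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed samples, modelled on the snippets quoted in this post.
OLD_MAIL = 'To see it, click <a href="http://iulia.samplesite/e-greetings.exe" target="_blank"><strong>here</strong></a>'
NEW_MAIL = 'To see it, click <a href="http://helukabeli.samplesite/index3.html" target="_blank"><strong>here</strong></a>'
LANDING = '<html><head><meta http-equiv="refresh" content="0; url=http://pai.samplesite/greetings.exe"></head></html>'

if __name__ == "__main__":
    for name, doc in (("old mail", OLD_MAIL), ("new mail", NEW_MAIL), ("landing page", LANDING)):
        print(name, scan(doc))
```

The newer mail body comes back with no executable flag; only the landing page's meta-refresh target does, so a filter has to follow the link one hop to see the download.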

While most people in today’s climate are cautious about clicking links on emails from unknown senders, spam messages such as these — appearing to come from a respected source — can slip under the radar, especially around holidays when you might be expecting friends and family to send you a quick “thinking of you” using these services.

Before you click, following a few simple guidelines could save you from a nasty headache. First, ensure that your anti-virus protection is enabled and actively scanning files you download, and that it has the latest updates. Second, review the link in your mail client to verify it matches the expected sender. Some mail clients allow you to hover your mouse over the link to see where it links to — for some you might need to copy the link and paste it into a text editor in order to see where it goes.

The simplest thing you can do, though, is avoid opening e-cards that aren’t addressed to you and aren’t from someone you know. The majority of the spammed e-cards do not indicate the sender or the recipient in the body, and so are easy to recognize. Legitimate e-cards tend to have this personally identifiable information included in the message body.

And of course, nothing beats a handwritten card for impact in this era of instant communications.