Content

Not Every Card Offers Well Wishes

Internet marketing and viruses have much in common: they are annoying, unwanted, and usually arrive by email.

Another trait they share is a constant exploration for new vectors to attack: new ways to dupe the target into spreading a worm, visiting a web site, or relinquishing some personal information.

It was surely only a matter of time before electronic greeting cards became a target. In fact, I'm amazed it's taken this long. I've long complained at people who send me missives from certain desktop e-card creation tools, since some of them create cards in Windows executable files, a favorite virus vector. Would you open GREETINGCARD.EXE, even if it came from someone you know? Actually most people would, which is why it's such an ideal vehicle for a virus or worm, or spam for that matter.

It must have taken some effort, but an online mass-marketing company called FriendGreetings managed to combine elements of spam, virus and mail abuse into a single package, releasing a fake e-card which requires the recipient to install an "e-card viewing" ActiveX control. The software is in fact a worm in all but name, and proceeds to mail itself (complete with fake e-card) to every entry in the victim's Outlook contacts list. It has no known harmful payload, but that's not entirely relevant - there's no guarantee the next one won't include a distributed denial-of-service (DDoS) agent, backdoor tool, spy/ad-ware or something similar.

Strictly speaking, Permissioned Media didn't actually do anything wrong, or at least anything illegal. The full details of what the software is going to do is clearly spelled out in the second of two end-user license agreements, which must be accepted by the user before it was installed. "Permissioned Media will access your MicroSoft [sic] Outlook® Contacts list and send an email to persons on your Contacts list..." it says. Several times, in fact, even if you do have to scroll down the EULA a little to see it.

It's obvious that Permissioned Media knew full well just how many people actually bother to read the EULAs at all, even assuming they would be dissuaded from clicking "Yes" had they read that far anyway.

As a delivery vehicle, it's nearly perfect - a captive audience who provide not only the market but also the medium for distribution.

However, as marketing campaigns go, it's probably done them and many innocent e-card vendors a great deal of harm. You've now got a large user-base of disgruntled e-card recipients, who will view the next one with great suspicion, and who will certainly think twice before sending one off in future. Or will they? Repeated instances of worms hasn't dissuaded many users from gleefully opening potential pictures of Anna Kournikova or love letters from people they barely know.

This was the second e-card debacle to happen in the space of a few days. Just prior to FriendGreetings' little escapade, a charming bunch called surprisecards.net was discovered to have initiated the distribution of similar malware, this time with a nasty pornographic payload. An email message designed to look like a greetings card, complete with a fake "[email protected]" source address, lures the victim to a fake greeting card web site where software must be installed to "view the card." Except that no card appears - which was a fortunate misstep by the vendor, alerting some users to the possibility that all was not as it seemed. Instead, the software installs an Internet Explorer plugin, which thereafter generates an avalanche of popup windows advertising pornographic websites, based on keywords it finds in other sites the user visits.

So there we have an unlovely combination of spam, privacy violation and offensive advertising, probably crossing the line into acceptable use policy violation in corporate environments. Will the next one be an outright virus? Quite possibly - aspiring virus writers will not have failed to notice the effectiveness of these two campaigns.

As ever, the efforts of a few may have ruined the experience of the many. E-card service providers will have a difficult time reassuring users that their own offering is benign and devoid of unexpected consequences. That's assuming their products can reach end users at all: I have no doubt many mail gateways will be blocking e-cards on sight, and anti-virus vendors have already reacted to these incidents with pattern files to block these particular attachments, despite EULA loopholes.

The final twist is almost laughable: the surprisecards.net domain is registered to Cytron CEO Richard Oliver, who Wired Magazine quoted in 1998 bemoaning the advertising overheads in selling porn online.

Jon Tullett is U.K. and online editor for SC Magazine (www.scmagazine.com).
 
 

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.