By Jennifer LeClaire TechNewsWorld
11/01/06 4:00 AM PT
As e-tailers prepare for a booming online shopping season, e-scammers are already making moves to gather stolen identities.
Researchers at Exploit Prevention Labs recently uncovered a major cyber criminal ring operating in Australia using what appear to be Yahoo (Nasdaq: YHOO) Greetings e-cards to infect thousands of computer users with malicious keylogger malware. Attackers used the malware to steal credit card numbers, bank account usernames and passwords and other personal information.
Accounts at nearly every Australian bank were affected, according to Exploit Prevention Labs. The criminals did not stop there, though. Researchers have discovered further evidence that the malicious e-card spammers have expanded their operations with confirmed targets in North America, Europe and Asia using a variety of e-card supplier accounts.
"I've never seen anybody using an exploit via an exploit server," Roger Thompson, Exploit Prevention Labs' CTO, told TechNewsWorld. "This scam is slick because victims don't see the redirective from Yahoo to the phishing site. If you are not patched, you get nailed."
Beware of E-Cards
Here's how it works: The attackers accomplish their "slick" scam by placing a malicious hyperlink in the e-mail, which first sends the user's Web browser to an exploit server.
The exploit server checks whether the user's Web browser has been patched for the latest software vulnerabilities. If it is unpatched, the server silently force-downloads a rootkit and a keylogger onto the user's computer before redirecting the Web browser to an authentic Yahoo Greetings card.
On the user-facing end, the victim clicks the link to view the card, but the card does not say who sent it. The victim closes the card and goes about his business, unaware that a rootkit was delivered to his PC before he even picked up the card.
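The chain described above leaves a recognizable trace in a web proxy log: a client fetches an unfamiliar host, often pulling down an executable payload, and within seconds lands on the legitimate greetings site. The following detection script is an added example, not code from the original article or from Exploit Prevention Labs. The log format (a Squid-style line of timestamp, client, status, method, URL and MIME type), the 10-second window, the allow-list of e-card hosts and every hostname and address in the sample lines are assumptions constructed for the example.

```python
"""Flag the 'exploit server hop before the real e-card' pattern in proxy logs.

Added example for the TechNewsWorld article; not code from the original
page or from any vendor named in it.  Log format, hosts and window size
are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed allow-list of legitimate e-card providers.
KNOWN_ECARD_HOSTS = {"greetings.yahoo.com"}
# MIME types that indicate a forced binary download rather than a card page.
EXECUTABLE_MIME = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-msdos-program",
}
WINDOW_SECONDS = 10.0  # assumed: how close the hop must be to the card fetch

# Constructed sample log: time client status method url mime-type
SAMPLE_LOG = """\
1162346380.000 10.0.0.5 200 GET http://mail.example.net/inbox text/html
1162346402.310 10.0.0.5 200 GET http://203.0.113.9/x/index.php text/html
1162346403.015 10.0.0.5 200 GET http://203.0.113.9/x/load.exe application/octet-stream
1162346404.220 10.0.0.5 302 GET http://203.0.113.9/x/go.php text/html
1162346404.900 10.0.0.5 200 GET http://greetings.yahoo.com/greet/view?cardid=1234 text/html
1162346500.000 10.0.0.7 200 GET http://greetings.yahoo.com/greet/view?cardid=5678 text/html
1162346600.000 10.0.0.9 200 GET http://news.example.org/index.html text/html
1162346640.000 10.0.0.9 200 GET http://greetings.yahoo.com/greet/view?cardid=9999 text/html
"""


@dataclass
class Request:
    ts: float
    client: str
    status: int
    host: str
    url: str
    mime: str


def parse_log(text):
    """Parse the constructed six-field log format into Request records."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, status, _method, url, mime = line.split()
        host = (urlsplit(url).hostname or "").lower()
        reqs.append(Request(float(ts), client, int(status), host, url, mime))
    return reqs


def find_exploit_hops(reqs, window=WINDOW_SECONDS):
    """For every fetch of a known e-card host, look back `window` seconds for
    requests by the same client to hosts that are not e-card providers.
    The hop alone is a weak signal (any page open just before the click
    would match); an executable download or a redirect from the hop host
    is what turns it into the pattern the article describes."""
    by_client = defaultdict(list)
    for r in reqs:
        by_client[r.client].append(r)

    alerts = []
    for client, rs in by_client.items():
        rs.sort(key=lambda r: r.ts)
        for i, r in enumerate(rs):
            if r.host not in KNOWN_ECARD_HOSTS:
                continue
            hops = [p for p in rs[:i]
                    if r.ts - p.ts <= window and p.host not in KNOWN_ECARD_HOSTS]
            if not hops:
                continue
            alerts.append({
                "client": client,
                "card_url": r.url,
                "hop_hosts": sorted({p.host for p in hops}),
                "executable_download": any(p.mime in EXECUTABLE_MIME for p in hops),
                "redirect_seen": any(300 <= p.status < 400 for p in hops),
            })
    return alerts


if __name__ == "__main__":
    for a in find_exploit_hops(parse_log(SAMPLE_LOG)):
        print(a)
```

Only client 10.0.0.5 is reported: its webmail request is outside the window, while the 203.0.113.9 hop delivered an octet-stream and answered with a 302 just before the genuine card loaded. Clients that go straight to the greetings site, or reach it long after browsing something else, produce no alert.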
"Previous e-card attacks and resulting infections have been slanted more toward denial of service, spam relay and virus propagation -- this one is much more dangerous to users because their financial information is at risk," Minoo Hamilton, senior vulnerability researcher for nCircle, told TechNewsWorld.
VML Memories
The actual exploit, known as Mdac after the Microsoft Data Access Components flaw it targets, has been gaining popularity among cyber criminals. The Mdac exploit code is launched by a WebAttacker script, a kit developed by Russian cyber criminals. WebAttacker, which security researchers report is the most prevalent Internet-borne exploit generator, was also behind the VML exploit that made news in September.
Systems that are up to date on patching should not be vulnerable to the original version of this e-card exploit, but according to Thompson, the latest version of the e-card scam is significantly different, and is indicative of an escalation of the threat.
"We started tracking Mdac back in June, shortly after WebAttacker was upgraded," Thompson said. "Initially, it was just a tiny blip on the radar, registering 0.5 percent in our Exploit Prevalence Survey for that month. In July, it was up to 3.51 percent, and last month it reached 6.69 percent. If that pattern continues, we can expect to see both vendors and traditional anti-malware vendors experiencing significant problems in trying to keep up with the threat."
Prepare for the Onslaught
With e-card traffic doubling during the holiday season, nCircle's Hamilton expects similar scams to emerge over the next few months.
"E-cards are the perfect social engineering construct because they appear to come from someone a user trusts, they present information that people are excited to receive, and unlike other phishing e-mails, users are inclined to take action because their defenses are down," Hamilton warned. "Even very computer savvy users can be taken in by this type of attack because the typical red flags are very hard to detect."
Indeed, those responsible for phishing attacks may lack morals, but they certainly don't lack creativity. They will take advantage of any event so long as it is likely to increase the success of a social engineering attack, according to Michael Sutton, a security evangelist at SPI Dynamics.
"In the past, I've seen phishers take advantage of INS filing deadlines and natural disasters and they will no doubt also take advantage of the upcoming holiday season. The sad part is that they often tend to prey on the kindness of others by posing as charitable organizations which is more likely to succeed during the holidays when everyone is in a giving mood," Sutton told TechNewsWorld.
I Love You ... Sucker
This latest attack reminds Sutton of the "I Love You" virus that hit back in 2000 in its approach to social engineering: it plays on people's emotions by delivering a greeting card from an unknown source.
Scams like this work for two reasons, Sutton said. First, social engineering works well in general. The weak link in the security chain continues to be the human element. People are curious and it's that curiosity that fuels social engineering attacks. Second, despite efforts to make patching a seamless process, a large percentage of computers remain unpatched for long periods of time.
"This is a good scam and it's hard to defend against. They were using a five-month old exploit and still managing to catch people," Thompson said. "We assume that this scam will be in use for months to come yet."
Self-Preservation 101
As Thompson noted, the victims of the Australian scammers' attack were unpatched users. Security researchers recommend that Internet users enable automatic updates for the operating system and client software. Antivirus software does not necessarily help against these attacks, he added, because the exploit bypasses the scanner by abusing a known, unpatched vulnerability.
"We're at the point where patches must be applied in a matter of hours as opposed to days and for most people this simply won't happen if the patching process is a manual effort," Sutton argued.
"Beyond this, people need to be wary of opening e-mail from unknown sources and with unexpected content. If a message seems suspect, it probably is," he continued. "Phishing attacks are becoming increasingly sophisticated and given the ease of creating a professional looking message from a spoofed source, HTML formatted e-mail provides a strong medium for social engineering attacks."
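One concrete check a mail gateway or a cautious reader can apply to the HTML lure itself is to compare where each link says it goes with where it actually goes, and whether the real destination is the e-card provider the message claims to be from. The script below is an added example and not code from the original article or from any vendor named in it; the trusted-host list and the sample message are constructed assumptions.

```python
"""Audit the links in an HTML e-card e-mail.

Added example for the TechNewsWorld article; not code from the original
page.  The trusted provider list and the sample message are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: the only host the message is entitled to send the reader to.
TRUSTED_ECARD_HOSTS = {"greetings.yahoo.com"}

# Constructed sample lure: the visible text shows the real card site, the
# href points at a bare IP address (the exploit server in the article's chain).
SAMPLE_MAIL = """<html><body>
<p>You have received a greeting card from a friend!</p>
<p>To view it, click
<a href="http://203.0.113.9/x/index.php?card=1234">http://greetings.yahoo.com/greet/view?cardid=1234</a></p>
<p>or visit <a href="http://greetings.yahoo.com/">Yahoo! Greetings</a> to browse cards.</p>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Hostname of a URL, or of a bare domain-looking string, lowercased."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def is_trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_ECARD_HOSTS)


def audit_ecard_mail(html):
    """Return one finding per link with the reasons it looks suspicious."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        reasons = []
        if not is_trusted(href_host):
            reasons.append("href host %r is not the claimed e-card provider" % href_host)
        # If the visible text looks like a URL or domain, it must match the href.
        shown = host_of(text) if ("." in text and " " not in text) else ""
        if shown and shown != href_host:
            reasons.append("visible text points at %r but link goes to %r" % (shown, href_host))
        if re.match(r"^\d{1,3}(\.\d{1,3}){3}$", href_host):
            reasons.append("link uses a bare IP address")
        findings.append({"href": href, "text": text, "host": href_host,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_ecard_mail(SAMPLE_MAIL):
        print(("SUSPICIOUS " if f["suspicious"] else "ok         ") + f["href"], f["reasons"])
```

On the constructed message the first link is reported on all three counts (untrusted host, text/href mismatch, bare IP), while the second, whose visible label is plain prose and whose href really is the provider, passes. The check is deliberately dumb about the reader's trust in the sender: as the article notes, the sender is exactly what the lure spoofs, so only the link target is worth reasoning about.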