Spoofed eCard Emails -- an example of a dangerous one

We received a spoofed email whose from-address was that of a reputable eCard website. That reputable eCard site did not send it. The mail was forged by a spammer to make it appear to be a legitimate email. The bad part was that attached to the email was a potentially dangerous executable file. In this tutorial, we will show you how to spot these spoofed emails and watch out for dangerous attachments.

1. I have AutoPreview (not AutoPane) turned on in Microsoft Outlook so that I can view a few lines of text in each email and decide whether it is suspicious or not. I see this mail come in that says I got an eCard from a family member. How did they know it was from a family member and not an acquaintance or friend? People who send eCards from these sites are typically not asked to identify their relationship to the addressee. In fact, they are not. Spammers made up a catchy subject line just to entice people to open the mail. I did not see my name in the first few lines of the email preview. A legitimate eCard almost always asks for the name of the addressee and places that name in the first few lines. The from-address actually does show the name of a legitimate eCard company. However, we all know that from-addresses on these types of emails are always forged, so it does not mean anything.

2. The mail is suspicious. I do not double-click or open it. Simply opening it with images turned on will send a web beacon back to the spammer, indicating that the mail has arrived at a valid destination, and you do not want to inform spammers that they have your correct email address.

3. At this point, you can delete the email. But I will examine it further, being careful not to trigger anything dangerous. I do a File -> Save As and save it as an HTML file on my local drive.

4. I open this file with Notepad (and definitely NOT a browser) so that I can view the code. I see the call-to-action text asking me to pick up the postcard at the web address mentioned. Then I see an <a> tag for that web address. The important thing to examine in the <a> tag is the href attribute: this is where you will be taken if you click the link. The display text of the link can be anything and can even look legitimate, but that is not what matters; the href is the real link. In this example, the href points to the IP address of a server owned by the spammer. That address does not even have a domain name, which is even more suspicious. The most dangerous part is that the URL is to an executable .exe file, postcard.exe. That means that if the link is clicked, the executable file will attempt to run. Whether it succeeds depends on how much virus protection you have on your machine and how up to date your browser is. You never want to trigger these executables to run, because most likely they are adware, spyware, viruses, trojans, and the like. If you accidentally trigger the executable to run, you need to get the latest virus and spyware scanner and run it on your system.

5. We did a Google search for the words in the subject line of the email and found that this is a form of the Aunt Edna virus, and this is how the exploit attempts to work. You can see from the dates of those articles that these exploits are nothing new. Here is more information from scambusters.org.
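As an added example (not part of the original tutorial), the following Python script automates the checks described in steps 2 and 4 on a saved HTML email: it reads the href of every <a> tag rather than its display text, flags links whose host is a bare IP address with no domain name or whose path ends in an executable such as .exe, reports display text that names a different host than the href, and lists remote <img> tags, which are the web beacons that fire when a mail is opened with images on. The sample message, the 192.0.2.45 address and the file names in it are constructed placeholders for this example, not indicators taken from the original mail.

```python
"""Flag suspicious links and web beacons in a saved HTML e-mail.

Added example, not code from the original tutorial. The sample HTML below is
constructed; 192.0.2.45 (a documentation address) and the file names are
placeholders, not real indicators.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# File extensions that mean "clicking this runs a program", per the tutorial's
# warning about postcard.exe (list chosen for this example).
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs")

# Display text that itself looks like a web address, e.g. "www.example.test/x".
URL_LIKE = re.compile(r"^(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})(?:[/?#]\S*)?$", re.I)


class MailLinkParser(HTMLParser):
    """Collect every <a href> with its visible text, and every remote <img src>."""

    def __init__(self):
        super().__init__()
        self.links = []    # list of (href, display_text)
        self.images = []   # remote image sources (potential web beacons)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href = a["href"]
            self._text = []
        elif tag == "img" and (a.get("src") or "").startswith(("http://", "https://")):
            self.images.append(a["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip_host(host):
    """True when the URL host is a literal IP address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_link(href, text):
    """Return the list of reasons this link is suspicious (empty if none)."""
    reasons = []
    url = urlparse(href)
    host = (url.hostname or "").lower()
    if is_ip_host(host):
        reasons.append("host is a bare IP address with no domain name")
    if url.path.lower().endswith(EXECUTABLE_EXTS):
        reasons.append("link points at an executable (%s)" % url.path.rsplit("/", 1)[-1])
    # The display text is what the reader sees; the href is where they really go.
    m = URL_LIKE.match(text)
    if m and m.group(1).lower() != host:
        reasons.append("display text shows %s but href goes to %s" % (m.group(1), host))
    return reasons


def analyze_html(html):
    """Parse a saved HTML mail and return per-link findings plus remote images."""
    p = MailLinkParser()
    p.feed(html)
    return {
        "links": {href: assess_link(href, text) for href, text in p.links},
        "beacons": p.images,
    }


# Constructed sample mimicking the tutorial's mail (placeholder IP and names).
SAMPLE_MAIL = """
<html><body>
<p>Hello! A family member has sent you a postcard.</p>
<p>Pick up your postcard at:
<a href="http://192.0.2.45/postcard.exe">www.example-ecards.test/pickup</a></p>
<img src="http://192.0.2.45/track.gif" width="1" height="1">
<p>Or read our <a href="https://www.example-ecards.test/privacy">privacy policy</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    report = analyze_html(SAMPLE_MAIL)
    for href, reasons in report["links"].items():
        print(href, "->", "; ".join(reasons) or "no findings")
    for src in report["beacons"]:
        print("remote image (possible web beacon):", src)
```

Run it on any message saved with File -> Save As (HTML); a link that is flagged for more than one reason, as postcard.exe is here, is exactly the kind the tutorial says you should never click.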