A few weeks ago I got a fairly genuine-looking ecard email, but something about it triggered my suspicion, so I did some further checking of the message and spotted that the From address didn't match the listed name and that the link for the ecard was an IP address rather than a website.
The link itself displays a message, "If this card does not download in 15 seconds click this link", and that link takes you to an .exe file, so obviously not a legitimate site!
That was about two weeks ago. Since then the number of emails I'm getting with this type of exploit has been steadily increasing, so there appears to be a growing trend for this type of attack, and it makes sense: it is less likely to be stopped by mail filtering, will not trigger an IPS alert and probably won't be stopped by local anti-virus software. Hopefully the .exe file that the site points to will be stopped by local AV.
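As an added example (not the post's own code), here is a small Python script that applies the checks described above to a constructed sample message: it parses the mail, flags a From display name that advertises a different domain than the real sender address, and flags links whose host is a raw IP address or whose path ends in an executable extension. The sample message, its addresses and the IP are constructed placeholders, and the list of executable suffixes is an assumption rather than anything from the post.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the ecard mail described in the post.
# Addresses and the IP are placeholders (documentation ranges), not real indicators.
SAMPLE_MAIL = """\
From: "ecards-example.com" <noreply@mailer.example.net>
To: me@example.org
Subject: You have received an ecard
Content-Type: text/html; charset=utf-8

<html><body>
<p>A friend has sent you an ecard!</p>
<p>If this card does not download in 15 seconds
<a href="http://203.0.113.45/ecard.exe">click this link</a></p>
</body></html>
"""

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
# Something that looks like a domain name inside the display name.
DOMAIN_RE = re.compile(r'\b([a-z0-9-]+\.[a-z]{2,})\b', re.IGNORECASE)
# Assumed list of suffixes worth flagging; extend to taste.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".bat")


def is_ip_host(host):
    """True if the URL host is a literal IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_sender(from_header):
    """Flag a display name that names a domain other than the real address domain."""
    reasons = []
    name, addr = parseaddr(from_header)
    addr_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for dom in DOMAIN_RE.findall(name):
        dom = dom.lower()
        if dom != addr_domain and not addr_domain.endswith("." + dom):
            reasons.append(f"display name mentions {dom} but address domain is {addr_domain}")
    return reasons


def check_links(html):
    """Flag links with raw-IP hosts or executable targets."""
    reasons = []
    for url in HREF_RE.findall(html):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if is_ip_host(host):
            reasons.append(f"link uses a raw IP address: {url}")
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append(f"link points at an executable: {url}")
    return reasons


def analyse(raw_message):
    """Return a list of human-readable reasons the message looks suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = check_sender(str(msg["From"]))
    body = msg.get_body(preferencelist=("html", "plain"))
    reasons += check_links(body.get_content() if body else "")
    return reasons


if __name__ == "__main__":
    for reason in analyse(SAMPLE_MAIL):
        print("SUSPICIOUS:", reason)
```

The three checks are deliberately cheap and header/body based, so they can sit in a mail-filter hook or a triage script without executing anything from the message; a hit is a reason to quarantine or look closer, not proof on its own.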
I've downloaded the .exe but haven't had a chance to see what it does. I will be analysing it in more detail later today and will blog back here; in the meantime, keep a watch out for dodgy ecard emails.