During the last two weeks we've been receiving lots and lots of greeting card samples. So what happens is that someone gets an e-mail saying that they've received a greeting card from a friend, relative, or class mate and all they have to do to view it is to click on a link or go to a website and enter their eCard number. Below is an example:
Pretty much all of the messages we've seen have used a visible IP address as the address to download the greeting cards from. The fact that it's using an IP address and not a domain name is a pretty good sign that you shouldn't click on the link.
As today is the 4th of July – Independence Day in the United States, it wasn't a big surprise that there has been lots of malicious 4th of July greeting cards going around. They work exactly the same way as the other greeting cards and the ones we've seen have all been using IP addresses for the clickable link. Again, stay away from them.
What's great is that the security community is actively trying to get these sites shut down but the bad guys just keep on changing the IP address in the new mails. In addition, they keep changing the files that are being downloaded. It goes without saying that we're adding detection for them as we see new samples.