Updated January 2005. © Dynamoo 2005

Warning: "Aunt Edna" email from postcards.org

13th January 2005

Note: these email messages are not being sent out by postcards.org.


A number of email messages are circulating, claiming to be from postcards.org carrying a message from "Aunt Edna". These appear to be sent to addresses that commonly receive spam, indicating that perhaps the senders are using spam lists.

The format of the message varies slightly, but it appears to be similar to the following:

    You have just received a virtual postcard from Aunt Edna!

    You can pick up your postcard at the following web address:
    http://www.postcards.org/?35-dodge-treads-aunt

    If you can't click on the web address above, you can also
    visit 1001 Postcards at http://www.postcards.org/postcards/
    and enter your pickup code, which is: 35-dodge-treads-aunt

    (Your postcard will be available for 60 days.)

    We hope you enjoy your postcard, and if you do,
    please take a moment to send a few yourself!

    Regards,
    1001 Postcards
    http://www.postcards.org/postcards/

    P.S. If you're happy with our service, let us know by
    making a donation to help us pay our server hosting costs!
    Please visit our donation page at Amazon.com!
    http://www.amazon.com/paypage/PHVNBUIYDIUYD98QH

    ------------------------------------------------
    Introducing the 1001 Postcards weekly newsletter!
    Click here to subscribe for free to 'Greetings from Marty & Alice':
    http://browse.postcards.org/go/postcards/newsletter?action=subscribe&email=[munged]
    ------------------------------------------------
    sender-ip: 93.52.41.77

The mail uses a trick similar to many phishing emails, in that the displayed link of http://www.postcards.org/?35-dodge-treads-aunt is actually a disguised link to another server or PC, possibly belonging to an innocent third party. The page it leads to consists of several exploits that affect Internet Explorer; during tests our anti-virus software stopped them. Mozilla/Firefox will also load the exploit code, although it is not known if those browsers are vulnerable. This appears to download a variant of the CoolWebSearch trojan, which is a particularly unpleasant application. In this case the IP address of the server is 4.40.128.96, port 8180 and the target directory is called /009/ (I deliberately haven't made this a simple URL as it is still valid at the time of publication). In this case the email originated from 83.25.234.72 in Poland.

Note that the "dodge-treads-aunt" text seems to be common across different variants of the email, although the prefix number varies. In any case, the displayed URL is completely bogus and could read anything at all.

If you have clicked on the link in this email we recommend that you try Microsoft Anti-Spyware or CWShredder to disinfect your system, plus a run through with your favorite anti-virus software. Note that Firefox should be less vulnerable to this kind of exploit. We were also using the full version of Eudora 6.2, which has built-in anti-phishing protection to help protect against bogus emails of this type.

If we find more information we will post it here.
