Think you got a cheery greeting card from a friend via email?
Well, think again, and be careful before opening it. A new form of fake e-card notification e-mails are unleashing nasty viruses and virus-carrying Trojan horses on unsuspecting users.
While e-card-triggered viruses and Trojan horses are not new, the latest versions are becoming more difficult for typical anti-virus and anti-spam defenses to detect, according to alerts issued today by security software vendors Avinti and F-Secure.
The new complication, said Dave Green, chief technology officer at Lindon, Utah-based Avinti, is that the latest slew of fake e-card email notifications are using plain text in their messages, which don't get scanned and scrutinised by anti-virus and anti-spam defence applications. While the emails don't contain pasted links or attached files that a recipient can click on to get a computer infection, many email clients automatically convert the included text into a clickable link when the email clients recognise a web address in the text.
"It appears they have done that to get around a lot of the parsing used by anti-virus and anti-spam applications" to fight such attacks, Green said. "It's an interesting cat-and-mouse game between the bad guys and the good guys."
"Apparently, they've found that they can be very successful in getting these through by not having it be formatted as an HTML message," Green said.
All recipients have to do to trigger the virus is to click on the link created by the email client once they have read the message, he said.
Adding to the confusion and the potential seriousness of the problem, he said, is that the perpetrators sending these emails are using the names of some of the most popular electronic greeting card companies in their messages and web links.
Avinti said it has updated its Avinti Isolation Server product to protect against such attacks, while other vendors are still updating their own products.
Avinti's alert said the links to the fake e-greeting cards lead to IP addresses in various locations, including the US and Eastern Europe, and many are registered to US Internet service providers. The damaging payload files are new variants of the Storm Worm virus that was first detected in January, the company said.
In its alert today, Helsinki, Finland-based security vendor F-Secure said the fake e-card messages from one group of online criminals appear to have changed since last night, when they dropped the use of attached files and went to plain-text messages.
An included link then tells the recipient to install a free "Microsoft Data Access" application to retrieve the e-card, but that file - msdataaccess.exe - is a damaging virus. F-Secure said it has identified the virus as Email-Worm.Win32.Zhelatin.gg.
Danny Allan, director of research at security analysis vendor Watchfire, said he has seen similar all-text e-greeting mailings before, but the numbers have increased lately.
For anti-virus and anti-spam vendors, the theory had been that if the message includes plain text without links and attachments, it could cause no harm, he said. That approach has to change, Allan said.
Users need to be cautious and not click on links they find in emails, Allan said. Instead, they should go directly to a website by typing its address into a web browser and go there on their own, bypassing links that could be malicious.
Vendors will have a tough time making the problem go away completely, he said, because they can't devise ways of evaluating every Web link or instance in an email. However, they can improve detection of suspicious encoded characters and domain names in messages.
"If there was a silver bullet that could solve the problem, the anti-virus companies would have done it," Allan said.
Zully Ramzan, a senior principal researcher at Symantec's security response team, said Symantec has seen plain-text attacks before and doesn't view them as a new problem.
"There's been a bit of a resurgence lately" with e-card notification messages, possibly because of last month's July 4 holiday or because criminal groups have been organising mailing campaigns, he said.
Andrew Jaquith, a security analyst at Boston-based Yankee Group Research, said the latest e-greeting attacks are an example that criminals "are going to be coming up with more and more ingenious ways of tricking people or exploiting ways of tricking your e-mail client. This is just one of any number of ways that these guys are going to try to lure users to do something they shouldn't."