Monday, January 3, 2011

Beware E-Cards!

I saw two recent reports of malicious email containing innocuous-looking e-cards that reinforce a basic rule that should be part of every organization's security training: Do not ever, EVER open an attachment or click a link (particularly an e-card) unless you are expecting it.

A number of people who should have known better didn't follow this advice. Read on...

In the first case, Krebs on Security reports on a fake Christmas card that appeared to come from the White House and led to gigabytes of sensitive files being uploaded to a server in Belarus. Merry Christmas, indeed. The card read, in part:

"As you and your families gather to celebrate the holidays, we wanted to take a moment to send you our greetings. Be sure that we're profoundly grateful for your dedication to duty and wish you inspiration and success in fulfillment of our core mission."

Recipients who clicked the links and opened the file were infected with a ZeuS Trojan variant that steals passwords and documents and uploads them to a server in Belarus. The bad guys managed to collect more than 2 gigabytes of PDFs, Microsoft Word and Excel documents from dozens of victims. According to Krebs on Security, among those who fell for the scam e-mail were:

-An employee at the National Science Foundation’s Office of Cyber Infrastructure.

-An intelligence analyst with the Massachusetts State Police, who gave up dozens of documents that appear to be records of court-ordered cell phone intercepts.

-An unidentified employee at the Financial Action Task Force, an intergovernmental body dedicated to the development and promotion of national and international policies to combat money laundering and terrorist financing.

-An employee at the Millennium Challenge Corporation, a federal agency set up to provide foreign aid for development projects in 15 countries in Africa, Central America and other regions.

There certainly were others. You can read all the details here.

The second case is reported in Threatpost and describes a campaign that recently emerged and is (again!) sending millions of emails that appear to be holiday e-cards. The messages are all short and look similar to this:

Tom has created a New Year ecard.

To view this page please click here: hxxp:maliciousurlgoeshere.com

This message will be stored for 14 days.

Unsuspecting - or untrained - victims who click on the link in the email are sent to one of a number of compromised domains, which then redirects the user to another page that displays a message asking the user to download a fake Flash player. The "player", of course, installs malware on the victim's machine.
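The two lures above share a handful of tells that a mail gateway or a simple triage script can check for before a user ever sees the message: the "X has created a ... ecard" phrasing, a "click here" call to action, a "stored for N days" deadline, link text that names one domain while the href points at another, and attachments with risky extensions. The following Python is an added example written for this post; it is not code from the post, from Krebs on Security or from Threatpost. The three messages are constructed for illustration (the first mirrors the wording quoted above, the second is modelled on the White House lure), the hostnames `maliciousurlgoeshere.com`, `card-host.example` and `evil.example` are placeholders, and the scoring thresholds are arbitrary assumptions rather than anyone's published rule.

```python
import os
import re
from urllib.parse import urlparse

# Indicators drawn from the two lures described in the post.
LURE_PHRASE = re.compile(
    r"\b(?:has|have)\s+(?:created|sent)\s+(?:you\s+)?(?:a|an)\s+(?:\w+\s+){0,3}e-?card\b", re.I)
CLICK_HERE = re.compile(r"\bclick\s+here\b", re.I)
TIME_PRESSURE = re.compile(r"\b(?:stored|available|kept|valid)\s+for\s+\d+\s+days?\b", re.I)
DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
# Extensions that should never arrive as an unsolicited "card" (assumed list, extend to taste).
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".js", ".zip", ".rar"}


def refang(url):
    """Turn defanged indicators (hxxp://, example[.]com) back into a parseable URL."""
    url = re.sub(r"^hxxp(s?):", r"http\1:", url, flags=re.I)
    return url.replace("[.]", ".")


def host_of(url):
    """Lower-cased hostname of a possibly defanged, possibly scheme-less URL, or None."""
    url = refang(url.strip())
    # Drop any scheme, with or without '//', so 'hxxp:host.com' parses like 'http://host.com'.
    url = re.sub(r"^[a-z][a-z0-9+.-]*:/{0,2}", "", url, flags=re.I)
    return (urlparse("http://" + url).hostname or "").lower() or None


def score_message(msg):
    """Return (score, reasons) for one parsed message.

    msg is a dict with keys: subject, body, links (list of (anchor_text, href)
    tuples) and attachments (list of file names). Each matched indicator adds 1.
    """
    reasons = []
    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}"
    if LURE_PHRASE.search(text):
        reasons.append("e-card creation/delivery lure phrase")
    if CLICK_HERE.search(text) and msg.get("links"):
        reasons.append("'click here' call to action with a link")
    if TIME_PRESSURE.search(text):
        reasons.append("time-pressure phrase (message stored for N days)")
    for anchor, href in msg.get("links", []):
        shown = DOMAIN_IN_TEXT.search(anchor)   # does the visible text name a domain?
        actual = host_of(href)                   # where does the link really go?
        if shown and actual and shown.group(1).lower() != actual:
            reasons.append(f"link text shows {shown.group(1)} but points to {actual}")
    for name in msg.get("attachments", []):
        if os.path.splitext(name.lower())[1] in RISKY_EXTENSIONS:
            reasons.append(f"risky attachment type: {name}")
    return len(reasons), reasons


def verdict(msg):
    """Assumed policy: 3+ indicators -> hold for review, 1-2 -> flag to the user, 0 -> pass."""
    score, _ = score_message(msg)
    if score >= 3:
        return "hold"
    if score >= 1:
        return "flag"
    return "pass"


# Constructed sample messages (not real captures).
SAMPLE_MESSAGES = [
    {   # mirrors the New Year e-card lure quoted in the post
        "subject": "Tom has created a New Year ecard",
        "body": ("Tom has created a New Year ecard.\n"
                 "To view this page please click here: hxxp:maliciousurlgoeshere.com\n"
                 "This message will be stored for 14 days."),
        "links": [("click here", "hxxp:maliciousurlgoeshere.com")],
        "attachments": [],
    },
    {   # modelled on the spoofed White House greeting: shown domain != real target
        "subject": "Happy Holidays",
        "body": ("As you and your families gather to celebrate the holidays, we wanted to "
                 "take a moment to send you our greetings. View the card at www.whitehouse.gov"),
        "links": [("www.whitehouse.gov", "http://card-host.example/holiday/card.zip")],
        "attachments": ["card.zip"],
    },
    {   # benign internal reminder
        "subject": "PCI training reminder",
        "body": "The PCI training session for campus merchants is Thursday at 2pm. Agenda attached.",
        "links": [],
        "attachments": ["agenda.pdf"],
    },
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        score, reasons = score_message(m)
        print(f"{verdict(m):5} score={score} subject={m['subject']!r}")
        for r in reasons:
            print("      -", r)
```

Run against the samples, the quoted New Year lure hits three indicators and is held, the spoofed greeting is flagged on the domain mismatch plus the zipped "card", and the training reminder passes. Note that a genuine e-card from a real provider will also trip the first three rules and be held; that is consistent with the rule at the top of this post, since the user should not be clicking an unexpected card anyway.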

You can read the full account here.

The bottom line from both these stories is that your sensitive data are only as secure as the least trained user. Remember that when you plan your PCI training for campus merchants and administrators.

In fact, this might be a pretty good lesson for everyone on campus who has email.
