Some Holiday Greetings Aren't So Cheerful

December 16, 2013 | by Fred Touchette | AppRiver, Digital Degenerate, ecards, Hallmark, securetide, Security

Every year around the holidays we begin seeing fake E-Cards laden with malware hitting our filters. This year is no exception. The bad guys know that this little disguise of theirs just may get their intended victims to drop their guard for just long enough to be successful. Some people prefer the ease of creating and sending these electronic versions of holiday cards in lieu of licking all of those envelopes. As a result, many people are used to receiving these, sometimes en masse, during this time of the year. This is just the cover that the malware authors thrive on.


One of the more common themes that cybercriminals like to spoof is from a company that is well known for its greeting cards, Hallmark. A big wave of them came in not too long ago that were missing some of their graphics, but usually they're dressed to the nines and can be quite convincing. A couple of the dead giveaways here are the aforementioned lack of graphics and, more importantly, the use of an attachment. I personally have never seen a legitimate ecard sent via attachment, always a link to "open" the card. Now, with that being said, I must clarify that receiving an ecard with a link doesn't always make it legitimate; quite the contrary. Many of these are dressed up much better than this most recent example and utilize these links to get you to malware that is remotely hosted.
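The two giveaways above can be turned into a simple mail-triage check. The following is an added example, not code from AppRiver's filters: the theme keywords, the `.example` and `.invalid` addresses, the ZIP attachment type and the function names are all assumptions made for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

ECARD_HINT = re.compile(r"e-?card|greeting card", re.I)  # assumed theme keywords
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def triage_ecard(raw: bytes) -> list[str]:
    """Return reasons to hold an e-card themed message for review."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = str(msg.get("From", ""))
    if not ECARD_HINT.search(f"{msg.get('Subject', '')} {sender}"):
        return []  # not e-card themed, outside this check
    findings = []
    # Giveaway 1: the card arrives as a file instead of a link to "open" it.
    for part in msg.iter_attachments():
        findings.append(f"attachment:{part.get_filename() or 'unnamed'}")
    # Giveaway 2: a link alone proves nothing, so flag hosts outside the
    # domain the sender claims. The From header itself can be spoofed, so an
    # empty result means "no giveaway found", not "legitimate".
    domain = parseaddr(sender)[1].rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in URL.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host != domain and not host.endswith("." + domain):
            findings.append(f"offdomain-link:{host}")
    return findings

def build_sample(attach: bool, link: str) -> bytes:
    """Constructed test message; every name and address here is made up."""
    m = EmailMessage()
    m["From"] = "Greeting Cards <ecards@cards.example>"
    m["To"] = "user@corp.example"
    m["Subject"] = "You have received an E-Card"
    m.set_content(f"Open your card: {link}\n")
    if attach:
        m.add_attachment(b"PK\x03\x04", maintype="application",
                         subtype="zip", filename="Ecard.zip")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage_ecard(build_sample(True, "http://cards.example/view?id=1")))
    print(triage_ecard(build_sample(False, "http://files.invalid/card")))
```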

This particular malware behaves a little like Zeus in that it injects itself into running processes to hide itself and waits for account credentials. In addition, this malware makes a firewall exception for a newly created file by the name of AdobeARME.exe and adds this file to all startup areas so that if the victim computer is shut down, the malware will reload when it's turned back on. The malware then modifies the security settings by disabling security notifications and begins to search for and disable any active Anti-Virus on its new host.

As is always the case, be on the lookout for these malicious ecards. Only click on links that you know are safe and are from known sources, and you will help make sure that your holidays remain cheerful ones.