Beginning of the end of legitimate eCards?
Thursday August 16, 2007 at 11:28 am CST
Posted by Allysa Myers
Unless you’ve been living in a cave without email access for the last year, you’ve probably gotten at least one (if not hundreds!) of the emails currently being pumped out by W32/Nuwar@MM, aka the Storm Worm. The spam email templates have been getting updated on at least a daily basis lately, which makes this something of a moving target. They’re all worded as variations on a theme of “somebody you know sent you an eCard greeting”, and include a link to a website which contains code that downloads a malicious executable. The name of this executable has been changing regularly, though not nearly as quickly as the texts of the emails. For the last several weeks it was “ecard.exe”, and in the last couple of days it’s switched to “msdataaccess.exe”. (Thanks to Dmitry’s efforts, we’re able to keep up with this quite quickly.)
Where this gets really interesting for me is how this is beginning to affect user behavior:
We’re starting to get samples from people who suspect they’re getting malicious Nuwar emails, which are in fact just plain old-fashioned eCard greeting notifications.
The thing is, they really are right to be suspicious. Sending eCard greeting notification messages with links in the body ceased to be a good idea several years ago, when the technique of sending emails with links to malicious files started to be used regularly by malware to spread itself. With Nuwar shifting its emails around so often to evade detection, it’s inevitable that the malicious emails will use wording similar to that used by major, legitimate eCard greetings providers.
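As an added illustration (not part of this post, and not an Avert Labs tool), the triage check below shows why a legitimate notification and a Nuwar lure look alike at the wording level and differ only in where the link leads: it flags eCard-themed mail whose link points straight at an executable, using the two payload names the post mentions. The sample messages and the eCard phrase list are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Payload file names named in the post (ecard.exe, then msdataaccess.exe).
KNOWN_PAYLOAD_NAMES = {"ecard.exe", "msdataaccess.exe"}
# Constructed list of phrases typical of the "someone sent you an eCard" lure.
ECARD_PHRASES = ("ecard", "e-card", "greeting card", "sent you a card", "greeting")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Triage:
    ecard_themed: bool
    links: list = field(default_factory=list)
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage_ecard_mail(body: str) -> Triage:
    """Flag eCard-style notifications whose links lead directly to an executable."""
    lowered = body.lower()
    result = Triage(ecard_themed=any(p in lowered for p in ECARD_PHRASES))
    for url in URL_RE.findall(body):
        result.links.append(url)
        # Strip any query string, then take the last path component as the file name.
        path = url.split("?", 1)[0].rstrip("/")
        filename = path.rsplit("/", 1)[-1].lower()
        if filename in KNOWN_PAYLOAD_NAMES:
            result.reasons.append(f"link to known Nuwar payload name: {filename}")
        elif filename.endswith(".exe"):
            result.reasons.append(f"eCard link downloads an executable: {filename}")
    return result


# Constructed samples: a lure in the Storm Worm style, and a plain eCard notification.
SAMPLE_LURE = ("Hi! A friend has sent you an eCard greeting. "
               "To view it, click http://greetings.example/msdataaccess.exe")
SAMPLE_LEGIT = ("Your friend sent you a greeting card. "
                "View it at http://cards.example/view?id=12345")

if __name__ == "__main__":
    for name, body in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        t = triage_ecard_mail(body)
        print(name, "ecard-themed:", t.ecard_themed, "suspicious:", t.suspicious, t.reasons)
```

Both messages are eCard-themed, so wording alone cannot separate them; the link target is the only signal the check has, which is exactly the problem the legitimate providers face.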
It behooves the legitimate greeting card companies to come up with a sensible way around this, before it affects their bottom lines. They’ll need to find a way to get notifications to users that is at once convenient and not such a huge target for use as a social engineering tactic by malware writers. Do I know what that would be, at this point? No, it really is a tricky problem. And it’s one that’s bound to be faced by other vendors as well (sites which send e-vites, for instance) in the near future.
