COMPUTER RESEARCH & TECHNOLOGY
 

ETopics Greeting Card Scam

Beware of the next electronic greeting card you receive. It may not be quite so friendly.

An e-card scam is circulating. It cons people into clicking through to a phony Web site, where they can download a virus or enable an attacker to steal their address book and spam the unfortunate soul's co-workers and friends. Unfortunately, the recipients of that E-mail will then unwittingly carry out the whole sorry cycle over and over again.

This latest e-mail scam is fooling E-mail users into spamming everyone in their Microsoft Outlook E-mail address book with an electronic card. People receive a link to an e-card site, FriendGreetings.com. If they click on the link, they are invited to install some computer code (a program) in order to view their e-card.

By running the program they are also unwittingly giving their permission to send a similar message to everyone they have listed in their own e-mail address book.

Such aggressive marketing tactics are not new and technically speaking may not even be illegal. With the festive season just around the corner, we are likely to see an increase in these types of scam campaigns.

How were these rip-offs identified in the first place?

Security and Anti-Virus companies have been receiving many calls from users concerned that they have passed on a virus to their friends or colleagues. Strictly speaking this particular E-mail is not a virus, but it can cause just about as much trouble. By flooding the Internet with unwanted e-mails, this "malware" can be just as much a problem as a genuine virus.

Who are the most vulnerable?

Because businesses are most likely to have large "contact" lists in address books, companies should be especially careful and inform their staff that running programming code from the Internet can be particularly fraught with danger and should be treated with a great deal of caution. Usually it should only be allowed if permission has been given by their information technology department or management.

How do these unscrupulous types get away with this behaviour?

These days anyone downloading anything from the Internet must also be prepared to read the small print in any agreement they sign up to. This is generally where you will find the agreement you have unwittingly become a part of.

Today, too many people still blindly believe everything in their inbox when simple safe computing procedures can reduce the risk of spreading a whole range of Internet nasties. If you can't confirm it -- don't believe it.

Why would anyone produce this type of malicious system?

It's a spam scam, really. Whilst the email itself does not contain a virus, it directs people to a Web site where they can download a virus. More likely, the program will copy everyone in your address book and feed that list back to the offending Web site. The operators can then use all those company addresses for a virus attack or spam.

How do we protect ourselves from Greeting Card scams?

It's fairly simple to distinguish a real e-card from the scam. When you visit a greeting card Web site, you should be able to view your greeting automatically. It certainly should not be necessary to download anything! If the site is requesting that you download anything -- don't and get out of there -- fast!

The Web site originally mentioned in the email, according to one specialist company, was hosted by FriendGreetings.com. Unfortunately there have also been variations on the original email that contain links to several similar Web sites, such as cool-downloads.com or .net, and friend-cards.com or .net.

How could anyone recognise this virus if they received it?

At the time of writing, this worm sends email with varying subjects and message bodies. The following is a list of subjects found on email sent by this worm:
<YourName> you have an E-Card from <Sender>
<YourName> you have a greeting card from <Sender>.
<YourName>, you have a funny card from <Sender>
<YourName> you recently received a postcard sent by <Sender>
<YourName> you just received a postcard from <Sender>
just emailed you a postcard - <Sender>
just posted you a postcard - <Sender>
<YourName> you have received a postcard sent by <Sender>
<Sender> today sent to you a postcard :<YourName>

The worm sends out E-mail messages with content similar to that below:

<YourName>,
has sent you a greeting card -- a postcard from
Friend-Greetings.com. You can pickup your greeting
card at Friend-Greetings.com by clicking on the link
below.

http://www.friend-greeting.com/203791/pickup.html?code=<blocked>&id=0811025
Message:
------------------------------------------------------------
<YourName>
I just sent you a greeting card - please pick it up.
------------------------------------------------------------

Once a person clicks the address in this message, they are prompted to install this worm virus. As soon as the installation concludes, the worm immediately spams another set of recipients. This worm also sends out messages that contain links to the following Web sites:

http://www.friend-greeting.com http://www.friend-greetings.com
http://www.friend-greeting.net http://www.friend-greetings.net
http://www.friend-card.com http://www.friend-cards.com
http://www.friend-cards.net http://www.friendgreeting.com
http://www.friendgreetings.com http://www.friendgreeting.net
http://www.friendgreetings.net http://www.laugh-mail.com
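
For mail administrators, the subject lines and Web sites listed above can be turned into a simple inbound-mail check. The following is an added example, not part of the original article: the function names and the sample messages are constructed for illustration, and only the domains in the list above are checked (matched on the exact host or a subdomain, so lookalike names are not flagged).

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Domains from the article's list, without the leading "www.".
SCAM_DOMAINS = {
    "friend-greeting.com", "friend-greetings.com", "friend-greeting.net",
    "friend-greetings.net", "friend-card.com", "friend-cards.com",
    "friend-cards.net", "friendgreeting.com", "friendgreetings.com",
    "friendgreeting.net", "friendgreetings.net", "laugh-mail.com",
}
# Fixed parts of the subject templates listed in the article, lower-cased.
SUBJECT_PHRASES = [
    "you have an e-card from", "you have a greeting card from",
    "you have a funny card from", "you recently received a postcard sent by",
    "you just received a postcard from", "just emailed you a postcard",
    "just posted you a postcard", "you have received a postcard sent by",
    "today sent to you a postcard",
]

def scam_hosts(text):
    """Return the listed domains that any URL in the text points at."""
    hits = set()
    for url in re.findall(r"https?://[^\s<>\"']+", text, re.I):
        try:
            host = (urlparse(url).hostname or "").lower()
        except ValueError:  # malformed URL, nothing to compare
            continue
        # Exact host or a subdomain only; "notfriend-cards.com" must not match.
        hits.update(d for d in SCAM_DOMAINS if host == d or host.endswith("." + d))
    return sorted(hits)

def check_message(raw):
    """Check one raw RFC 822 message against the subjects and domains above."""
    msg = message_from_string(raw)
    subject = " ".join(str(msg.get("Subject", "")).lower().split())
    body = ""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            body += (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
    return {"subject_hit": any(p in subject for p in SUBJECT_PHRASES),
            "hosts": scam_hosts(body)}

# Constructed sample messages (names and addresses are made up).
SAMPLE = ("Subject: Pat you have an E-Card from Sam\n\n"
          "Pat,\nhas sent you a greeting card -- a postcard from\n"
          "http://www.friend-greeting.com/203791/pickup.html?code=<blocked>&id=0811025\n")
BENIGN = ("Subject: Lunch on Friday?\n\n"
          "Menu: http://friend-cards.com.example.org/ or http://notfriend-cards.com/\n")

if __name__ == "__main__":
    print(check_message(SAMPLE), check_message(BENIGN))
```

A hit on either field is a reason to quarantine the message for review rather than proof on its own, since the article notes that the subjects and message bodies vary.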

How do we get rid of the Worm (virus) if it is on our system (for the technically inclined)?

Click Start, select Settings then Control Panel.
Under the Control Panel window, click the icon Add/Remove Programs.
In the list of applications, select FRIEND GREETINGS then click the Add/Remove or Change/Remove button.
Restart your computer.

Uninstall the Winsrv Reg Application
The application Winsrv Reg is installed along with the FriendGreetings Application. Note, however, that Winsrv Reg is also installed by other legitimate applications. If you did not install another application that uses Winsrv Reg or if you are unsure, it is advisable to remove Winsrv Reg from your system.

Click Start, select Settings then Control Panel.
Under the Control Panel window, click the icon Add/Remove Programs.
In the list of applications, select Winsrv Reg then click the Add/Remove or Change/Remove button.
Restart your computer.


Arthur Hissey
Computer Research & Technology
www.crt.net.au


ETOPICS
what are they?

Keep up to date with the latest in the IT/Communications industry by listening to ABC Local Radio on FM107.1, every Tuesday morning at 9.15AM.

Computer Research & Technology Managing Director Arthur Hissey and Morning Host Janice McGilchrist will be discussing current matters of interest and future directions in the IT industry.
