
Monday, 26 March 2007

Fake "BlueMountains Greetings" message with a trojan

Fake greetings cards are a common way of spreading trojans, and this latest fake BlueMountain.com email is a case in point.

The message looks similar to the following one:

BlueMountains Greetings <greetings@BlueMountain.com>
You just received an Electronic Greeting.

you just received an electronic greeting from a friend !

To view your eCard, please click on the following link :


(Your postcard will be available for 60 days.)

If you have any comments or questions, please visit http://www.bluemountain.com/customer/emailus.pd?source=bma999

for using BlueMountain.com.

The links actually lead to bluemountains.kokocards.com (do not visit this site). A more detailed writeup can be found here.

There's very little need to accept this type of "greetings card" into corporate environments, and this seems to be a common vector for malware attacks.

If you use Postini, you can create a custom content filter:
  • Select Match Any
  • Sender | contains | bluemountain.com
  • Body | contains | kokocards.com
  • Body | contains | bluemountain.com
  • Set message disposition to Quarantine Redirect
  • Don't forget to copy it to sub-orgs if you need to!
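
The Match Any logic of the filter above, as an added Python sketch for testing it against sample mail; this is not Postini's implementation or code from the original post. It assumes "Sender" means the From header address and that matching is case-insensitive (the fake message uses `BlueMountain.com` in mixed case), and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# The three "contains" rules from the filter above, as (field, substring).
RULES = [
    ("sender", "bluemountain.com"),
    ("body", "kokocards.com"),
    ("body", "bluemountain.com"),
]

def body_text(msg):
    """Join every text/* part so links in an HTML part are searched too."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode("utf-8", "replace"))
    return "\n".join(chunks)

def matched_rules(raw):
    """Return every rule that fires; under Match Any one hit is enough."""
    msg = message_from_string(raw)
    fields = {
        # Assumption: "Sender" means the From header address.
        "sender": parseaddr(msg.get("From", ""))[1].lower(),
        # Assumption: matching is case-insensitive.
        "body": body_text(msg).lower(),
    }
    return [(f, s) for f, s in RULES if s in fields[f]]

def disposition(raw):
    return "quarantine" if matched_rules(raw) else "deliver"

# Constructed sample messages (not real captures).
FAKE = ("From: BlueMountains Greetings <greetings@BlueMountain.com>\n"
        "Subject: You just received an Electronic Greeting.\n\n"
        "To view your eCard, see bluemountains.kokocards.com\n"
        "for using BlueMountain.com.\n")
OTHER_SENDER = ("From: Cards <cards@example.net>\n"
                "Subject: eCard\n\n"
                "Your card: bluemountains.kokocards.com\n")
CLEAN = ("From: Alice <alice@example.org>\n"
         "Subject: Minutes\n\nNotes attached.\n")

if __name__ == "__main__":
    for name, raw in [("FAKE", FAKE), ("OTHER_SENDER", OTHER_SENDER), ("CLEAN", CLEAN)]:
        print(name, disposition(raw), matched_rules(raw))
```

The kokocards.com body rule is the one that still fires when the sender address changes; the two bluemountain.com rules also quarantine any mail that mentions that domain, which fits the view above that these cards have little place in a corporate environment.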
