Sponsored by..

Monday, 26 March 2007

Fake "BlueMountains Greetings" message with a trojan


Fake greetings cards are a common way of spreading trojans, and this latest Fake Bluemountain.com Email is a case in point.

The message looks similar to the following one:

From:
BlueMountains Greetings <greetings@BlueMountain.com>
Subject:
You just received an Electronic Greeting.

Hello,
you just received an electronic greeting from a
friend !

To view your eCard, please click
on the following link :

http://www.bluemountain.com/view.pd?i=164213761&m=2435&rr=z&source=bma999

(Your postcard will be available for 60 days.)

If you
have any comments or questions, please visit http://www.bluemountain.com/customer/emailus.pd?source=bma999

Thanks
for using BlueMountain.com.


In fact, the links actually lead to bluemountains.kokocards.com (do not visit this site). A more detailed writeup can be found here.

There's very little need to accept this type of "greetings card" into corporate environments, and this seems to be a common vector for malware attacks.

If you use Postini, you can create a custom content filter:
  • Select Match Any
  • Sender | contains | bluemountain.com
  • Body | contains | kokocards.com
  • Body | contains | bluemountain.com
  • Set message disposition to Quarantine Redirect
  • Don't forget to copy it to sub-orgs if you need to!

No comments: