Seen in the wild: Example greeting card scam

Faithful blog reader Jack Duggan sent me this little example of greeting card malware:

Date: Tue, 26 Sep 2006 18:37:33 +0000

From: Abigail

Subject: You've got an "e-card" at .greeting-cards.com..

Reply-to: Abigail

User-Agent: Mozilla 4.73 [en]C-SYMPA (Win98; U)

Original-recipient: rfc822;jxduggan@optonline.net

Dear recipient !

sender at Abigail sent you an "e-card"

"Here's the Rub" from 'greeting-cards' !

Click_here_to_view_the_"e-card".

This ecard will be stored for one week, so

print or save the "e-card" as soon as possible.

Hope you enjoy our "e-cards"! Spread the love and send one of our "e-cards"!

Brought to you by 'greeting cards' - a better way to greet!

If you happen to click on “Click_here_to_view_the_e-card”, you’ll get sent to the site below (made to look like a legitimate greeting card site, but using stolen graphics), which tells you that your Flash player is outdated. If you install this fake Flash player, you get two Haxdoor variants — really nasty stuff.

http://www.sunbelt-software.com/ihs/alex/greetingcard_0000001_thumb1.jpg

http://www.sunbelt-software.com/ihs/alex/greetingcard_0000002_thumb1.jpg

We were able to access the website where the malware author is counting the installs done using this scam, and we see about 2,500 installs so far on this. Maybe not a large number, but that’s 2,500 users who may be facing a very unpleasant time.