More on the greeting card exploit

WebSense writeup here.

We are starting to see mass mailing lures for websites that are hosting VML exploit code. Most of the sites are using updated Web-Attacker code. A recent example that came to us from Message Labs appears to lure users to the site by claiming they have received a Yahoo! Greeting Card. The site downloads and installs an Internet Explorer Browser Helper Object that directs all HTTP posts from forms to a third party, and then collects information on end-users.