
Seen in the wild: Example greeting card scam

Faithful blog reader Jack Duggan sent me this little example of greeting card malware:

Date: Tue, 26 Sep 2006 18:37:33 +0000

From: Abigail

Subject: You've got an "e-card" at

Reply-to: Abigail

User-Agent: Mozilla 4.73 [en]C-SYMPA (Win98; U)

Original-recipient: rfc822;

Dear recipient !

sender at Abigail sent you an "e-card"

"Here's the Rub" from 'greeting-cards' !


This ecard will be stored for one week, so

print or save the "e-card" as soon as possible.

Hope you enjoy our "e-cards"! Spread the love and send one of our "e-cards"!

Brought to you by 'greeting cards' - a better way to greet!

If you happen to click on “Click_here_to_view_the_e-card”, you’ll get sent to a site made to look like a legitimate greeting card site (but using stolen graphics), which tells you that your Flash player is outdated. If you install this fake Flash player, you get two Haxdoor variants, which is really nasty stuff.

We were able to access the website where the malware author is counting the installs done using this scam, and we see about 2,500 installs so far on this. Maybe not a large number, but that’s 2,500 users who may be facing a very unpleasant time.

Alex is a technology CEO, with leadership, operating partner, investor, and board member roles at security firms including AutoLoop, Borland, Quarterdeck (now Symantec and Cisco WebEx), GFI/TeamViewer, Sunbelt Software (now ThreatTrack Security), BlueStripe Software, StopBadware, KnowBe4, Malwarebytes, and Runaware Holding AB. When CEO of Sunbelt he ran a security blog, and he still writes on security.