Greeting card attacks resurface

'Hallmark' cards deliver nasty message

Security experts are warning users to be vigilant following a new round of fake greeting card attacks.

The spam messages purport to be greeting cards from Hallmark, and inform the user that they have been sent an e-card.

The email contains the same graphics used by the Hallmark site, appearing at first to be genuine. Unlike authentic Hallmark e-cards, however, the fake greetings contain an attachment.

When the user loads the .zip file, the attack begins. The Trojan .zip archive unpacks a an executable known as 'postcard.exe' as well as a run key to the Windows registry.

On restart, the run key automatically launches the malicious executable. The program adds the user to a remotely-controlled IRC botnet and then accesses the user's contact list to send out new attack emails.

The greeting card attack is hardly a new concept. The infamous Storm worm has made a regular habit of sending fake greeting cards at major holidays in an effort to expand its botnet. The tactic is extremely effective, as shown by its longevity.

"As long as recipients continue to fall for these old tricks, malware authors and spammers will continue to use them," said Matt Sergeant, a senior anti-spam specialist at MessageLabs.

Experts advise users to be wary of unsolicited or unexpected greeting cards, and never to open attachments in suspicious emails.