Warning: Trojan in Email Link: "You've received a greeting postcard from a family member!"
If (rather, when) you receive an email with a subject line that matches or closely matches this:
You've received a greeting postcard from a family member!
or
You've received a postcard from a family member!
DELETE IT! These messages are sent from infected computers and contain links to a web page that is hosted on some poor schmuck's personal computer, on a broadband ISP connection, possibly with a static IP address. That web page contains exploit code that is used to download a Trojan Horse remote control program onto your computer. The bait is that a "family member" has just sent you a (greeting) postcard and there is a link to copy and paste into your browser's address bar (or to click on). If you mouse over that link you will see the numeric IP address in it. I have analyzed several of these recent spam messages and learned that they point either to a .hk (Hong Kong) domain or to a numeric IP address, followed by a question mark and a long group of hexadecimal characters (referred to as your card's claim number). The destinations are usually US-based broadband customers' home computers that have had a (proxy) server surreptitiously installed, without the owner's knowledge. The ones I have looked at use a freeware server called "nginx." The web page they serve up contains a link to a copy of the Trojan program and handles both visitors with JavaScript disabled and visitors with JavaScript enabled. If you visit the link without JavaScript you will see a message saying that if you don't see your card you should click on a link. That link goes directly to an infected file on the hijacked computer. If you visit the page with JavaScript enabled you will be in danger of becoming infected by the JavaScript exploit that is encoded into a huge line of hostile code.
My advice, other than not even opening messages with the above-mentioned subject lines, is to keep updated anti-virus (and anti-Trojan) and anti-spyware programs running at all times on your computers. If you use Outlook (Express) or a similar stand-alone email client you should add a spam/virus screening front-end program, like MailWasher Pro, which I use. MailWasher Pro uses a combination of an intelligent learning filter, blacklists of known spam sources, a virus detector, plain-text display of messages and their source code, and best of all - user-configurable filter rules. I have authored two sets of custom MailWasher filter rules. My filter rules are updated frequently to respond to the latest spam and scam threats and are available online, on my MailWasher Filters page. It was the ability to read incoming email source code in MailWasher Pro that allowed me to discover the nature of these greeting postcard threats.
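The indicators described above (the two subject lines, and a link whose host is a bare numeric IP address or a .hk domain followed by "?" and a long run of hexadecimal "claim number" characters) can be turned into a simple mail filter. The following is an added example written for this article, not one of the author's MailWasher rules; the sample messages in it are constructed, and the IP address and .hk host are placeholders, not addresses taken from real spam.

```python
import re
from urllib.parse import urlparse

# The two subject lines quoted in the article, allowing for the optional
# word "greeting" and for a missing trailing "!".
SUBJECT_RE = re.compile(
    r"^\s*you'?ve received an? (greeting )?postcard from a family member!?\s*$",
    re.IGNORECASE,
)

# Anything that looks like a link. The scheme is optional because the lure
# asks the reader to paste the link into the address bar by hand.
URL_RE = re.compile(
    r"(?:https?://)?(?:\d{1,3}(?:\.\d{1,3}){3}|[\w.-]+\.[a-z]{2,})"
    r"(?::\d+)?(?:[/?][^\s<>]*)?",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# "Claim number": the whole query string is one long hex token (no key=value).
HEX_CLAIM_RE = re.compile(r"^[0-9a-f]{16,}$", re.IGNORECASE)


def suspicious_links(body: str) -> list:
    """Return links whose host is a bare IPv4 address or a .hk domain and
    whose query string is a long hexadecimal token, as the article describes."""
    hits = []
    for match in URL_RE.finditer(body):
        raw = match.group(0)
        parsed = urlparse(raw if "://" in raw else "http://" + raw)
        host = (parsed.hostname or "").lower()
        if not (IPV4_RE.match(host) or host.endswith(".hk")):
            continue
        if HEX_CLAIM_RE.match(parsed.query):
            hits.append(raw)
    return hits


def classify(subject: str, body: str) -> str:
    """Quarantine on a matching subject line or a matching link, else pass."""
    if SUBJECT_RE.match(subject) or suspicious_links(body):
        return "quarantine"
    return "pass"


if __name__ == "__main__":
    # Constructed sample; 192.0.2.45 is a documentation-range placeholder.
    lure = ("Your family member sent you a card. Copy this link into your "
            "browser: http://192.0.2.45/?a1b2c3d4e5f60718293a4b5c6d7e8f90")
    print(classify("Holiday greetings", lure))   # quarantine
    print(classify("Meeting notes", "see http://www.example.com/?id=12345"))  # pass
```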
I hope this saves somebody from the misery of having their computer taken over due to ignorance and unpreparedness. Stay alert and keep your anti-malware defenses running and up to date at all times. Assume that "they" are out to get you, because they are! If you receive a notice from your ISP that they suspect that your computers are sending out harmful messages, have the computers checked for proxy servers. Stay off-line until all vestiges of such programs have been completely removed, then equip your computers with the best security programs you can afford. There are links all over this page and others of mine for Spy Sweeper, Spyware Doctor, Norton Anti Virus and other similar products. Some offer a free trial, so use it, then purchase a subscription. Don't let your computers become unwitting members of zombie botnets for use as spam/virus relays, or hosts for spamvertised websites.
The viewable text on the zombie computer's web page is, or is similar to:
"We are currently testing a new browser feature. If you are not able to view this ecard, please click here (link codes removed) to view in its original format." That link goes directly to a file that has been placed onto the compromised computer, and it will probably infect your computer unless your defenses are among the best in the industry.
One of the simplest ways to protect against getting infected in the first place is to not run as a computer administrator on your daily browsing account. The impact of any virus, Trojan, or other malware threat is limited in scope by the privileges of the logged-in user. Users running with reduced privileges will be less impacted, if at all. See my blog article about using reduced user privileges to protect against malware threats.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.