RE: E-Card Remote Code Execution Scam

[<H.Karrenbeld () a1 nl>]

The *.cab file contains a file 'potd.dll', googling for it gives this
link http://and.doxdesk.com/parasite/Cytron.html.

Overthere it's considered a 'parasite'

According to the link, it appears to be some module that will install
into your IE and pop-up ads based on web pages being visited by the
'infected party'.

The E-Card people are, of course, lying that it will -need- this module
installed for the E-card to work.

$) Henri

> -----Original Message-----
> From: Jonathan A. Zdziarski [mailto:jonathan () networkdweebs com]
> Sent: Saturday, September 28, 2002 11:25 AM
> To: incidents () securityfocus com
> Cc: abuse () thawte com; server-certs () thawte com; abuse () yahoo com
> Subject: E-Card Remote Code Execution Scam
>
>
> This seems an aweful lot to me like a Remote Code Execution Scam...
>
> I received an email addressed to "Undisclosed Recipients" notifying me
> that I received an E-Card today, so I went to the site
> http://www.surprisecards.net/viewcard.htm?id_num=[Undisclosed]
> &card=Pick
> +up to view the card.  Oddly, I received a security warning 
> asking me if
> I wanted to allow some code to run on my machine.  Noticing the odd
> choice of form variables as opposed to other e-card sites (not to
> mention the fact that I could type in any number and get the same
> screen), and with an eyebrow now raised I went to the main website
> http://www.surprisecards.net to find "Welcome to the future home of
> richardoliver.web.aplus.net".  So I figure, if there's no way 
> to send a
> card from this website then chances are nobody sent me a valid card.
>
> I took a look at the Thawte certificate for the card viewer "code" and
> got www.cytron.com, some no-name development website with nothing more
> than a phone number.
>
> At the moment I'm not in front of any sacrificial machine to test the
> card out on, but I suspect this email is being mailed out as a scam in
> an attempt to run arbitrary code on the user's machine using a valid
> Thawte certificate.  What the code does when it loads I've no idea as
> I'm not dumb enough to try it on my home machine.
>
> In summary, my suspicion that this is the case is based on the
> following:
>
> 1. The email was from egreetings () yahoo com, yet was not redirecting me
> to a yahoo site.  (It was in fact coming from a yahoo mail server
> though).  
>
> 2. The email was NOT from surprisecard.net
>
> 3. The email was addressed to undisclosed recipients
>
> 4. There is no medium for sending cards from this site
>
> 5. www.cytron.com has no credible information about any card reader
> product or even the company.
>
> Perhaps someone in front of some extra hardware can take this and roll
> with it.
>
>
>
> --------------------------------------------------------------
> --------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com