Security Incidents mailing list archives
RE: E-Card Remote Code Execution Scam
From: <H.Karrenbeld () a1 nl>
Date: Sun, 29 Sep 2002 15:31:52 +0200
The *.cab file contains a file 'potd.dll'; googling for it gives this link: http://and.doxdesk.com/parasite/Cytron.html. Over there it's considered a 'parasite'.

According to the link, it appears to be some module that will install into your IE and pop up ads based on web pages being visited by the 'infected party'. The E-Card people are, of course, lying that it will -need- this module installed for the E-card to work.

$)
Henri
-----Original Message-----
From: Jonathan A. Zdziarski [mailto:jonathan () networkdweebs com]
Sent: Saturday, September 28, 2002 11:25 AM
To: incidents () securityfocus com
Cc: abuse () thawte com; server-certs () thawte com; abuse () yahoo com
Subject: E-Card Remote Code Execution Scam

This seems an awful lot to me like a Remote Code Execution Scam... I received an email addressed to "Undisclosed Recipients" notifying me that I received an E-Card today, so I went to the site http://www.surprisecards.net/viewcard.htm?id_num=[Undisclosed]&card=Pick+up to view the card. Oddly, I received a security warning asking me if I wanted to allow some code to run on my machine.

Noticing the odd choice of form variables as opposed to other e-card sites (not to mention the fact that I could type in any number and get the same screen), and with an eyebrow now raised, I went to the main website http://www.surprisecards.net to find "Welcome to the future home of richardoliver.web.aplus.net". So I figure, if there's no way to send a card from this website then chances are nobody sent me a valid card.

I took a look at the Thawte certificate for the card viewer "code" and got www.cytron.com, some no-name development website with nothing more than a phone number. At the moment I'm not in front of any sacrificial machine to test the card out on, but I suspect this email is being mailed out as a scam in an attempt to run arbitrary code on the user's machine using a valid Thawte certificate. What the code does when it loads I've no idea, as I'm not dumb enough to try it on my home machine.

In summary, my suspicion that this is the case is based on the following:

1. The email was from egreetings () yahoo com, yet was not redirecting me to a yahoo site. (It was in fact coming from a yahoo mail server though).
2. The email was NOT from surprisecard.net
3. The email was addressed to undisclosed recipients
4. There is no medium for sending cards from this site
5. www.cytron.com has no credible information about any card reader product or even the company.

Perhaps someone in front of some extra hardware can take this and roll with it.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
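The indicators Jonathan lists (sender domain not matching the linked site, mail addressed to undisclosed recipients) are the kind of thing a mail gateway or triage script can check mechanically. The following is an added example written for this archive page, not code from either poster or from SecurityFocus. It parses a raw RFC 822 message, compares the sender's domain against every domain linked in the body, and flags hidden recipients. The two sample messages are constructed for the demonstration, and the "registrable domain" helper is a deliberate simplification (last two labels, no public-suffix list).

```python
"""Score an e-card notification against simple scam indicators.

Added example for the thread above; the sample messages and domains are
constructed, and the registrable-domain logic is a stated simplification.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Loose URL matcher for plain-text bodies (stops at whitespace or quotes).
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Crude registrable domain: the last two DNS labels.

    Assumption: no public-suffix list is available, so 'www.example.co.uk'
    would collapse to 'co.uk'. Good enough to illustrate the check.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(msg) -> str:
    """Registrable domain of the From: address, or '' if unparseable."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""


def extract_urls(msg) -> list:
    """All http(s) URLs in the preferred text body."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return URL_RE.findall(text)


def ecard_indicators(raw: bytes) -> list:
    """Return a list of human-readable indicators; empty means nothing odd."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    indicators = []

    # Indicators 1 and 2 from the thread: the card link does not live on
    # the domain that sent the notification.
    from_dom = sender_domain(msg)
    urls = extract_urls(msg)
    link_doms = {registrable_domain(urlparse(u).hostname or "") for u in urls}
    link_doms.discard("")
    if from_dom and link_doms and from_dom not in link_doms:
        indicators.append(
            f"sender domain {from_dom} does not match linked domain(s) "
            f"{sorted(link_doms)}"
        )

    # Indicator 3: the recipient is hidden (undisclosed recipients / no To:).
    to_hdr = str(msg.get("To", "")).strip().lower()
    if not to_hdr or "undisclosed" in to_hdr:
        indicators.append("recipient hidden (undisclosed recipients or empty To:)")

    return indicators


# Constructed sample: notification from one provider, link to another,
# addressed to nobody in particular.
SUSPICIOUS = b"""From: egreetings@mail-provider.example
To: Undisclosed Recipients:;
Subject: You have received an E-Card!

Someone sent you a card. View it here:
http://cards.example.net/viewcard.htm?id_num=12345&card=Pick+up
"""

# Constructed sample: sender and link on the same domain, named recipient.
LEGIT = b"""From: cards@example.net
To: alice@example.org
Subject: Your card from Bob

View your card: http://www.example.net/view?c=abc123
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(label, ecard_indicators(raw))
```

Run as a script it prints two indicators for the first message and none for the second. In practice the domain comparison belongs after SPF/DKIM verification of the From: header, since the check is only meaningful if the sender domain itself is trustworthy.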