Don't know about you, but I've always considered e-card notifications a prime vector of attack.
It goes like this: "Hey, someone you love or who loves you sent you a nice card, click here." And when you click, you might get directed to a site that looks like an e-card site but is really just installing malware on your machine - malware like key loggers, the most common form of malware researchers are finding in the wild these days.
This risk is why I've never taken to such services that require a user to click here or go there to receive something. And, on Friday, I'm verbalizing this to the CEO of our startup, The Security Consortium, because I'd just gotten one of these e-Card notifications.
As I'm musing to him about my suspicions, he links to the SANS Internet Storm Center and sure enough, the e-Card notification I'd shown him was just such a malicious mailer exploit, which by June 28 had infected hundreds of thousands of computers, according to SANS.
Its payload is to turn your computer into a spambot, wherein it's used to send spam all over the place when you're not looking.
Since I've gotten two of these e-Greeting card solicitations since Friday, I can only assume it's still spreading like crazy out in the wild. So here's your warning:
Whatever you do, DO NOT click the link in any emails saying "someone" or "a relative" or "a mate" has sent you an e-card, click here.
If you click the link, it will take you to a popup that says, "We are currently testing a new browser feature. If you are not able to view this ecard, please click here (/ecard.exe) to view in its original format."
Your computer is infected after that, and it will go out and get other bad code installed on top of the first round of bad code and so on and so on.
So, just how can you tell a real e-card from a fake e-card notification?
Mark Kadrich, my startup's CEO, says e-card makers had better include in the notification mailer the name of the person submitting the e-card at the very least. But even if e-cards included that info, I'm thinking that the attackers will then just modify it to use stolen address books.
Another practical solution: Type the name of the e-card company into your browser - not by following the link but typing www.greetingcard.com in the URL space. When I do that, my browser says the page doesn't exist, which is enough for me to not want to look further.
And the fight goes on.
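A rough triage of the checks discussed above, as an added example (not code from the original post): it flags e-card notices that name only a generic sender, link to an executable like the /ecard.exe popup link, or link to a host other than the card site the mail names. The host comparison, the function name and the constructed sample message are assumptions of this example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Generic "senders" quoted in the post; a genuine notice would name the person.
GENERIC_SENDER = re.compile(
    r"\b(someone|a relative|a mate|(?:your|a) school friend)\b", re.I)
CARD_WORDS = re.compile(r"\b(e-?card|greeting card)s?\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Card site the mail claims to come from, e.g. "from greetingcard.org".
BRAND = re.compile(r"\bfrom ((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def ecard_red_flags(raw_message):
    """Return sorted reasons a single-part text mail looks like the lure."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    text = msg.get("Subject", "") + "\n" + body
    if not CARD_WORDS.search(text):
        return []  # not an e-card notification at all
    flags = set()
    if GENERIC_SENDER.search(text):
        flags.add("generic-sender")
    brands = {b.lower() for b in BRAND.findall(body)}
    for url in URL.findall(body):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if parts.path.lower().endswith(".exe"):
            flags.add("executable-link")  # like the /ecard.exe popup link
        if brands and not any(host == b or host.endswith("." + b) for b in brands):
            flags.add("link-host-mismatch")  # link leaves the named card site
    return sorted(flags)

# Constructed sample modelled on the scam mail in the post; the URL is made up.
SAMPLE = """\
Subject: You've received a greeting card from a school friend!

Your school friend has sent you a greeting card from greetingcard.org.
To view your ecard, click on the following Internet address:
http://host.example.net/ecard.exe
"""

if __name__ == "__main__":
    print(ecard_red_flags(SAMPLE))
```

An empty result only means none of these three signals fired; it does not make a notice safe to click.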
Meanwhile, I've pasted a sample of one of the e-card notification scam mails below for your reading enjoyment:
Date: Sat, 30 Jun 2007 14:25:55 +0200
Subject: You've received a greeting card from a school friend!
Your school friend has sent you a greeting card from greetingcard.org.
Send free ecards from greetingcard.org with your choice of colors, words and music.
Your ecard will be available with us for the next 30 days. If you wish to keep
the ecard longer, you may save it on your computer or take a print.
To view your ecard, choose from any of the following options:
Click on the following Internet address or
copy & paste it into your browser's address box.
Copy & paste the ecard number in the "View Your Card" box at
Your ecard number is