Experts at SophosLabs™, Sophos's global
network of virus, spyware and spam analysis centers, have warned of
a widespread email spam campaign that poses as a 4th July greeting
card, but is really an attempt to lure innocent computer users into
being infected by a Trojan horse and attacked by hackers.
The emails, which are being seen in inboxes worldwide, claim
that the recipient has been sent an ecard greeting by a friend and
tell the user to click on a link to view the card.
The emails pretend to be electronic Fourth of
July greeting cards.
Subject lines used in the malicious spam campaign include:
4th Of July Celebration
American Pride, On The 4th
America's 231st Birthday
Americas B-Day
America the Beautiful
Celebrate Your Independence
Celebrate Your Nation
Fireworks on The 4th
Fourth of July Party
God Bless America
Happy 4th of July
Happy B-Day USA
Happy Birthday America
Happy Fourth of July
Independence Day At The Park
Independence Day Celebration
Independence Day Party
July 4th B-B-Q Party
July 4th Family Day
July 4th Fireworks Show
Your Nations Birthday
Clicking on the link contained inside the email, which is in the
form of a numeric IP address, takes surfers to a compromised zombie
computer hosting the Troj/JSEcard-A Trojan
horse. The Trojan horse then tries to download additional code from
the internet which Sophos intercepts as Mal/Dorf-C.
"Cybercriminals have no qualms about taking advantage of
celebrations like 4th July to infect innocent people's computers,
and potentially steal their identities. This isn't just an
American problem - these kinds of attacks strike around the world,
and are designed to abuse PCs around the globe," said Graham Cluley, senior
technology consultant at Sophos. "People regularly send egreetings
to friends and colleagues, so it is important that everyone is on
their guard against these kinds of attacks and ensures their
computers are properly defended."
The July 4th spam emails are sent from
compromised computers around the world. This image shows PCs in the
USA that relayed the spam, captured in a snapshot of just
a couple of seconds. IP addresses have been blanked out.
"Rather than being sent to a real ecard website when you click
on the link you are visiting someone else's compromised computer
which is hosting malicious code designed to infect your Windows PC.
It is these same computers, based all around the world, which are
spewing out spam," continued Cluley. "Web links which use IP
addresses are a set of four numbers in the format xxx.xxx.xxx.xxx.
A real ecard company is unlikely to send you emails which use links
like that, so that should set alarm bells ringing instantly."
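The warning sign described above, a link whose host is a bare IP address instead of a domain name, can be checked automatically when mail is filtered. The Python below is an added example, not Sophos's code; the two sample messages and the hosts in them (192.0.2.45, cards.example.com) are constructed, and the check is extended to IPv6 literals as well as the four-number form.

```python
import ipaddress
import re
from email import message_from_string
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

def host_is_ip_literal(url):
    """True if the URL's host is a raw IPv4/IPv6 address, not a domain name."""
    try:
        host = urlsplit(url).hostname  # strips port, userinfo and [] brackets
        ipaddress.ip_address(host or "")
        return True
    except ValueError:  # malformed URL, empty host, or an ordinary domain
        return False

def ip_literal_links(raw_email):
    """Return (subject, links whose host is an IP literal) for one message."""
    msg = message_from_string(raw_email)
    found = []
    for part in msg.walk():  # covers single-part and multipart mail
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            url = url.rstrip(".,;)")  # drop trailing sentence punctuation
            if host_is_ip_literal(url) and url not in found:
                found.append(url)
    return msg.get("Subject", ""), found

# Constructed samples: 192.0.2.0/24 is reserved for documentation.
SAMPLE_SPAM = (
    "From: friend@example.com\nSubject: Happy 4th of July\n"
    "Content-Type: text/html\n\n"
    '<p>A friend sent you an ecard. <a href="http://192.0.2.45/">View it</a></p>\n'
)
SAMPLE_LEGIT = (
    "From: cards@example.com\nSubject: Your ecard\n"
    "Content-Type: text/plain\n\n"
    "View your card at http://cards.example.com/view?id=123.\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_SPAM, SAMPLE_LEGIT):
        subject, links = ip_literal_links(raw)
        print(subject, "->", links or "no IP-literal links")
```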
Sophos has been protecting customers against the JSEcard-A
Trojan horse since 29 June 2007, and the Mal/Dorf-C Trojan since
16:01 GMT on 3 July 2007.
Sophos recommends companies automatically update their corporate
virus protection, and run a consolidated
solution to defend against malware, spyware, hackers and
spam.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.