E-Greeting Card Giant Unaffected By Storm Worm

It's been nearly three weeks since I first wrote about the Storm worm authors using fake online greeting cards to trick people into clicking on links to Web sites that try to download and install malicious software. Since then, it looks like the Storm worm authors have adopted a number of other ruses, but they don't appear to have abandoned the greeting card scam.

I wanted to know whether this flood of fake, Storm worm-infested e-greeting cards had had any effect on the legitimate e-card business, and hence the willingness of people to click on links in unsolicited e-mails (a practice that Security Fix has been critical of in the past).

So I phoned American Greetings, which owns without a doubt the biggest e-greetings company around. According to AG spokesperson Frank Cirillo, the incessant attacks have had little measurable impact on the company's click-through rates.

"We haven't seen any [changes] to reflect any kind of real movement either way," Cirillo said of the company's click-through rates over the past month.

This, to me, suggests a couple of things: 1) Most legitimate e-card recipients are still unaware enough about this trend that they continue to click, thereby feeding what is quickly shaping up to be one of the biggest e-mail worm outbreaks of all time; and 2) Most people are still unaware enough of this recent malware trend that they feel perfectly comfortable conditioning their friends and loved ones to click on links in random e-mails.

To be fair, American Greetings has instituted something of a security mechanism in all e-greeting cards sent over its network, which allows the recipient to verify that the card is real without clicking on any link. However, I find it unlikely that most people would take advantage of this feature, as it requires recipients to type out a long, complex URL and code. For example, I recently e-mailed myself an e-greeting from American Greetings' Web site. The text I received included this message:

"For your security, if you'd prefer not to click on links within this email, please type: http://www.americangreetings.com/ecards/findit.pd?source=ag999&rr=z into your web browser and enter the following number, 4446713713316, on our ecard pick up page."

Instead of directing people to enter an overly complex link, the company might do Internet users a better service by highlighting the fact that you can retrieve an e-card from the "search ecards" form placed prominently in the upper left-hand portion of its home page. To get there, AG should simply be asking people to type "www.ag.com" into their browser (ag.com also takes you to American Greetings's official site), and then cut and paste the code into the Web page.

By Brian Krebs | September 6, 2007; 8:52 AM ET | From the Bunker, Latest Warnings, Misc., Safety Tips

Comments


I have used the Hallmark ecards in the past, but after the spammers started with the ecards, have stopped sending them. I just went to the Hallmark site and sent myself an ecard. They send the recipient an easy link as well as the very lengthy URL. The email message looks very commercial, unlike the messages sent by the spammers; however, if someone has set up a filter stopping ecards, the Hallmark ones will also be treated as junk. Perhaps Hallmark and American Greetings should use a different subject line with their cards. Too bad the spammers have utilized the ecards -- I sure get a kick out of "Hoops and YoYo!"

Posted by: rjrjj | September 6, 2007 10:51 AM

While I do not get as many fake e-mail greetings now as I did a few weeks ago, I still get one once in a while (wish the fake Nigerian scam messages would drop off as much). I sent a legitimate e-card to a friend, who quickly asked me to verify I had sent a card. Those who sent the malicious fake cards had nothing to gain but screwing up other people, but to some, that is its own reward, and some will continue to justify the practice (e.g., it increases security practices). The fact that it may actually hurt someone in their work or personally seems irrelevant to some.

Posted by: Steve | September 6, 2007 11:44 AM

Brian, I think you overlook 3) the Storm-based greeting emails (and possibly legitimate greeting emails as well) are being filtered out of the mail stream by anti-malware components so users aren't even seeing many/most of them.

Posted by: antibozo | September 6, 2007 1:08 PM

@antibozo: I have to disagree with you, at least from what I'm seeing.

A quick look inside my Postini inbox, which filters e-mail worms like Storm before they even get to washingtonpost.com's mail servers, shows that I received more than a dozen Storm-infected emails in the past 12 hours alone. But I doubt most home users have this sort of filtering being done for them.

Posted by: Bk | September 6, 2007 1:33 PM

I have my Email set up so that if I don't have your name on My Buddy List (Address Book), it goes into my spam folder. I then have the option of either deleting the message or clicking "This Is Not Spam". Most of what comes in there is deleted.
I have noticed in the past several weeks many invitations to open egreeting cards, also I've 'won' or 'inherited' a lot of money! Man! Wish I could collect some of it. Eat your heart out, Bill Gates! :)
For my greeting cards, I use http://www.jacquielawson.com based in Somerset, UK. I hope she's aware of this storm worm. Maybe I'll send her the information, just to be sure.

Posted by: PeteBB | September 6, 2007 2:10 PM

P.S.
Like you, I think some of those links that you have to type into your browser are ridiculously long. Ofttimes I will ignore it, just for that reason. I'm lazy :)

Posted by: PeteBB | September 6, 2007 2:16 PM

Bk> A quick look inside my Postini inbox, which filters e-mail worms like Storm before they even get to washingtonpost.com's mail servers, shows that I received more than a dozen Storm-infected emails in the past 12 hours alone.

Perhaps, but that's anecdotal. And did your mail client post-filter any of those into a spam folder?

Bk> But I doubt most home users have this sort of filtering being done for them.

Well, I think it's hard to say.

It would be good to have numbers from the Postini, Brightmail, etc. vendors on number of messages filtered on gateways, as well as from the anti-virus vendors on signature volatility. And bear in mind that email within an organization may not receive the same type of filtering as externally originated email.

In any case, I wouldn't expect the commercial greeting card people to really be able to report on this right now. The signal would show up when there's a major holiday. My guess is that the birthday/anniversary type greetings comprise a tiny fraction of the volume on, say, Christmas or Valentine's Day. And Labor Day isn't a big greeting card date. :^)

Keep up the good work, Brian!

Posted by: antibozo | September 6, 2007 3:37 PM

I do also continue to send ecards. But the ecard site that I use is www.ojolie.com. It offers artistic animated ecards similar to www.jacquielawson.com.

I still think that the fake ecards should definitely affect the sending of ecards. But maybe by the winter holiday season (the biggest season for greeting cards, paper or electronic), people will have been educated enough to feel comfortable sending ecards again. At least I hope so. Otherwise, my friends and family will not open my Christmas ecards. The cost of sending only paper cards to everyone can quickly add up :-)

Posted by: Julie | September 6, 2007 5:59 PM

@PeteBB For the record, AG's subsidiary that handles the greeting card sites (http://www.aginteractive.com) also owns & handles www.jacquielawson.com :)

Posted by: BWS | September 7, 2007 8:21 AM

There is NO NEED to "type" the whole URL address - all you have to do is highlight with your mouse, copy and paste in the address bar! So simple!

Posted by: Sandi | September 7, 2007 4:36 PM

I WILL CEASE POSTING ON WASHINGTON POST IN THE COMMENTS SECTION UNTIL SUCH TIME AS THE WASHINGTON POST RETURNS TO ITS FORMER POSTING FORMAT. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Posted by: BRUCEREALTOR@GMAIL.COM | September 7, 2007 7:21 PM

@Bk: I agree. For the black hats wouldn't be doing this if there wasn't money in it. Also people could always select, copy, and paste a URL in. Or how about checking the status bar on most any browser for identity with the offered URL? All of these ruses work because people don't think. Kindly read this LOVELETTER.txt.vbs and so forth.

Posted by: Rick | September 8, 2007 4:42 PM

I LOVE YOU NILANTHI

Posted by: NILANTHI | September 9, 2007 9:33 PM

@ BRUCEREALTOR@GMAIL.COM
What? The former format doesn't allow a long string of exclamation points?

Posted by: Pete from Arlington | September 10, 2007 12:07 PM

©  The Washington Post Company