Truth 33 Fake e-card greetings

When I was first dating my wife, I remember receiving an e-card from her. I clicked the link, and it brought up a Web page that played a short video of a dancing dog expressing its love for me. While it was a little corny, it was funny, and I was amused. For those who have never received an e-card, my assumption is you are probably already married. This assumption is based on my own life, in which once I said, “I do,” the e-cards stopped.

You are sitting at your computer and a new email comes in. The subject line reads, “You have a Hallmark e-card greeting!” It’s from [email protected], and the letter invites you to click on the link provided in the note to see your card.

You click on the link, and the Hallmark Web site comes up with the familiar logo, as well as several menu options for the online store and more. In the middle of the page, you notice an error message in bold that reads, “To use this product, you need to install free software.” The message provides simple instructions.

After following the instructions and clicking Refresh, your e-card begins to play. The card ends with a note telling you that you have a secret admirer who thinks you’re neat. Unfortunately, the only person who thinks you’re neat right now is your identity thief.

When I was writing this book, I sometimes thought that you might be reading each Truth in the same way that I watch a magician at the mall. My goal is to spot the exact moment the trick takes place. He points at something with his left hand while his right hand quickly slips in and out of his pocket. Everyone is supposed to be watching the left hand, but those who don’t follow the misdirection think, “A-ha! It just happened with that right hand.”

I think something similar happens in these bogus Web sites. You read the page and see that you are directed to install software. You should be thinking, “A-ha! There it is. There is the hand in the pocket.” But much like the magician at the mall, the misdirection is set the minute you lose focus on the potential risk and instead focus on the excitement of a secret admirer.

While it’s true that you did indeed receive an e-card and eventually it really is coming from Hallmark, the attack happened in between.

I have re-created this attack by visiting Hallmark’s site, creating an e-card from a secret admirer, and sending it to myself. I then created my own Web site, which is a carbon copy of Hallmark’s Web site. The only difference is that the real Hallmark store is located at hallmark.com, while I used the link hallmark-ecard.com. Then I sent emails to my victims, who followed the link to my Web site.

My site looks to see if the “special software” is already loaded. If not, the user is instructed to load it. If the software is installed, the user has fallen victim to my attack before, so my Web site simply redirects him to the real Hallmark Web site and points him to the video that I had originally sent from the secret admirer.

When the user chooses to load that software that was supposed to be the Hallmark Video Viewer, he is really loading malicious software that is designed to compromise the computer. Through the years, I have used numerous payloads depending on who was being targeted. If I am attacking a home user, my goal is to load software that captures his keyboard strokes. This allows me to record usernames and passwords tied to online applications, including online banking. The software may also steal cookies and other files from the victim’s computer.

When attacking an organization, my goal is often to gain access to the corporate network. Since most organizations have software in place to stop a hacker from getting into the network via the Internet, it makes far more sense to target employees and have them open the access from the inside. When the employee loads the Video Viewer software on his computer, it “calls home” using a technique known as a reverse Telnet.

While the technical details are not relevant, the ultimate outcome is the user’s computer starting what appears to be a Web connection from his computer with a computer on the Internet. When the connection is made, the computer then hands control of that connection to the receiving computer on the Internet, often with full administrator access. This means that the hacker is now sitting at the malicious computer on the Internet and can start typing commands. Whatever is typed is run on the user’s computer at the organization. This allows a hacker to not only steal data from that computer, but also use that computer as a launching point to attack other computers on that internal corporate network.

Through the years, I have used this particular attack thousands of times against both home users and employees at corporations with over a 95 percent success rate.

While these attacks can be devastating, they are fairly easy to prevent.

• Never install software unless you are absolutely certain you know what it does and who created it. This will be your hardest rule to follow, since there are times you are required to load software when visiting Web sites.

• When installing software, watch for publisher security alerts. When you elect to install a program in Windows, a security warning appears telling you who published and certified the product. If the warning reads “Unknown Publisher,” that is the only warning Microsoft can give you that you may not want to trust this product. If you choose to continue the installation, you are taking complete responsibility.

• Even a validated publisher doesn’t guarantee the software is safe. In fact, a number of malicious programs have been signed with valid certificates. If you are suspicious, I would suggest following that gut instinct and choosing not to load it.

• By default, an email from Hallmark contains the real sender’s email address. If the email comes from an unknown source, don’t open it.

• This attack is not exclusive to Hallmark and can be done with any site that contains any kind of multimedia. Much like phishing, when you receive any link in an email, you need to immediately be suspicious.
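The last two points come down to one check: does the link in the e-card actually lead to the brand’s real domain? The following is an added example, not code from the book, that applies that check to the chapter’s own pair of names (hallmark.com versus the look-alike hallmark-ecard.com). The sample email body is constructed, and the domain logic assumes ordinary two-label domains such as .com.

```python
"""Flag e-card links whose host is not the brand's real domain.
Added example for this chapter; the message below is constructed."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Good enough for .com-style names;
    multi-part suffixes such as .co.uk would need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url: str, brand_domain: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one URL."""
    # urlparse().hostname strips userinfo, so http://hallmark.com@evil.example
    # is judged by evil.example, not by the decoy in front of the @.
    host = urlparse(url).hostname or ""
    domain = registrable_domain(host)
    brand = brand_domain.lower()
    if domain == brand:
        return "legitimate"      # hallmark.com or any subdomain of it
    brand_word = brand.split(".")[0]
    if brand_word in domain:
        return "lookalike"       # brand name inside a different domain
    return "unrelated"


def suspicious_links(message: str, brand_domain: str) -> list[tuple[str, str]]:
    """Every link in the message that does not land on the brand's domain."""
    findings = []
    for url in URL_RE.findall(message):
        verdict = classify_link(url, brand_domain)
        if verdict != "legitimate":
            findings.append((url, verdict))
    return findings


# Constructed sample body modelled on the chapter's scenario.
SAMPLE_EMAIL = """You have a Hallmark e-card greeting!
View it at http://www.hallmark-ecard.com/view?id=1234
Store: https://www.hallmark.com/
Unsubscribe: http://mailer.example.net/u/99
"""

if __name__ == "__main__":
    for url, verdict in suspicious_links(SAMPLE_EMAIL, "hallmark.com"):
        print(f"{verdict:10s} {url}")
```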
