E-Card Remote Code Execution Scam

From: Jonathan A. Zdziarski (jonathanat_private)
Date: Sat Sep 28 2002 - 02:25:12 PDT

Next message: skipperat_private: "Re: AIM-based worm?"

Previous message: Jonathan A. Zdziarski: "RE: E-Card Remote Code Execution Scam"
Next in thread: Jeff Jirsa: "Re: E-Card Remote Code Execution Scam"
Reply: Jeff Jirsa: "Re: E-Card Remote Code Execution Scam"
Reply: Fulton Preston : "RE: E-Card Remote Code Execution Scam"
Reply: H.Karrenbeldat_private: "RE: E-Card Remote Code Execution Scam"
Reply: Axel Pettinger: "Re: E-Card Remote Code Execution Scam"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This seems an aweful lot to me like a Remote Code Execution Scam...

I received an email addressed to "Undisclosed Recipients" notifying me
that I received an E-Card today, so I went to the site
http://www.surprisecards.net/viewcard.htm?id_num=[Undisclosed]&card=Pick
+up to view the card.  Oddly, I received a security warning asking me if
I wanted to allow some code to run on my machine.  Noticing the odd
choice of form variables as opposed to other e-card sites (not to
mention the fact that I could type in any number and get the same
screen), and with an eyebrow now raised I went to the main website
http://www.surprisecards.net to find "Welcome to the future home of
richardoliver.web.aplus.net".  So I figure, if there's no way to send a
card from this website then chances are nobody sent me a valid card.

I took a look at the Thawte certificate for the card viewer "code" and
got www.cytron.com, some no-name development website with nothing more
than a phone number.

At the moment I'm not in front of any sacrificial machine to test the
card out on, but I suspect this email is being mailed out as a scam in
an attempt to run arbitrary code on the user's machine using a valid
Thawte certificate.  What the code does when it loads I've no idea as
I'm not dumb enough to try it on my home machine.

In summary, my suspicion that this is the case is based on the
following:

1. The email was from egreetingsat_private, yet was not redirecting me
to a yahoo site.  (It was in fact coming from a yahoo mail server
though).  

2. The email was NOT from surprisecard.net

3. The email was addressed to undisclosed recipients

4. There is no medium for sending cards from this site

5. www.cytron.com has no credible information about any card reader
product or even the company.

Perhaps someone in front of some extra hardware can take this and roll
with it.



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: skipperat_private: "Re: AIM-based worm?"
Previous message: Jonathan A. Zdziarski: "RE: E-Card Remote Code Execution Scam"
Next in thread: Jeff Jirsa: "Re: E-Card Remote Code Execution Scam"
Reply: Jeff Jirsa: "Re: E-Card Remote Code Execution Scam"
Reply: Fulton Preston : "RE: E-Card Remote Code Execution Scam"
Reply: H.Karrenbeldat_private: "RE: E-Card Remote Code Execution Scam"
Reply: Axel Pettinger: "Re: E-Card Remote Code Execution Scam"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sat Sep 28 2002 - 17:44:08 PDT