MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Tuesday, 19 June 2007

Father's Day Surprise!

Father's Day [in the UK] fell on Sunday the 17th of June, and along with the usual cards and presents from my wife and son I received an e-card, which I wasn't expecting.

Here is a screenshot of the e-mail I received:



The link, as you might expect, actually goes to a different site than 'AmericanGreetings.com'; in fact, at the time I received it, it went to 'americangreetingsc.net', and a second one I received a few minutes later went to 'americangreetingsc.org'. Did you notice the appended 'c'?
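As an added example (not code from the original post), here is a small Python check that an e-mail gateway or a cautious recipient could run over an HTML message to flag exactly the trick described above: anchors whose visible text names a trusted brand while the link target is a lookalike domain with the brand name embedded in it. The trusted-domain allowlist, the brand token list and the sample message body are assumptions constructed for the demonstration; only the two lookalike hosts come from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the allowlist of legitimate e-card sender domains a gateway would maintain.
TRUSTED_DOMAINS = {"americangreetings.com"}
# Assumption: brand tokens whose appearance inside an untrusted domain marks it as a lookalike.
BRAND_TOKENS = ("americangreetings",)


def registrable_domain(host):
    """Return the last two labels of a host, e.g. 'americangreetingsc.net'.

    Good enough for .com/.net/.org as in this post; a public-suffix list would be
    needed to handle two-level TLDs such as .co.uk correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url):
    """Classify the host of a URL as 'trusted', 'lookalike' or 'unknown'."""
    host = urlsplit(url).hostname or ""
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    name = domain.split(".")[0]
    # A brand name buried in an untrusted domain (here with an extra 'c' appended)
    # is the lookalike pattern used by the e-card lure.
    if any(token in name for token in BRAND_TOKENS):
        return "lookalike"
    return "unknown"


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in a message body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_ecard_email(html):
    """Return (href, visible_text, verdict) for each link in an HTML e-mail.

    Verdicts: 'trusted', 'unknown', 'lookalike', or 'spoofed-display' when the
    visible link text names a trusted domain but the target host is not trusted.
    """
    parser = _AnchorCollector()
    parser.feed(html)
    results = []
    for href, text in parser.anchors:
        verdict = classify_link(href)
        if verdict != "trusted" and any(d in text.lower() for d in TRUSTED_DOMAINS):
            verdict = "spoofed-display"
        results.append((href, text, verdict))
    return results


# Constructed sample resembling the lure in the post; the card.php path and the
# unsubscribe link are invented, the two lookalike hosts are the ones the post names.
SAMPLE_EMAIL = """
<p>You have received a Father's Day greeting card!</p>
<p>To view it, visit <a href="http://americangreetingsc.net/card.php?id=123">AmericanGreetings.com</a></p>
<p>Or try the mirror: <a href="http://americangreetingsc.org/card.php?id=123">click here</a></p>
<p><a href="http://americangreetings.com/">Browse more cards</a></p>
<p><a href="http://example.org/unsubscribe">unsubscribe</a></p>
"""

if __name__ == "__main__":
    for href, text, verdict in audit_ecard_email(SAMPLE_EMAIL):
        print(f"{verdict:16} {text!r:26} -> {href}")
```

Run against the constructed sample, the first anchor is reported as 'spoofed-display' (the visible text says AmericanGreetings.com, the target is americangreetingsc.net), the second as 'lookalike', the genuine domain as 'trusted' and the unrelated unsubscribe link as 'unknown'. The substring match on the brand token deliberately errs on the side of flagging; a gateway would typically pair it with a sender-reputation or edit-distance check to reduce noise.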

Here's a screenshot of the website, asking you to download 'Flash Player', which is actually malware:



Interestingly, if you go to the site afterwards, you see a real Father's Day e-card from AmericanGreetings.com. I suspect that they are using a cookie or other tracking method to work out if you have already been to the site before, and change the page behaviour to suit. Very sneaky, although not a new trick, as I reported on the same trick back in February!

Here's a screenshot of the website, showing what you will see when you reload the page or return to the site:



The 'fake' Flash Player is now detected by most AV vendors. The list below was correct at the time of posting:

Scan report of: install_flash_player.exe

Vendor                Detection name (- = no detection)
@Proventia-VPS        -
AntiVir               TR/Dldr.Small.eog.4
Avast!                Win32:Small-FED [Trj]
AVG                   -
BitDefender           Trojan.Downloader.Agent.YCL
ClamAV                Trojan.Downloader-9530
Command               -
Dr Web                Trojan.DownLoader.22389
eSafe                 Win32.Small.eog
eTrust-VET            -
eTrust-VET (BETA)     -
Ewido                 Downloader.Small.eog
F-Prot                -
F-Secure              Trojan-Downloader.Win32.Small.eog
F-Secure (BETA)       Trojan-Downloader.Win32.Small.eog
Fortinet              W32/Small.IAU!tr
Fortinet (BETA)       W32/Small.IAU!tr
Ikarus                Trojan-Downloader.Agent.YCL
Kaspersky             Trojan-Downloader.Win32.Small.eog
McAfee                Generic Downloader.k trojan
McAfee (BETA)         Generic Downloader.k trojan
Microsoft             -
Nod32                 -
Norman                W32/DLoader.CXCE
Panda                 Trj/Downloader.OUX
Panda (BETA)          Trj/Downloader.OUX
QuickHeal             TrojanDownloader.Small.eog
Rising                Trojan.DL.Win32.Mnless.e
Sophos                Troj/DwnLdr-GVP
Symantec              Downloader
Symantec (BETA)       Downloader
Trend Micro           TROJ_SMALL.IAU
Trend Micro (BETA)    TROJ_SMALL.IAU
VBA32                 Trojan.DownLoader.22389
VirusBuster           -
WebWasher             Trojan.Dldr.Small.eog.4
YY_A-Squared          -
YY_Spybot             -

I will be writing about the current glut of fake e-cards again later this week as the 'Bad Guys and Girls' seem to be using this as their preferred social engineering technique at the moment, sometimes with hilarious or very messy results...
