My Pet Goat - "To: Dear darling"
"To: Dear darling"
Today, I got a "greeting card" that appeared to be from 123Greetings.com. There were a few suspicious things about it. For one thing, the header was a little strange.

To: Dear darling,

Message: i hope you like this card that i have made only for you

Uh huh. The links didn't point to 123Greeting.com at all. Rather, the link looked like http://1077724866/e-card.html, which would translate to 64.60.198.194. Sho 'nuff, when I checked that out, the "greeting card" itself was at http://64.60.198.194/GreetingCardNr0410112528543.flash.exe. Riiiiight.

The IP itself mapped to 64-60-198-194.cust.telepacific.net, so I decided to do my good deed for the day by calling Telepacific customer support and reporting an apparent phishing/Trojan scheme associated with a machine on their network. The tech support technician insisted that it was no problem at all; someone had just sent me a greeting card, and I didn't have to open it. I tried explaining why this *did* seem like a problem, but he didn't seem to be too concerned. Would he have taken me more seriously if I were male? I don't know.

Note: The sender was apparently 80.57.9.62 (g9062.upc-g.chello.nl), which is not designated as a permitted sender by the e-cards@123greetings.com domain.

Current Mood: irate
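The two tells in this post are a URL whose "host" is a plain 32-bit integer (browsers silently treat 1077724866 as 64.60.198.194, so a filter that only looks for dotted quads misses it) and a download with a stacked extension (.flash.exe) that does not belong to a greeting card. The helper below is an added example, not code from the post or from 123Greetings; it decodes integer-form and hex-form hosts, checks whether the real host sits under the domain the message claims to come from, and flags executable payloads. The function and constant names are mine, and the only inputs taken from the post are the two URLs it quotes.

```python
"""Triage helper for e-card style lures: decode integer-form hosts and flag
disguised executables.  Added example; the names here are hypothetical."""
import ipaddress
from urllib.parse import urlparse

# Extensions a "greeting card" link has no business delivering (constructed list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}


def decode_host(host: str) -> str:
    """Return the dotted-quad form of an integer-form IPv4 host.

    http://1077724866/ is accepted by browsers as a 32-bit IPv4 address;
    decimal and 0x-prefixed hex spellings are folded into dotted-quad form
    here.  Anything that is not a number in the IPv4 range is returned
    unchanged so ordinary hostnames pass straight through.
    """
    h = host.strip().lower()
    try:
        if h.startswith("0x"):
            n = int(h[2:], 16)
        elif h.isdigit():
            n = int(h, 10)
        else:
            return host
    except ValueError:
        return host
    if not 0 <= n <= 0xFFFFFFFF:
        return host
    return str(ipaddress.IPv4Address(n))


def triage_link(url: str, claimed_domain: str) -> dict:
    """Compare where a link claims to come from with where it really points.

    Returns the decoded host, the filename at the end of the path, a list of
    human-readable findings and an overall 'suspicious' verdict.
    """
    parsed = urlparse(url)
    raw_host = parsed.hostname or ""
    actual_host = decode_host(raw_host)
    filename = parsed.path.rsplit("/", 1)[-1]
    parts = filename.lower().split(".")
    findings = []

    if actual_host != raw_host:
        findings.append(f"integer-form host {raw_host} decodes to {actual_host}")

    try:
        ipaddress.ip_address(actual_host)
        findings.append(f"link points to a bare IP address, not to {claimed_domain}")
    except ValueError:
        # A real hostname: it must be the claimed domain or a subdomain of it.
        if not (actual_host == claimed_domain
                or actual_host.endswith("." + claimed_domain)):
            findings.append(f"host {actual_host} is not under {claimed_domain}")

    if len(parts) > 2 and parts[-1] in EXECUTABLE_EXTS:
        findings.append(f"double extension disguises an executable: {filename}")
    elif len(parts) > 1 and parts[-1] in EXECUTABLE_EXTS:
        findings.append(f"link delivers an executable: {filename}")

    return {"host": actual_host, "filename": filename,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    # The two links quoted in the post, plus a constructed legitimate one.
    for link in ("http://1077724866/e-card.html",
                 "http://64.60.198.194/GreetingCardNr0410112528543.flash.exe",
                 "http://www.123greetings.com/view/card"):
        report = triage_link(link, "123greetings.com")
        print(link, "->", report["host"], report["findings"])
```

The domain comparison deliberately requires a dot boundary, so a look-alike such as fake123greetings.com is not accepted as "under" 123greetings.com. The same two checks can be run over every URL in an incoming message before it reaches a mailbox.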

Comments
From: ex_rodentrag913 Date: June 16th, 2006 04:29 pm (UTC)
But darling, I really did make that card only for you.

From: ex_rodentrag913 Date: June 16th, 2006 04:31 pm (UTC)
And about the male thing, ... he may or may not have taken you more seriously. Low level technicians are morons that are paid $12 an hour. You could put a well-published guy with a PhD in front of him and he probably wouldn't take him seriously.

From: mrscake Date: June 16th, 2006 04:43 pm (UTC)
True - maybe I was a little prickly. Dealing with the guy was pretty frustrating, though.
From: ex_rodentrag913 Date: June 16th, 2006 08:30 pm (UTC)
Why do you think I hated CITES so much anyway? It's the same IT department attitude. I suspect it might be amplified 10% for women, but consider also that more women are tech illiterate than men.

I can't back that up with facts, but I suspect it may be true and am asking you to accept the statement on faith. I'm just extrapolating from how it was 20:1 men:women in the college of engineering.

From: mrscake Date: June 17th, 2006 12:00 am (UTC)
Do you suppose Telepacific also has white vans? :)
From: mrscake Date: June 16th, 2006 04:42 pm (UTC)
How sweet of you, darling!
From: (Anonymous) Date: June 18th, 2006 06:39 pm (UTC)

Me too...

although instead of going about it that way, I just googled 1077724866 and stumbled upon your site.

From: mrscake Date: June 18th, 2006 10:07 pm (UTC)

Re: Me too...

Thanks. I just got yet another one today, and the Trojan's still up on that site. I sent it to the FTC spam address and will probably go ahead and report it to CERT. It's unfortunate that Telepacific still hasn't done anything about the situation.
From: (Anonymous) Date: June 19th, 2006 01:05 am (UTC)

I got one, too!

I received the same message this evening, and went through the exact same mental process. Actually, I began by visiting the 123greeting.com site (not following the link, just in a new browser), and was completely unsurprised that their site reported the link as an invalid card number.

I also noticed that the link was misdirected to download a file from a distinctly non-123greeting.com-related IP address. And while the link looked like [somethingsomethingsomething].flash, the file that came down the pipe was [somethingsomethingsomething].flash.exe. As one nice touch, the icon associated with the file is a nice, professional-looking rose.

Oddly, both Symantec Antivirus and Ad-Aware seem to see no problem with the file.

My analysis will continue - feel free to email me with info: djs10@po.cwru.edu - or visit my website: www.djstein.com

- David Stein
From: mrscake Date: June 19th, 2006 07:39 am (UTC)

Re: I got one, too!

Thanks - my followup post is at http://mrscake.livejournal.com/168996.html
From: greenday_gd Date: June 19th, 2006 11:48 pm (UTC)
I downloaded it. *Cries* I can't believe I was so stupid. Do you know any way I can get it off at all?

Thank You. =]

P.S. I also logged the IP on the file while it was downloading.
From: mrscake Date: June 20th, 2006 12:57 am (UTC)
I put some suggestions up at http://mrscake.livejournal.com/169815.html. Bear in mind that I'm not a security expert.