Your “secret admirer” just sent you an electronic Valentine’s Day card and you can’t wait to find out who it’s from. Think twice before you do that. Your computer could wind up with a digitally transmitted disease.
Hackers use anonymous electronic greeting cards to sneak their malicious software onto unprotected computers. They want you to click on the link in the e-mail or instant message to retrieve your e-card. That will send you to their web site, which has malware waiting to be downloaded.
“An anonymous e-card always piques your curiosity,” says Seth Caplan of Los Angeles. He believes he got a virus on his machine when he clicked a link to retrieve a card from an unknown sender. Luckily, he was able to remove the infection with antivirus software. “I’m definitely more careful with e-cards now,” Caplan says. “I’m a lot more vigilant.”
Once a computer is infected, it can quickly spread the malicious code. That’s what happened at Augusta State University. According to the school’s web site, a campus-wide outbreak took place last month after a couple of students were fooled by malicious e-mail made to look like it was from Hallmark. It wasn’t.
“This particular malware appeared to take advantage of a user’s e-mail address book in order to send replications of the e-card message,” writes Damon Armour, the school’s IT security officer. “As you can see, it only takes a few users to quickly spread the malware across campus.”
“Electronic cards are nice, but caution is the word of the day,” says Howard Schmidt, an internationally recognized expert on cyber security. Schmidt tells me if he gets an e-mail alert and it doesn’t show the name of the person who sent the card or if he doesn’t recognize the sender’s e-mail address, he deletes it right away.
If the link is bogus and you land on a rogue site, the malware the scammers load on your computer “can give them a constant back door into your system,” Schmidt warns. They can turn your computer into a zombie that sends out spam or they can install a program that will “harvest” your passwords and account numbers when you shop or bank online. That information could be sent to a server somewhere in the world where it will be used to run up charges on your credit card, drain your bank account and commit identity theft.
Bad guys always follow the crowd
Electronic cards are still a small but growing part of the greeting card market. Last year, about 500 million e-cards were sent worldwide.
E-cards have a lot going for them. They’re environmentally friendly, relatively cheap (or free), and you can send them at the last minute.
The industry knows cyber-thieves use fake greeting cards to deliver their malicious software. “We’ve been working with the FBI for two years now,” says Barbara Miler with the Greeting Card Association. “We encourage people to report e-card fraud to them.”
Some of the bogus sites look very legitimate. The card above, left, with rows of hearts, looks cute and harmless. It asks the question, “Guess which one is for you?” Kurt Baumgartner, vice president of behavioral threat research at PC Tools, an internet security firm, says if you go to the site your computer will be infected with the Waledac worm that could clog up your machine and do other nasty things.
“This Web site can exploit any sort of vulnerability that’s on your machine,” Baumgartner explains. Once that vulnerability is found, the site will download and install the worm that lets the bad guys control your system. What’s really scary is you’d probably never know it.
Researchers at McAfee, the well-known Internet security company, say spammers started sending bogus Valentine card e-mail alerts earlier this year. The first ones were spotted January 22. Many of them contain messages such as “Deeply in love with you,” and “Only you in my heart.”
One of the newest scams involves an e-mail offering a free development kit that supposedly lets you create your own Valentine e-cards. The message features a pair of adorable Shih Tzu puppies (see above, right). Click on the link to get the kit and you’ve just infected your computer.
Start by having good security software that you update every day. And be sure to get the latest updates and patches for all your software, especially those vulnerable plug-ins.
Never click a link in a greeting card alert unless you recognize the name of the sender or the e-mail address. Consider all anonymous cards dangerous. Never open an attachment that supposedly contains a greeting card. E-cards are no longer sent this way.
All legitimate e-cards give you the full name or e-mail address of the sender. Unfortunately, this is not foolproof. The bad guys can now spoof the name and e-mail address of someone you know by stealing information from computer address books.
The only way to be 100 percent safe is to call or e-mail the person who supposedly sent the card to make sure they did. Or you can retrieve the e-card from the publisher’s web site without clicking on that link.
Here’s something you can do when you send an e-card. E-mail the recipient to let him or her know that a card is on its way and safe to open. Or you can get the URL of the card when you are on the greeting card web site and include that in your e-mail.
Yes, all of this is a real pain – but unfortunately that’s the world we live in.