
Cyber Criminals Using eCards to Deliver Malicious Rootkit and Keylogger Exploits

Thousands in Australia affected, malicious eGreetings now being spammed around the world

A major cyber criminal ring was discovered by researchers at Exploit Prevention Labs recently. The crime ring, operating in Australia, used what appear on the surface to be Yahoo! Greetings eCards to infect thousands of computer users with malicious keylogger malware, which was then used to steal credit card numbers, bank account usernames and passwords, and other personal information. Although the total number of affected users remains unclear, researchers were able to confirm that accounts at nearly every Australian bank were affected. The researchers quickly contacted Australian police authorities, who coordinated with banks and other institutions to protect affected users.

Earlier this week, further evidence emerged that malicious eCard spammers have expanded their operations beyond Australia and Yahoo! Greetings, with confirmed targets in North America, Europe and Asia using a variety of eCard supplier accounts.

The Australian eCard scammers placed a malicious hyperlink in the email, which first sends the user's web browser to an exploit server. The exploit server checks to see if the user's web browser has been patched for the latest software vulnerabilities, and if it's unpatched, the server silently force-downloads a rootkit and a keylogger onto the user's computer before redirecting the web browser to an authentic Yahoo! Greetings card.
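The chain just described (email link to an exploit server, a forced download for unpatched browsers, then a redirect to the genuine card) leaves a recognizable trail in web-proxy logs. The following Python is an added example, not code from the article or from Exploit Prevention Labs; the log format, the host names and the trusted-host list are assumptions, and the heuristic will also flag benign tracking redirects at the lower severity.

```python
from urllib.parse import urlparse
from collections import defaultdict

# Assumption for this example: hosts that legitimately serve eCards.
TRUSTED_ECARD_HOSTS = {"greetings.yahoo.com"}
# Content types an eCard landing chain should never hand the browser.
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload"}

# Constructed proxy log: client|url|status|content-type|location (hypothetical hosts).
PROXY_LOG = [
    "10.0.0.5|http://ecard-notice.example/view?id=123|302|text/html|http://exploit-host.example/check.php",
    "10.0.0.5|http://exploit-host.example/check.php|200|application/octet-stream|-",
    "10.0.0.5|http://exploit-host.example/check.php|302|text/html|http://greetings.yahoo.com/card?id=123",
    "10.0.0.5|http://greetings.yahoo.com/card?id=123|200|text/html|-",
    "10.0.0.9|http://greetings.yahoo.com/card?id=987|200|text/html|-",
]

def parse_log(lines):
    """Split each pipe-delimited line into a record dict."""
    keys = ("client", "url", "status", "ctype", "location")
    return [dict(zip(keys, line.split("|"))) for line in lines]

def chains_by_client(records):
    """Group records per client, preserving order, as one browsing chain each."""
    chains = defaultdict(list)
    for r in records:
        chains[r["client"]].append(r)
    return chains

def rate_chain(chain):
    """Rate one chain: 'high' if an untrusted host served an executable before
    the browser landed on a trusted eCard host (the forced-download case),
    'medium' if it merely bounced through an untrusted host (a patched
    browser would still show this), 'none' otherwise."""
    hosts = [urlparse(r["url"]).hostname for r in chain]
    landed_on_ecard = hosts[-1] in TRUSTED_ECARD_HOSTS
    untrusted_hops = [r for r, h in zip(chain, hosts) if h not in TRUSTED_ECARD_HOSTS]
    if not landed_on_ecard or not untrusted_hops:
        return "none"
    if any(r["ctype"] in EXECUTABLE_TYPES for r in untrusted_hops):
        return "high"
    return "medium"

def find_suspicious(lines):
    """Return {client: severity} for every chain rated above 'none'."""
    result = {}
    for client, chain in chains_by_client(parse_log(lines)).items():
        severity = rate_chain(chain)
        if severity != "none":
            result[client] = severity
    return result
```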

The actual exploit, known as MDAC, has been gaining in popularity among cyber criminals. The MDAC exploit code is launched by a WebAttacker script, which was developed by Russian cyber criminals. According to Exploit Prevention Labs, WebAttacker is the most prevalent Internet-borne exploit generator; it was also behind the new VML exploit.

Systems that are up to date on patching should not be vulnerable to the original version of this eCard exploit, but the latest version of the eCard scam is significantly different, and is indicative of an escalation of the threat.
