Email security: would you open this?

I don't get much spam or such, but received this today.

http://www.urs2.net/rsj/computing/imgs/postcard_agent.gif


Do you use e-cards? If so, How do you decide if it is legitimate or not? Would you open this one?

What if someone wanted to send/receive e-cards between friends. What would you advise?

--> Never use them because of possible malware attached?

--> Or, Yes, but ____________ (suggest how to be safe).
​

My email program displays as text only, so I have to open in the browser to see it.
In this one, hovering the mouse over the hyperlink reveals a spoof:

http://www.urs2.net/rsj/computing/imgs/postcard_opera.gif

If someone did click on the link not realizing that it would attempt to download an executable,
the browser should alert. Here even the much-maligned IE set on low security, prompts:

http://www.urs2.net/rsj/computing/imgs/postcard_ie-low.gif

http://www.urs2.net/rsj/computing/imgs/postcard_ie-low-dl-1.gif

If you got this far, would you permit the download?

If downloaded, the user could become part of a botnet.

See analysis of trojan mIRC

regards,


-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

Hello,

I do not use e-cards. I hate e-care. I hate any sort of affection shown through emails, be it postcards, presentations, cuticons etc. If people wanna greet you or love you or whatever - let them call you.

I would not open it ... I would trash it. Regardless of whether is was genuine or not.

Mrk

 

It's not my sort of thing and wouldn't get out of the gate now - tho' I admit in the early days I found them intriguing.

Nicely illustrated tho Richard

Tks.

 

When you type in the link for postcards.org manually and on top of the page give in the pickup code you get the message it is wrong or has expired.
Suppose your protection will beep and block pop ups, activeX and indicate suspicious site, while your HOSTS file might make it even impossible at all to visit the site.

I think a "legal"card would contain at least a personal name in the first place.
Sender egreetings.com and pick up the card from postcard.org which links to newfriendsonline com?
Yeah, a whole mIRC box full new "friends"waiting for you.
Google for the newfriendsonline com and you see some descriptions for dating sites, etc without visiting it actually.
So this to end your possible confusion after your bright analyse.

 

I'd be intrigued, so I would probably click on the link and let my software restriction policy block any untoward behaviour.

 

I never click on a link with in an e mail since I have my client set to plane text. At the most I may copy and paste. Having said that. I have received e-cards, none of which have ever prompted me to download them.
A suggestion, save the e-mail. If the sender is truly a Family member then he\she will probably contact you to ask if you got it. One last thing to keep in mind. If the sender is not very knowledgeable in the dangers of the net it could still be dangerous to accept\download it.

 

I always look in the source or hover over a link and do some searches.

So what keeps you from trying the link in the image?
Would not recommend to try it, but if you like ......

 

Well, I've made it home now so I had a go. I would have been expecting to open up a website where I could view the card, not be asked if I wanted to run or save a file. At that point I would have halted proceedings.

Just for the record, I chose run, it downloaded and was blocked from executing by the software restriction policy. In a way though, that's what's nice about SRP. You can do silly things and get away with it. I can surf around and open e-mails without needing to think or worry about becoming infected. I only need to think about things when I switch SRP off to install a piece of software.

 

I agree. I do on rare occasions use e-cards (not as often as I used to), but won't touch anything that doesn't say who the sender is. And I don't consider "family member" as proper info.

 

I don't trust e-cards.
I wouldn't open it.

 

Why would I open a .exe file? Most ecards are hosted online and are Flash based anyways, so you should already be suspicious.

 

I use e-cards to send greetings to others (online people mostly). I only get greetings from specific people so I ignore any from any other sender. Some of what I send and receive use Flash animation. I don't install any attachments with an EXE or any executable extension associated with it from any email. I usually only get e-cards in a very low volume during the holiday season so I know who would send me one. Any message with any vague sender information would be ignored.

 

I phoned a friend when the above email postcard arrived and said it was the first I had received this year. She hadn't noticed many either, compared to the flurry of them last year. Sans.org wrote up one in December:

Postcard.exe - Let the mutations begin
http://isc.sans.org/diary.html?storyid=1988

We discussed e-cards and security, and I remembered an acquaintance asking me before the Christmas season, how to use e-cards. He didn't ask my opinion about e-cards, so I didn't offer it, as it would be just my point-of-view and not relevant to his question, unless there would be some compelling reason to advise him not to use them. Which there is not, since they can be safely dealt with.

I replied, Similar to dealing with attachments. The email program displays in text view so nothing runs automatically. If he recognizes the sender, then he can open it. Similar to what ccsito posted above.

--> for sending e-cards: one solution - between those on the user's mailing list, agree to use sites like webshots which include the sender's name in the subject line

Arriving as text message:

http://www.urs2.net/rsj/computing/imgs/postcard_ecard-1.gif
​

Opened as html:

http://www.urs2.net/rsj/computing/imgs/postcard_ecard-2.gif
​

--> for sending attachments and links: one solution - similar: between those on the user's mailing list, include sender's name and prearranged word in the subject line.

I think many people are recognizing that you can't depend solely on the email program and browser, and they should have some protection behind them, as SpikeyB shows. This is certainly true for remote code exploits.

The example I gave is pretty straight forward - direct downloading of an executable, which most people wouldn't do.

Last year's postcards were much more inventive, albeit dependent on social engineering to trigger it.

Really clever was the one that contained five exploits, hoping that the victim's computer would have at least one unpatched vulnerability, which would download the trojan.

postcards.com for 2005

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

hate the stupid things

but yes Id open it, I open stuff that I know is infected to see if my security works
(and I used to get alot when I had a public email addy) but thats what the browser box is for

I wouldnt touch any attachment on my workstation
and only view email as plain text while in the sandbox