Email security: would you open this?

Discussion in 'other security issues & news' started by Rmus, Jan 22, 2007.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I don't get much spam or such, but received this today.

    http://www.urs2.net/rsj/computing/imgs/postcard_agent.gif


    Do you use e-cards? If so, How do you decide if it is legitimate or not? Would you open this one?

    What if someone wanted to send/receive e-cards between friends. What would you advise?

    --> Never use them because of possible malware attached?

    --> Or, Yes, but ____________ (suggest how to be safe).

    My email program displays as text only, so I have to open in the browser to see it.
    In this one, hovering the mouse over the hyperlink reveals a spoof:

    http://www.urs2.net/rsj/computing/imgs/postcard_opera.gif

    If someone did click on the link not realizing that it would attempt to download an executable,
    the browser should alert. Here even the much-maligned IE set on low security, prompts:

    http://www.urs2.net/rsj/computing/imgs/postcard_ie-low.gif

    http://www.urs2.net/rsj/computing/imgs/postcard_ie-low-dl-1.gif

    If you got this far, would you permit the download?

    If downloaded, the user could become part of a botnet.

    See analysis of trojan mIRC

    regards,


    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Hello,

    I do not use e-cards. I hate e-care. I hate any sort of affection shown through emails, be it postcards, presentations, cuticons etc. If people wanna greet you or love you or whatever - let them call you.

    I would not open it ... I would trash it. Regardless of whether is was genuine or not.

    Mrk
     
  3. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    It's not my sort of thing and wouldn't get out of the gate now - tho' I admit in the early days I found them intriguing.

    Nicely illustrated tho Richard :)

    Tks.
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    When you type in the link for postcards.org manually and on top of the page give in the pickup code you get the message it is wrong or has expired.
    Suppose your protection will beep and block pop ups, activeX and indicate suspicious site, while your HOSTS file might make it even impossible at all to visit the site.

    I think a "legal"card would contain at least a personal name in the first place.
    Sender egreetings.com and pick up the card from postcard.org which links to newfriendsonline com?
    Yeah, a whole mIRC box full new "friends"waiting for you.
    Google for the newfriendsonline com and you see some descriptions for dating sites, etc without visiting it actually.
    So this to end your possible confusion after your bright analyse.
     
    Last edited: Jan 22, 2007
  5. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    I'd be intrigued, so I would probably click on the link and let my software restriction policy block any untoward behaviour.
     
  6. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    I never click on a link with in an e mail since I have my client set to plane text. At the most I may copy and paste. Having said that. I have received e-cards, none of which have ever prompted me to download them.
    A suggestion, save the e-mail. If the sender is truly a Family member then he\she will probably contact you to ask if you got it. One last thing to keep in mind. If the sender is not very knowledgeable in the dangers of the net it could still be dangerous to accept\download it.
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I always look in the source or hover over a link and do some searches.

    So what keeps you from trying the link in the image?
    Would not recommend to try it, but if you like ......
     
  8. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    Well, I've made it home now so I had a go. I would have been expecting to open up a website where I could view the card, not be asked if I wanted to run or save a file. At that point I would have halted proceedings.

    Just for the record, I chose run, it downloaded and was blocked from executing by the software restriction policy. In a way though, that's what's nice about SRP. You can do silly things and get away with it. I can surf around and open e-mails without needing to think or worry about becoming infected. I only need to think about things when I switch SRP off to install a piece of software.
     
    Last edited: Jan 22, 2007
  9. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    I agree. I do on rare occasions use e-cards (not as often as I used to), but won't touch anything that doesn't say who the sender is. And I don't consider "family member" as proper info.
     
  10. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    I don't trust e-cards.
    I wouldn't open it.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Why would I open a .exe file? Most ecards are hosted online and are Flash based anyways, so you should already be suspicious. :rolleyes:
     
    Last edited: Jan 22, 2007
  12. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    I use e-cards to send greetings to others (online people mostly). I only get greetings from specific people so I ignore any from any other sender. Some of what I send and receive use Flash animation. I don't install any attachments with an EXE or any executable extension associated with it from any email. I usually only get e-cards in a very low volume during the holiday season so I know who would send me one. Any message with any vague sender information would be ignored.
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I phoned a friend when the above email postcard arrived and said it was the first I had received this year. She hadn't noticed many either, compared to the flurry of them last year. Sans.org wrote up one in December:

    Postcard.exe - Let the mutations begin
    http://isc.sans.org/diary.html?storyid=1988

    We discussed e-cards and security, and I remembered an acquaintance asking me before the Christmas season, how to use e-cards. He didn't ask my opinion about e-cards, so I didn't offer it, as it would be just my point-of-view and not relevant to his question, unless there would be some compelling reason to advise him not to use them. Which there is not, since they can be safely dealt with.

    I replied, Similar to dealing with attachments. The email program displays in text view so nothing runs automatically. If he recognizes the sender, then he can open it. Similar to what ccsito posted above.

    --> for sending e-cards: one solution - between those on the user's mailing list, agree to use sites like webshots which include the sender's name in the subject line

    Arriving as text message:


    Opened as html:


    --> for sending attachments and links: one solution - similar: between those on the user's mailing list, include sender's name and prearranged word in the subject line.

    I think many people are recognizing that you can't depend solely on the email program and browser, and they should have some protection behind them, as SpikeyB shows. This is certainly true for remote code exploits.

    The example I gave is pretty straight forward - direct downloading of an executable, which most people wouldn't do.

    Last year's postcards were much more inventive, albeit dependent on social engineering to trigger it.

    Really clever was the one that contained five exploits, hoping that the victim's computer would have at least one unpatched vulnerability, which would download the trojan.

    postcards.com for 2005

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
     
    Last edited: Jan 23, 2007
  14. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    hate the stupid things

    but yes Id open it, I open stuff that I know is infected to see if my security works :p
    (and I used to get alot when I had a public email addy) but thats what the browser box is for

    I wouldnt touch any attachment on my workstation
    and only view email as plain text while in the sandbox
     
Loading...
Thread Status:
Not open for further replies.