Cyren Security Blog

Not a “Halmark” Greetings Card

Since this is my second post on the Commtouch blog I have added a brief intro – I have been working in the antivirus industry since 2004. I’ve served as an Escalation Anti-Virus Engineer at Trend Micro, Inc., a Senior Anti-Malware Analyst at F-Secure, Inc., and currently work as a Computer Virus Analyst at Commtouch, in the Antivirus Division (previously Authentium) – now on to the post…

With the holiday season just around the corner we were not surprised to receive some greeting card emails. Viewing the “from address” of the email as shown below gives a hint that it’s truly spam. The email is from “Halmark Greetings”? “Halmark” with a single ‘L’? The correct spelling is of course ‘Hallmark’ (the largest manufacturer of greeting cards in the United States).
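A mail filter can automate the check made by eye in the paragraph above. The following is an added example, not code from the original post: it flags a From display name that is a near-miss spelling of a protected brand, or a correct spelling sent from an unlisted domain. The brand table, the allowed domain, the function names and the sample headers are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr

# Assumption: brands to protect, mapped to domains treated as legitimate senders.
BRANDS = {"hallmark": {"hallmark.com"}}

def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_allowed(domain, allowed):
    """True if domain is an allowed domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def check_from(header, max_dist=1):
    """Classify a From header value as (verdict, brand).
    'lookalike'     : a display-name word is within max_dist edits of a brand
    'impersonation' : brand spelled correctly, but sender domain is not listed
    'ok'            : neither condition holds"""
    name, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower()
    words = re.findall(r"[a-z0-9]+", name.lower())
    for brand, allowed in BRANDS.items():
        dists = [edit_distance(w, brand) for w in words]
        if any(0 < d <= max_dist for d in dists):
            return ("lookalike", brand)
        if 0 in dists and not domain_allowed(domain, allowed):
            return ("impersonation", brand)
    return ("ok", None)

# Constructed sample headers (not taken from the campaign described here).
SAMPLES = [
    '"Halmark Greetings" <cards@greetings.example>',
    '"Hallmark Greetings" <cards@greetings.example>',
    '"Hallmark" <ecards@mail.hallmark.com>',
    '"Alice Example" <alice@example.org>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(check_from(header), header)
```

A distance threshold of 1 keeps false positives low for a brand of this length; shorter brand names need an exact-match or allowlist approach instead.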

Clicking the link takes recipients to a site that looks like this:

We analyzed the website and found the code obfuscated.

De-obfuscating the code shows the real intention of the attacker – downloading and executing malware through exploits. The malware exploits a range of vulnerabilities in RealPlayer, Java, Flash Player and Adobe Reader.

Following a successful exploit, the software may download and execute malware from the following links (Command Antivirus detection is listed on the right):

  • hxxp://122..72/b/ctyvytasbljuxle.jar – Java/ByteVerify.F
  • hxxp://122..72/b/bwcucwatjtfo4.swf – SWF/Expl.H
  • hxxp://122..72/b/kub.php?i=2 – W32/Poison.U
  • hxxp://122..72/b/kub.php?i=7&&&&& – W32/Poison.U
  • hxxp://122..72/b/dqjmymytbvyzj9.pdf – PDF/Expl.IK
  • hxxp://122..72/b/jvkzfnxlgnfz.pdf – PDF/Expl.IL

Attackers will surely use this opportunity to spread malware, so don’t fall for these emails as the holidays approach.

Happy Holidays!
