Security Response

E-card Spam Claims to Help Users Get Rich Quick

The scam uses websites that pose as legitimate companies to trick people.
Created: 23 Jun 2014 21:05:36 GMT • Updated: 26 Jun 2014 16:48:13 GMT
Sean Butler

On June 19, we came across an interesting e-card spam campaign. E-card spam typically distributes malware; however, this campaign simply redirects the user to a “get rich quick” website.

This campaign’s emails are very basic. The messages are sent from a spoofed 123greetings.com email address and contain one sentence and a link.


Figure 1. E-card spam campaign email

After looking at the header for one of the emails, we saw that the email appears to have been sent from an Amazon IP address. This is most likely an attempt to trick anyone that reads the header into thinking the email is legitimate. However, the IP address actually resolves to a DNS name that is not associated with Amazon.

In the body of the emails, the spammers use URL shorteners to redirect victims to their site. In this example, the spammers used Google’s URL shortening service. Normally, 123greetings does not use URL shorteners for its e-card service. Instead, it provides a URL which contains its own domain name.

The link directs users to a Web page that mimics the appearance and domain name of 123greetings. According to records on WhoIs, this domain was registered on June 17 in Panama. Additional details were hidden by WhoIsGuard privacy.


Figure 2. Fake 123greetings website
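
The link traits described above (a shortened URL where 123greetings would use its own domain, and a destination domain that imitates the brand) can be checked mechanically at a mail gateway. The following Python code is an added example, not Symantec's own; the shortener list, the function names and the sample message, including the `123greetings.example` placeholder domain, are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed shortener hosts; extend with what your own mail gateway sees.
SHORTENERS = {"goo.gl", "bit.ly", "tinyurl.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample message; none of these URLs come from the campaign.
SAMPLE = """\
From: "123Greetings" <ecards@123greetings.com>
To: user@example.org
Subject: You have received an ecard

Someone sent you an ecard: http://goo.gl/EXAMPLE
Mirror: http://www.123greetings.example/view?id=1
Own-domain link: http://www.123greetings.com/view/CONSTRUCTED
"""


def in_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def check_ecard_links(raw_email, brand_domain="123greetings.com"):
    """Return (url, reason) pairs for mail whose From claims brand_domain."""
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not in_domain(sender.rpartition("@")[2], brand_domain):
        return []  # sender does not claim the brand; out of scope here
    body = " ".join(
        (p.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for p in msg.walk() if p.get_content_maintype() == "text")
    brand_label = brand_domain.split(".")[0]
    findings = []
    for url in URL_RE.findall(body):
        host = (urlsplit(url).hostname or "").lower()
        if in_domain(host, brand_domain):
            continue  # legitimate e-card links carry the brand's own domain
        if host in SHORTENERS:
            reason = "shortener"
        elif brand_label in host:
            reason = "lookalike"
        else:
            reason = "off-domain"
        findings.append((url, reason))
    return findings
```

Calling `check_ecard_links(SAMPLE)` flags the shortened link and the imitation domain and passes the own-domain link.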

The fraudulent e-card page offers details on a “get rich quick” scheme, which promises that the user will make thousands of dollars within one week if they pay US$97. The scam encourages the user to click on a link to sign up. While this is not a new technique, the spammer tries to make this campaign seem more legitimate by using 123greetings’ branding.

The link on this webpage redirects users to different remote locations several times before they end up at the “get rich quick” website, which asks the user for their contact details. The spammer will then contact the user, most likely through automated telephone messages or additional emails, to convince the user to sign up and pay to take part in the alleged scheme. As an added bonus, the spammer may use the obtained contact details to target the user with more spam.


Figure 3. “Get rich quick” spam site

We have also seen spam with a slight variation of this campaign. In this variation, the e-card link sends users to a fake BBC news article. The spammer is once again hoping to convince the user that this scam is legitimate before redirecting them to the “get rich quick” website.


Figure 4. Fake BBC news article for “get rich quick” scheme

For the fake news article, the scammer registered another domain that resembles the legitimate BBC domain name. This fake news article promises that the user will be able to make more than US$8,000 a month by paying $97 in advance. The site also contains links to news articles hosted on the legitimate BBC news website in order to make the scam look more authentic. The scammer obviously scraped these links at the time they constructed this fraudulent site. The webpage eventually encourages the user to click on a link which directs them to the “get rich quick” spam site.

Symantec advises users to adhere to the following security best practices:

  • Exercise caution when receiving unsolicited, unexpected, or suspicious emails
  • Avoid clicking on links in unsolicited, unexpected, or suspicious emails
  • Avoid opening attachments in unsolicited, unexpected, or suspicious emails
  • Keep security software up-to-date
  • Update antispam signatures regularly