On June 19, we came across an interesting e-card spam campaign. E-card spam typically distributes malware; however this campaign simply redirects the user to a “get rich quick” website.
This campaign’s emails are very basic. The messages are sent from a spoofed 123greetings.com email address and contain one sentence and a link.
Figure 1. E-card spam campaign email
After looking at the header for one of the emails, we saw that the email appears to have been sent from an Amazon IP address. This is most likely an attempt to trick anyone that reads the header into thinking the email is legitimate. However, the IP address actually resolves to a DNS name that is not associated with Amazon.
In the body of the emails, the spammers use URL shorteners to redirect victims to their site...