E-card slimeware delivers pr0n

Trojan routes surfers to racy sites

  • alert
  • submit to reddit

The Power of One eBook: Top reasons to choose HP BladeSystem

It's no coincidence that one of the most recent Trojan horse programs to enter the FBI's bi-weekly rogues gallery of malicious code is named after an Internet porn company.

The program, dubbed "Cytron" by the bureau's National Infrastructure Protection Center (NIPC) and some anti-virus vendors, is a covert browser plug-in that gives Internet Explorer users something they probably don't want: more pop-up ads, promoting a slew of adult websites.

Users are lured into accepting the program through a wholesome e-mail from egreetings@yahoo.com -- a forged return address. The mail looks convincingly like an electronic greeting card notification, with a cute smiley face background and the text "You have received an e-card" in squiggly block letters.

Clicking on the graphic of a cartoon hand holding an envelope takes the recipient to surprisecards.net, where the surprise is an "e-card viewer plug-in" that they have to accept to read the card. If the user accepts the ActiveX control, which is signed with a credibility-boosting digital certificate, Internet Explorer will begin selectively feeding them racy full-sized pop-up ads for adult websites, mostly operated by Canada-based Cytron Communications Ltd. They never do get a greeting card.

Small touches like the convincing domain name and the authentic digital certificate make the ruse smarter than the average covert adware delivery mechanism. "A lot of people see that it's an authentic certificate... and will just mindlessly click okay," says Jonathan Zdziarski, a Georgia software developer who was among the first to detect the spammy scam late last month after receiving one of the e-mails. "I can certainly see how your average doctor or oil change technician or anyone who's not in the technology field would fall for something like that."

The e-card porn Trojan is the latest advancement in an industry known for pushing the envelope.

"There some perfectly legitimate Internet porn operators, but it is a ruthlessly competitive industry that's constantly looking for new ways to get the click," says Jason Catlett, president of the anti-spam company Junkbusters. "They've always been at the leading edge of tactics, legitimate and illegitimate, for getting more traffic."

Key Phrase Matching

The Cytron program works by scanning the Web sites the victim views for key phrases like "hot sex" or "hard core," then serving up ads based on the matches. The technique seems designed to target only people in the market for porn, luring them away from Cytron competitors while catering to the user's particular sexual inclinations.

But the covert phrase-matching software suffers from the same problem as keyword-based filtering programs: it's easily triggered by destinations that don't necessarily indicate a taste for adult content. In tests by SecurityFocus, browsing a USA Today story about the constitutionality of Internet porn spawned a window promoting the gay men's adult site "Tyler's Room," complete with thumbnail teaser photos of well-endowed models. Surfing to a Christian website selling the video "Porn: the Tragedy Exposed" exposed the front page of another Cytron site offering "The nets [sic] youngest women online," with a topless photo of one of them.

Though Cytron is based in British Columbia, by luring U.S. netizens into installing the covert adware under false pretenses, the company may run afoul of U.S. computer crime laws and regulations prohibiting deceptive trade practices, says Catlett. "It's very ingenious... But if they're fooling people into downloading software, that's still going to be illegal under the Computer Fraud and Abuse act."

The surprisecards.net site is served from a San Diego hosting company unrelated to Cytron, but the domain name is registered to Cytron president and CEO Richard Oliver.

Reached by telephone Friday, Oliver didn't deny pulling the e-card scam. But Oliver says it's a jungle out there, pointing to the spyware and adware routinely bundled with popular file-swapping applications, without the average user knowing it.

"I can name you about a hundred different companies, publicly traded companies, that are doing far worse than I am," said Oliver. "You've never heard of Kazaa, you've never heard of Morpheus, nobody's ever heard of any of these file-sharing companies that put all kinds of software on your computer?... Well, now you've heard of us."

© 2002 SecurityFocus.com, all rights reserved.

Designing a Defense for Mobile Applications

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story


Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.