New eCard Phishing Trick To Be Aware Of
The beauty of a Mac is that I can safely investigate what a phishing e-mail I’ve just been sent has in store for me. In this case, I received an e-mail “from” 123Greetings.com (see the full resolution screen capture of the message) that said, “A friend has sent you an ecard from 123Greetings.com.” The card was to “Dear darling” and the message was short, yet sweet, stating, “i hope you like this card that i have made only for you.”
‘Oh, boy, who’s calling me darling and what did they send?’ would probably be the average person’s reaction. When they click the hyperlinked URL that states 123greetings.com on it, they actually get a page at a server IP of 64.34.149.37 that then downloads something. Something nasty, I’m sure. The Web page, which uses a META tag to start your download automatically, reads:
A friend has sent you an e-card from 123Greetings.com
- download and view your e-card
Your ecard number is:
GreetingCardNr0410112528543.flash
Best wishes,
123Greetings.com
What the download (and the META tag) links to is this: http://64.34.149.37/GreetingCardNr0410112528543.flash.exe. Copy and paste and try at your own risk! Since the Mac cannot run Windows executables (yet), I was safe from this payload. Man, what a bomb I’m sure is packed into this package. Yikes.
Be careful, folks. Phishing, a term used to identify fraudulent e-mails that entice you with an offer and end up stealing your personal information or causing you to download something, is a very common thing now. Firefox and IE both have anti-phishing protection, but things like this e-mail I got can still get by them. So just keep your eyes open and never click a link in an HTML e-mail until your pop-up (in Outlook) or the info bar shows what the real address is behind that URL. If it’s all numbers, don’t click it. Just delete the e-mail.
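The check described above can be automated. This is an added example, not part of the original post: it flags links whose visible text names one site while the target is an "all numbers" address, and download names that hide an executable behind a second extension. The function names, the extension list and the sample HTML are assumptions constructed from the message described here.

```python
import ipaddress, re
from html.parser import HTMLParser
from urllib.parse import urlparse

EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat"}  # assumed list, extend as needed

class LinkAudit(HTMLParser):  # collects (target URL, visible text) pairs
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # META refresh content looks like "0; url=http://host/file"
            m = re.search(r"url\s*=\s*['\"]?([^'\";\s]+)", a.get("content") or "", re.I)
            if m:
                self.links.append((m.group(1), "<meta refresh>"))
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def findings(href, text):
    out, url = [], urlparse(href)
    host = url.hostname or ""
    try:
        ipaddress.ip_address(host)
        out.append("ip-literal-host")        # the "all numbers" address
    except ValueError:
        pass
    shown = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text.lower())
    if shown and host and host != shown.group(0) and not host.endswith("." + shown.group(0)):
        out.append("text-host-mismatch")     # link text names a different site
    parts = url.path.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS:
        out.append("double-extension-executable")
    return out

def audit(html):
    parser = LinkAudit()
    parser.feed(html)
    return {href: findings(href, text) for href, text in parser.links}

# Constructed sample modelled on the e-mail and landing page described above.
SAMPLE = ('<p>A friend has sent you an ecard from <a href="http://64.34.149.37/">'
          '123greetings.com</a></p><meta http-equiv="refresh" content="0; '
          'url=http://64.34.149.37/GreetingCardNr0410112528543.flash.exe">')
```

Calling audit(SAMPLE) returns a dictionary keyed by target URL, each with its list of findings; an empty list means none of the three checks fired.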