October 2, 2012

Unsolicited Secret Admirers Via Email

Carl Leonard Principal Security Analyst

The Websense® ThreatSeeker® Network has detected an unsolicited email campaign in which love-struck or curious recipients may have their appetites whetted by the thought of a secret admirer. Although Websense customers are protected from this and other threats by ACE™, our Advanced Classification Engine, this post provides an insight into the campaign, which appears to be on the increase today.

The messages, sent from various Yahoo.com accounts, suggest that the sender has "to let you know how [they] feel" and provide an enticing Facebook link to "View Your Ecard".

As displayed above, a valid short Facebook URL is used which, in this case, redirects to hxxp://www.facebook.com/pages/32942390324/536822983001617?sk=app_190322544333196. This particular page, which appears to have been created today (October 1, 2012), makes use of a third-party Facebook app 'Static HTML App.' This app embeds the following code:

The code sends a 'signedRequest' string (as seen in the highlighted URL above), which then requests the desired content for rendering in the victim's browser. In this case, a basic JavaScript is delivered:

The victim's browser is then directed to a fake ecard site hxxp://readyourecard.com/viewmessage/?a=vip36 which, according to Whois data, was registered on September 20, 2012 by 'Liu Hongmei' in China:

At this point, the aim of the campaign becomes clear: Every link on the fake ecard page redirects to an affiliate landing page on the Adult Dating website AdultFriendFinder.com and, with affiliate earnings of up to $1 per unique visitor, you can easily see how such a campaign could become very lucrative!

This campaign appears to be financially driven, but it is conceivable that the same techniques could be used to direct victims to malicious sites. Given that the redirection starts from an innocent-looking Facebook page, users should consider themselves warned to tame their curiosity and not click on unsolicited links!

Carl Leonard

Principal Security Analyst

Carl Leonard is a Principal Security Analyst within Forcepoint X-Labs. He is responsible for enhancing threat protection and threat monitoring technologies at Forcepoint, in collaboration with the company’s global Labs teams. Focusing on protecting companies against the latest cyberattacks that...

Read more articles by Carl Leonard

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.