The Storm gang is casting its net once again, using “postcards” as bait in a recently discovered spam run, Trend Micro Senior Advanced Threats Researcher Paul Ferguson has reported.
Below is a screenshot of an email sample:

Clicking the link embedded in the message connects the user to any of the following domains:
- hxxp:// {BLOCKED}cardAdvertising.com/
- hxxp:// {BLOCKED}ettercard.com/
- hxxp:// {BLOCKED}ostcardArt.com/
- hxxp:// {BLOCKED}ostcardmail.com
- hxxp:// {BLOCKED}reetingcard.com/
- hxxp:// {BLOCKED}stcardOnline.com/
- hxxp:// {BLOCKED}ttercard.com/
The aforementioned domains display the following message:

When that page loads, it automatically redirects after three seconds, prompting the user to download a file named POSTCARD.EXE. Below is a screenshot of the displayed message:

The same file, POSTCARD.EXE, is also downloaded if the user clicks the "save it" link on the Web page. Trend Micro detects the file as TROJ_NUWAR.DDJ.
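The landing-page behaviour described above (a timed redirect to an executable, plus a manual "save it" link to the same file) is easy to spot in fetched HTML. The script below is an added example, not code from the Trend Micro post or its researchers: it runs a small detector over two constructed HTML samples that imitate the described page. The post does not say how the real page implemented its three-second delay, so the detector handles both a `<meta http-equiv="refresh">` and a JavaScript `setTimeout()` redirect; the sample HTML, the `EXECUTABLE_EXTS` list and the `max_delay` threshold are assumptions made for illustration.

```python
"""Flag landing pages that auto-redirect the visitor to an executable download.

Added example, not part of the original post. The HTML samples are constructed
to imitate the behaviour the post describes (redirect after three seconds to
POSTCARD.EXE, same file behind a "save it" link); they are not captured pages.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample using a meta refresh for the timed redirect (assumption:
# the post does not say which redirect mechanism the real page used).
SAMPLE_HTML = """
<html><head>
<meta http-equiv="refresh" content="3;url=POSTCARD.EXE">
</head><body>
<p>Your download will begin shortly. If it does not,
<a href="POSTCARD.EXE">save it</a> to your desktop.</p>
</body></html>
"""

# Constructed variant that uses JavaScript for the same trick.
SAMPLE_HTML_JS = """
<html><body>
<script>setTimeout(function(){ window.location = "/card/postcard.exe"; }, 3000);</script>
<a href="/card/postcard.exe">save it</a>
</body></html>
"""

# Assumed list of extensions worth treating as a direct executable download.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


class _Collector(HTMLParser):
    """Collect <a href> targets and <meta http-equiv="refresh"> contents."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.meta_refresh = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases attribute names for us
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh.append(a.get("content") or "")


def is_executable_url(url):
    """True when the URL path ends in one of the assumed executable extensions."""
    return urlparse(url).path.lower().endswith(EXECUTABLE_EXTS)


def find_timed_redirects(html):
    """Return [(delay_seconds, target)] for meta-refresh and setTimeout redirects."""
    c = _Collector()
    c.feed(html)
    found = []
    for content in c.meta_refresh:
        m = re.match(r"\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"]+)", content, re.I)
        if m:
            found.append((int(m.group(1)), m.group(2).strip()))
    # setTimeout(<callback>, <ms>) whose callback assigns to location
    for m in re.finditer(r"setTimeout\s*\((.*?),\s*(\d+)\s*\)", html, re.S):
        body, ms = m.group(1), int(m.group(2))
        loc = re.search(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", body)
        if loc:
            found.append((ms / 1000, loc.group(1)))
    return found


def find_executable_links(html):
    """Return every <a href> on the page that points at an executable."""
    c = _Collector()
    c.feed(html)
    return [h for h in c.links if is_executable_url(h)]


def assess(html, max_delay=10):
    """Classify a page: short timed redirect to an executable, or direct links."""
    quick = [(d, t) for d, t in find_timed_redirects(html)
             if is_executable_url(t) and d <= max_delay]
    links = find_executable_links(html)
    return {
        "auto_download": bool(quick),
        "redirect_targets": [t for _, t in quick],
        "manual_targets": links,
        "suspicious": bool(quick) or bool(links),
    }


if __name__ == "__main__":
    for name, page in (("meta", SAMPLE_HTML), ("js", SAMPLE_HTML_JS)):
        print(name, assess(page))
```

Run against the first sample, `assess()` reports `auto_download` true with `POSTCARD.EXE` as both the redirect target and the manual "save it" target; the JavaScript variant yields the same verdict for `/card/postcard.exe`. A URL filter that only inspects the link in the e-mail misses this stage, which is why the landing page itself is worth fetching and scoring.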
TrendLabs Advanced Threat Researcher Joey Costoya says it is plausible that the Storm gang keeps changing its techniques to evade spam filtering and URL blocking. Storm has been known to constantly change its social engineering lures; the most recent ones have been news of terrorists on social networking sites, economic issues, and fake videos of popular celebrities.
All related domains are now blocked by the Smart Protection Network.

August 5th, 2008 at 11:45 pm
[...] Aug 6th: Today I found more information on the spam messages at the Trend Micro Blog: http://blog.trendmicro.com/storm-uses-old-bait/. Took them some time though… Posted in Geek Talk, [...]