[SGVLUG] Social engineering done right...

Emerson, Tom Tom.Emerson at wbconsultant.com
Thu Mar 16 10:40:55 PST 2006


(meaning they got *me* to click on it...)

I got an e-mail with a subject of "postcard from a family member", which
was innocuous enough for me to open the message [though I couldn't think
of anyone who might send a "postcard", it wasn't entirely out of the
realm of "possible"].

The link went to a ".org" site, which (at one point in the past...) was
a bit more difficult to get unless you could reasonably "prove" you
weren't a commercial venture (though, come to think of it, we got
sgvlug.org pretty easily, I imagine...)  So this was enough for me to
click on it.

What *should* have tipped me off was that the "parameter" portion of the
link ended in "31337", but I didn't notice that until later.

Fortunately, I got an "are you sure you want to install and run..."
pop-up for a double-extension file: blah-blah-blah.gif.exe -- enough for
me to kill it and check into this further.

What I also didn't notice was the full site name was
"www2.postcards.org" -- while a little strange, I *have* seen "www2" as
a server name, so this makes me wonder: how did they manage this?  The
holders of "postcards.org" should be in charge of anything for the
domain, so injecting a new site should be rather difficult.

Nslookups show that "www" goes to 64.151.106.92, while "www2" goes to
64.151.106.108 (and reports itself as "aloha.postcards.org") -- while
this is a class-A network, it is possible that an ISP has sublet these,
but even still -- 92 & 108 are relatively close, almost too close to
support the claim that "postcards.org" has no control over the evil
clone site.  It sounds like the folks that run postcards.org could use a
security guru to lock down the errant server...

Tom

P.S. -- a Google search on "postcards.org virus" finds a disclaimer page
from postcards.org mentioning this happening in the past as cards from
"aunt edna", and now this new variant.
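The three tells Tom describes (a double-extension payload name, a "31337" marker in the query string, and an odd www2 host that resolves right next to the domain's real www host) are easy to encode as a quick link-triage script. The Python below is an added example written for this archive page; it is not Tom's code and not anything run by postcards.org or SGVLUG. The sample URL is constructed to match the description in the post (the real link was not quoted), and nslookup is replaced by a static table holding the two addresses Tom reported so the script runs offline.

```python
"""Link-triage heuristics for the postcard lure described in the post.

Added example, not from the original message. The URL and the DNS table
are constructed stand-ins; only the two IP addresses come from the post.
"""
import ipaddress
from urllib.parse import parse_qs, unquote, urlparse

# Extensions that execute on a 2006-era Windows box, and the "decoy"
# extensions that usually precede them in a double-extension filename.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "hta"}
DECOY_EXTS = {"gif", "jpg", "jpeg", "png", "txt", "pdf", "doc"}

# Constructed replacement for nslookup so the example runs offline.
# The two addresses are the ones reported in the post.
STATIC_DNS = {
    "www.postcards.org": "64.151.106.92",
    "www2.postcards.org": "64.151.106.108",
}

# Constructed sample link; the post only says it ended in "31337" and
# delivered blah-blah-blah.gif.exe from www2.postcards.org.
SAMPLE_URL = "http://www2.postcards.org/cards/blah-blah-blah.gif.exe?id=31337"


def is_double_extension(filename):
    """True for names like photo.gif.exe: a decoy extension followed by
    an executable one. Longer chains (a.b.gif.exe) also match."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    return (len(parts) >= 3
            and parts[-1] in EXECUTABLE_EXTS
            and parts[-2] in DECOY_EXTS)


def payload_names(url):
    """Every path segment and query value that might carry a filename."""
    parsed = urlparse(url)
    names = [unquote(seg) for seg in parsed.path.split("/") if seg]
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        names.extend(unquote(v) for v in values)
    return names


def registrable_domain(host):
    """Last two labels; fine for .org/.com, wrong for co.uk-style suffixes."""
    return ".".join(host.lower().split(".")[-2:])


def same_prefix(ip_a, ip_b, prefix=24):
    """Do the two addresses sit in the same /prefix block?"""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def triage(url, dns=STATIC_DNS):
    """Return (finding, detail) pairs; an empty list means nothing tripped."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    findings = []

    # 1. A filename that is really an executable behind an image suffix.
    for name in payload_names(url):
        if is_double_extension(name):
            findings.append(("double_extension", name))

    # 2. The "eleet" marker the post noticed only after the fact.
    if "31337" in parsed.query:
        findings.append(("leet_marker", parsed.query))

    # 3. A non-www host under the same domain: compare where it resolves
    #    against the domain's canonical www host.
    canonical = "www." + registrable_domain(host)
    if host != canonical and host in dns and canonical in dns:
        near = same_prefix(dns[host], dns[canonical])
        findings.append(("sibling_host",
                         f"{host}={dns[host]} {canonical}={dns[canonical]} "
                         f"same/24={near}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_URL):
        print(f"{kind:18} {detail}")
```

Run it and all three checks fire on the constructed link, while a plain `http://www.postcards.org/cards/aunt-edna.gif` trips none. The sibling-host check is the weakest of the three: two addresses in one /24 only tell you the hosts are likely on the same provider's block, which is a lead to follow up with whois and the domain owner, not proof that the domain holder runs both machines.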
