Warning over e-card spam scam

An e-card outfit has been accused of using a dubious social engineering trick to lure users into spamming all the contacts in their Outlook address book.

FriendGreetings.com has been sending out emails containing a link to its site. When a user clicks on it, they are invited to install an ActiveX control in order to view their e-card.

Two long end user licence agreements (EULAs) are then displayed which say that, by running the application, the user is giving permission for a similar email to be sent to all the contacts in their Outlook address book.

Several security companies including Integralis, MessageLabs and Sophos are warning that these EULAs will not be read by many visitors to the site, leading to a huge number of emails being sent.

Neither the email nor the program contain a virus and so may not be blocked by anti-virus software or firewalls. It is also open to debate whether FriendsGreetings.com is breaking the law.

Integralis said that since this spamming tactic has been employed once and is proving to be successful, it is likely that it will be copied and used again -- possibly to more damaging effect.

"Such methods of guerrilla marketing can pose a threat to an IT infrastructure by causing the mail server to flood as more and more employees open the link and download the software," the company said in a statement.

It added: "In this particular instance, the payload was not malicious but it would be easy to exploit the characteristics of this marketing exercise for just that purpose. In the run-up to the festive period, during which time the level of 'e-cards' being circulated will inevitably increase, companies need to be on guard against the potential threat that this poses to their organisation".

IT departments should warn users to read the terms of EULAs carefully before accepting them, Integralis said.

Have your say instantly, and see what others have said. Go to the Security forum.

Let the editors know what you think in the Mailroom.