E-card industry gets the message from fraudsters

Scammers flood e-mail in-boxes with fake greeting cards to lure users to malicious Web sites and hijack their PCs to use as botnets

The e-card industry began seeing some pretty unfriendly greetings this past June. That's when scammers started flooding e-mail in-boxes with fake greeting cards, trying to trick victims into clicking on links that would send them to malicious Web sites.

The goal is always the same: trick the victim into visiting an untrustworthy Web site, then try to hijack his or her computer and make it part of a larger "botnet" network that can be pressed into service for a variety of nefarious purposes. Often the e-card messages are extremely simple -- something like "Our Greeting System has a Labor Day card for you, go here to pick it up" -- but scammers have sent hundreds of millions of them over the past few months.

By July, Symantec tracked more than 250 million fake cards, and soon the mainstream press had picked up on the story. On August 23, "The Today Show" ran a segment highlighting the problem, warning its viewers to be wary of the cards they open.

All of that bad publicity has had at least a short-term effect on the public's willingness to use e-cards, according to Steve Ruschill general manager of Hallmark Interactive. "Overall we've probably seen a 10 percent decline in e-card sends," he said. "Within about a period of two weeks, especially when 'The Today Show' story hit... we just saw it kind of drop."

E-card use at Hallmark is starting to recover, and while the industry is now making some changes to respond to this problem, the fraud will probably not affect the e-card suppliers' bottom line, said Barbara Miller, a spokeswoman with The Greeting Card Association. "I'm not sure that it's having that much impact other than the real need for the industry to make sure that consumers are aware of how to avoid e-mail fraud," she said.

Certainly there has been customer confusion. During a three-week period around July, Miller found herself responding to more than 750 angry people who had received spam that purported to originate from her organization's Greetingcard.org domain. The Greeting Card Association is an industry organization that does not even send out e-cards, she noted.

Now two of the largest e-card distributors in the United States have begun forcing e-card senders to include their first and last names in an effort to make it easier for recipients to tell when these cards are coming from someone they know.

Late last week, AG.com's AmericanGreetings changed its e-cards to include the name and e-mail address of the sender in the body of the e-mail. "This basically just personalizes it so you know where the e-card is coming from, and so you know that it is a valid e-card," said Frank Cirillo, an AmericanGreetings spokesman.

Cirillo said that, unlike Hallmark, AmericanGreetings has not seen a drop in e-card usage over the past few months.

On Monday, Hallmark followed suit and is now forcing users to enter their first and last names in order to make it clear to the recipient that the card is really coming from a known sender.

Originally, Hallmark had intended to take things a step further and eliminate links in its e-cards altogether. In tests, Hallmark sent redesigned cards to recipients, telling them not to click on links, but to instead type in the Hallmark.com Web address and then enter a special code to retrieve their messages.

Ultimately, this didn't work out, however, after it confused some users, Ruschill said. That's because Web-based e-mail clients such as Gmail and Yahoo Mail recognize Web addresses and automatically insert clickable links when they see things like Hallmark.com in a message. "We had a totally manual process laid out," he said. "I appreciate what Google and Yahoo have done but on the other side, it was like, 'man it's really confusing.'"

The pain felt over the past few months by the greeting card industry shows how quickly scammers can undermine confidence in what has become a crucial communication tool for many industries.

Because this kind of malicious spam is usually sent from the compromised botnet computers themselves, it costs almost nothing to distribute. But it can take a toll on the reputation and, ultimately, the revenues of companies that are targeted.

"Companies have become more and more reliant upon the Internet and their Internet presence as a way to promote themselves and increase their revenues," said Dave Greenwood, vice president of technical operations with BD-Protect, a company that works with corporations, ISPs, and law enforcement to take down servers that are being used in fraud. "They see the Internet and their online presence as a very important part of their revenue stream, and they do not want to see that revenue stream put at risk."

Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies