MX Lab, http://www.mxlab.eu, noticed some emails with the subject “You’ve received A Carrefour Bank E-Card!” that could lead to a host with a malicious payload in the form of an executable.
The email is sent from the spoofed address “Carrefour <E-Cards@bank.com>” and has the following body:
You have just received a Carrefour E-Card.
To see it, click here,
There’s something special about that E-Card feeling. We invite you to make a friend’s day and send one.
Hope to see you soon,
Your friends at Carrefour
Your privacy is our priority. Click the “Privacy and Security” link at the bottom of this E-mail to view our policy.
The layout of the email has the traditional branding of Hallmark, but there seems to be a problem with the direct links to the images. They appear as broken images in our mail client.
The email has no attachment but contains a URL that points to the host where the malware is hosted: hxxp://hivefr2-21.fornex.org/Carrefour.exe.
At the time of writing, the URL did not respond to our request: “Safari can’t open the page “hxxp://hivefr2-21.fornex.org/Carrefour.exe” because the server where this page is located isn’t responding.”
It is possible that this campaign was set up badly, but please be advised that if you receive such messages you should move them to your trash. There is always a chance that the author will change the campaign later on and that the malicious payload becomes available for download.
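The traits described above (a brand display name on an unrelated sender domain, no attachment, and a link that points straight at an executable) can be checked at the mail gateway. The following Python sketch is an added example, not MX Lab's code; the sample message is constructed, its host is a placeholder, and the function name, finding labels and extension list are assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed list of extensions treated as directly executable on Windows.
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat")

# Constructed sample modelled on the message described above; placeholder host.
SAMPLE = """\
From: Carrefour <E-Cards@bank.com>
To: user@example.org
Subject: You've received A Carrefour Bank E-Card!
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>You have just received a Carrefour E-Card.</p>
<p>To see it, <a href="http://host.example.invalid/Carrefour.exe">click here</a>,</p>
</body></html>
"""

def check_message(raw):
    """Return a list of findings for one raw RFC 5322 message (hypothetical helper)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    brand = re.sub(r"[^a-z0-9]", "", display.lower())
    # Crude heuristic: a single-word display name (a brand) absent from the sender domain.
    if brand and " " not in display.strip() and brand not in re.sub(r"[^a-z0-9]", "", domain):
        findings.append("display-name-domain-mismatch")
    has_attachment = any(True for _ in msg.iter_attachments())
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    exe_links = [u for u in re.findall(r"""https?://[^\s"'<>]+""", text, flags=re.I)
                 if urlparse(u).path.lower().endswith(EXEC_EXT)]
    findings += ["link-to-executable:" + u for u in exe_links]
    # The pattern from this campaign: nothing attached, payload fetched via the link.
    if exe_links and not has_attachment:
        findings.append("no-attachment-remote-payload")
    return findings

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print(finding)
```

Because the check looks only at the link target and not at whether the host responds, it still flags the message while the download URL is offline.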