Tuesday, September 25, 2007



The New York Times has an article about electronic greeting cards, talking about their popularity and focusing on some of the more off-beat ones:

[...] According to the Internet research firm Media Metrix, the top 20 e-card sites in the country had approximately 29 million unique American visitors in July, the most recent month for which data is available. The most popular site, AmericanGreetings.com, had over 7 million hits that month.

In most cases, these e-card sites are deliberately courting mass appeal. “Our sites are popular with a broad range of consumers,” said Frank Cirillo, a spokesman for AG Interactive, the group that owns the e-card sites AmericanGreetings.com, Egreetings.com and BlueMountain.com. “Some of our cards are edgier than others, but for the most part, our material is family-friendly.”

What is not “family-friendly”, though, is the use of fake “you have an e-card” messages as a vector for expanding zombie networks. You’ve seen them, surely; here’s a recent one that I got (click it for a full-sized version):

E-card scam message
Yes, complete with the misspelling “recieved”, there it was, eminently plausible. It didn’t say who it was from, of course, but one would just think one was meant to go look at the “card” to see that. The row of text at the top was sent as images, loaded from and linked to the real Hallmark web site. The “send one” link and the row of links at the bottom also go to the real site. It’s only the one key link, the one in, “To see it, click here,” that’s bogus.

And that bogus link sends you to a web page that’s run by the scammer, in this case on a server in the Czech Republic. This one’s not even a sophisticated one: it attempts to directly run a Windows executable program, and so Windows — every version, even as old as Windows 95 — will actually ask permission to run it. You should say “no”, of course. But if you say “yes”, it will set your computer up on the scammer’s zombie network, and your computer will be among those sending out spam... and more fake e-card messages, designed to turn yet more computers into zombies.

The message, by the way, was not really sent “from” hallmark.com, though it says that in the message. It was really sent from a computer using a web hosting service based in the Dallas area. If you know what to look for, all this is easy to find.

But if you don’t know what to look for, how would you find it? If you got the message shown above, would you be sure you knew whether it was real or not? Maybe you’d notice the misspelling and suspect it from that. Maybe not. And if your birthday happened to be at the end of August, you might even be less likely to look at it with a critical eye.
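The checks described above (where each link really goes, and which machine handed the message over) can be run mechanically. The following is an added example, not code from the original post; the message text, the relay host name and the IP addresses are constructed placeholders standing in for the real message.

```python
import email, re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the message described in the post (placeholder hosts).
RAW = """\
From: Hallmark <postcards@hallmark.com>
Received: from web17.hosting.example (web17.hosting.example [192.0.2.44])
 by mx.recipient.example
Subject: You've recieved a Hallmark E-Card!
Content-Type: text/html; charset=us-ascii

<a href="http://www.hallmark.com/"><img src="http://www.hallmark.com/top.gif"></a>
<p>To see it, <a href="http://203.0.113.7/postcard.exe">click here</a>.</p>
<a href="http://www.hallmark.com/ecards">Send one</a>
"""

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        self.links += [v for k, v in attrs if tag == "a" and k == "href" and v]

def in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def audit(raw):
    msg = email.message_from_string(raw)
    # Domain the message claims to come from (the From header is trivially forged).
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    off = [u for u in collector.links if not in_domain(urlsplit(u).hostname, claimed)]
    # The topmost Received header is written by the recipient's own mail server.
    relay = re.search(r"from\s+(\S+)", (msg.get_all("Received") or [""])[0])
    relay_host = relay.group(1).lower() if relay else None
    return {
        "claimed_domain": claimed,
        "relay_host": relay_host,
        "relay_in_domain": in_domain(relay_host, claimed),
        "off_domain_links": off,
        "executable_links": [u for u in off if urlsplit(u).path.lower().endswith(".exe")],
    }

if __name__ == "__main__":
    print(audit(RAW))
```

A relay outside the claimed domain is a signal rather than proof, since legitimate senders often use third-party mail services; the off-domain link to an executable is the stronger indicator.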

Leave it to spam to ruin everything, eh?

As for me, it’s simple: I don’t care whether it’s “real” or not. I simply throw them away, unopened, unclicked. The truth is that I’ve never been much for greeting cards anyway, preferring someone’s own heartfelt sentiments to some packaged thing written by a drudge in an office, and that goes double for the electronic version. The Times tells us this:

For some repeat customers, these edgier e-cards have taken the place of a tossed-off text or e-mail message.

“I’ve started communicating more-or-less exclusively through Someecards because it says everything I’m thinking,” said Eric Kind, 34, an executive assistant at Lionsgate Television in Los Angeles, who sends upward of 50 cards a week from the site. “A friend from work sent me a card that said, ‘Sorry I thought you were gay.’ Now everyone I know is sending them.”

And yes, that’s really it: too many have gotten too lazy to take the trouble to send a personal note. But come on, surely it’s less time to write six or ten or seventeen words in an email message than it is to navigate the Someecards site to find the one that says, “Sorry I thought you were gay.” (Huh? That’s funny?)

Email’s made it easier than it’s ever been to drop a brief, personal line. And that personal touch from someone is worth more than a chorus of penguins singing to me from my computer.


Thomas J. Brown said...

I feel exactly the same way about greeting cards. My family is slowly beginning to learn that I really don't care to give them, preferring to make my own (which tend to be much more applicable to the recipient).

I've found that, especially lately, most greeting and e-cards just suck. They're not clever, they're not funny, and they're so broadly targeted that there's no personality to them. Every once in a while I find a pretty good one, but it's pretty rare.

This past Sunday was my grandmother's birthday. I could have sent her an e-card, but instead, I wrote a poem consisting of four lines that said exactly how I felt, and which applied directly to our situation.

D said...

I send and receive e-cards on occasion, and the legitimate ones always have some way of telling you who it was who sent it. That makes it pretty easy to distinguish what's spam. (And the good sites allow more than ample room for adding a nice personal note, which I always do.)

Maggie said...

I don't open e-cards and I don't enjoy hallmark holidays. I wish Mother's Day, Father's Day, etc., would just disappear. I also don't give cards, but I have children, so they make cards. They are usually personal and three-dimensional. M is fond of making pop-ups.

I recently received an e-card spam different from yours. It wasn't an e-card business I had heard of (granted, that isn't many), and it said the card was from a "friend," or something general like that. "A friend has sent you an e-card."

I don't know that I've ever read anything quite as pathetic as, "it says everything I'm thinking." Advertising companies should apparently just follow that guy around. Wow.

Julio César said...

Hmmm... I don't like the "traditional" greeting eCards either, that's why I usually send Apple's eCards.

You choose a picture (yours if you have an .Mac account) and put your personal message in it...

The only thing that bothers me is the Greetings from Cupertino "post stamp"...

nina said...

I am totally sending you a Hoops & YoYo card right this minute.

The Ridger, FCD said...

Well, I'll remember never to send you a card. I do send them - and I do write notes. I usually send both ecards and paper ones, and I write notes on both.

I don't open ecards from 'a friend' because the real sites tell you who sent it. Also, all you have to do is look at the URL when you mouse over.

Paul said...

My wife, who works for a major bank, routinely used an e-card site from work to send greetings to casual friends and co-workers. She had used it successfully for a couple of years. Suddenly, one day, one of the obligatory pop-up ads that accompany such sites fooled her into clicking 'ok' and her computer immediately began downloading hundreds of spyware/adware/malware utilities. Realising what she had done, she called IT right away, who told her to drop everything and immediately unplug the computer. No shut down - no nothing - just yank the fricking plug out of the wall. RIGHT NOW!!!

She was warned that she could have lost her job for the security breach. She doesn't use e-card sites anymore.

Barry Leiba said...

Ridger, you're more savvy than most people are about the mouse-over thing. Most don't know that they can do that, and many who do would not notice the bogus URL. And a determined attacker could do something like registering the domain name "hallmark.com" with Cyrillic "a" characters, which would look just like the real thing.
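A look-alike name of the kind described in the comment above is indistinguishable on screen but easy to tell apart in code. The following is an added example, not part of the original post or its comments; the `CONFUSABLES` table is a small constructed subset for illustration, not a complete confusables list.

```python
import unicodedata

# Constructed, partial map of Cyrillic letters that render like Latin ones.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o",
               "\u0440": "p", "\u0441": "c", "\u0445": "x"}

def scripts(label):
    """Scripts used by the letters of one DNS label, taken from Unicode character names."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def skeleton(host):
    """Replace known look-alike letters with their Latin twins."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host.lower())

def inspect_host(host, brand="hallmark.com"):
    labels = host.lower().split(".")
    # What DNS actually resolves: non-ASCII labels become "xn--" punycode.
    ascii_form = host.lower().encode("idna").decode("ascii")
    return {
        "ascii_form": ascii_form,
        "is_idn": ascii_form != host.lower(),
        "mixed_script_labels": [l for l in labels if len(scripts(l)) > 1],
        # Looks like the brand once look-alikes are folded, but is not the brand.
        "imitates_brand": skeleton(host) == brand and host.lower() != brand,
    }

if __name__ == "__main__":
    # "h\u0430llmark.com" uses Cyrillic U+0430 in place of the Latin "a".
    for h in ("hallmark.com", "h\u0430llmark.com"):
        print(repr(h), inspect_host(h))
```

Displaying or logging the `ascii_form` instead of the Unicode form makes the substitution visible, because the forged name no longer reads as the brand.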