Identity thieves have developed yet another scam to trap unsuspecting victims into revealing their passwords, login names, account numbers, and other personal information, without realizing they are doing so, just by opening an electronic greeting card.

Yes, the seemingly endless onslaught of cyber crime continues, this time via the innocent e-card – that which once was a nice surprise in the Inbox has become a gate to identity theft. Exploit Prevention Labs in Atlanta, GA reported today that company researchers have discovered a scam in which e-cards are used to install Keylogger software on the victim’s computer. The scam, which was executed by an Australian cyber criminal ring and is known as MDAC, involves sending to the user an e-card that appears to originate from a major online greeting card service. When the user clicks on the hyperlink to open the card, the browser is redirected to a exploit server, which checks to see if the computer has been updated with the latest security patches. If it hasn’t, the server installs a rootkit and keylogger, then redirects the computer on to an actual e-card. The user continues working on the computer, likely forgetting about the e-card. But from that point on, all keystrokes are being recorded and accessed by the attackers for use in identity theft.

The attacks are reported to have begun occurring last April, and Exploit Prevention Labs has confirmed that account holders at almost every bank in Australia have been exploited.
So how do you avoid an e-card scam? Experts at Microsoft recommend following a few basic guidelines to protect yourself:

1. Never download or click on anything from an unknown source.
2. Be wary of an e-mail message or file attachment from someone you don't know or that seems suspicious.
3. Install antivirus software and keep it updated. Remember that this particular scam is carried out on computers that did not have the latest security updates and patches installed.
4. Preview a link's Web address before you click it. If the link doesn't show an address, move your mouse pointer over a link without clicking it to see where the link goes. (The address should appear on the bottom bar of your Web browser.) If the link is odd or unfamiliar, don’t click it.

But what if you’re accustomed to getting regular e-cards? How do you differentiate between the real ones and the scam? According to www.Scambusters.org, tip-offs that the e-card is a fake include:

1. Spelling mistakes
2. Errors in the message
3. Unknown sender
4. The sender has an obviously fake name or an anonymous handle, such as “secret admirer”
5. A URL that appears odd -- e.g. www.http:// rather than http://www.

The site also recommends using a browser other than Internet Explorer, as IE is generally more vulnerable to attacks than other browsers. It is important to note that hackers have the ability to make an e-card or email look like it came from a reputable site, and even a friend or relative. If the e-card is sent by someone you know, it might be a good idea to contact them and confirm that they indeed sent it before you open it. Additionally, if it’s sent by a “secret admirer,” or other anonymous source, don’t take the chance

As the holidays approach, there will be plenty of cyber criminals taking advantage of the card-sending season by using this or a similar exploit to steal information. And, since excessive shopping is part and parcel of the Christmas holidays, be sure to keep careful track of your credit card purchases and only buy from reputable sites. Hackers may take advantage of the confusion that accompanies holiday online shopping by launching Phishing attacks and using stolen credit card information freely in a time when you might be least likely to notice it.