Holiday hangover: hackers using e-greeting cards to spread malware


GroupGreeting, a popular e-card site, was used to infect thousands of websites with malware this holiday season as part of a widespread cyberattack, Malwarebytes revealed on Thursday.

E-greeting card platforms are used by thousands of major companies to send digital cards to associates and clients each year.

Taking notice, savvy threat actors have taken advantage of the spike in visitor traffic over the holidays and have used these e-card platforms to spread malicious code infecting over 2,800 websites worldwide, in what threat researchers are now referring to as the “zqxq” campaign.


One of those compromised e-card sites is GroupGreeting, a popular digital greeting card platform that claims to be the world’s number-one service that enterprises use to deliver online greetings.

[Image: GroupGreeting site blocked by Malwarebytes. Image by Malwarebytes.]

With major brands using the e-card service, including Airbnb, Coca-Cola, and eBay, GroupGreeting has become a “lucrative target” for threat actors who know users are more likely to open links from trusted companies, the Malwarebytes blog said.

“GroupGreeting is used by more than 25,000 businesses and has sent out over 90,000,000 messages of appreciation in 195 countries,” the company website states.

Overall, malicious e-greeting card campaigns have “accounted for 43,106 detections in 2024,” the security researchers said.


Taking advantage of JavaScript injection

“The 'zqxq' attack takes advantage of trusted websites with high traffic… especially those with a seasonal increase in user interactions,” said Stefan Dasic, manager of research and response at Malwarebytes’ ThreatDown cybersecurity platform.


The malware injection campaign that originally compromised GroupGreeting, known as both “NDSW/NDSX” and “TDS Parrot,” has since been patched, but researchers say the latest ‘zqxq’ campaign “closely mirrors NDSW/NDSX-style malware behavior,” and believe the two overlap.

The cybercriminals are said to be injecting an “obfuscated JavaScript snippet,” designed to blend in with legitimate site files, into victims’ websites.

Both campaigns have been seen exploiting vulnerabilities in popular CMS platforms, such as WordPress, Joomla, or Magento, as well as outdated plugins.

These pieces of JavaScript code are not approved by the site’s developers and instead get “hidden within themes, plugins, or other critical scripts… using scrambled variables (e.g., zqxq) and custom functions (HttpClient, rand, token) to evade detection and hamper analysis,” Dasic explained.

[Image: malicious code found on GroupGreeting. Images by Malwarebytes.]

He noted that, as is typical in large-scale JavaScript injection campaigns, the malware was found capable of carrying out functions such as token generation and redirection, conditional checks and evasion, and remote payload retrieval.
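The indicators Dasic lists (a scrambled identifier such as zqxq, custom helpers named HttpClient, rand and token, redirection and remote payload retrieval) are the kind of thing a site owner can sweep theme and plugin directories for. The following scanner is an added illustration written for this article, not Malwarebytes' tooling or the campaign's code: the indicator names come from the article, while the scoring weights, file extensions and the two inert sample files are constructed assumptions.

```python
"""Heuristic scanner for injected-JavaScript indicators in CMS files.

Added example for this article, not Malwarebytes' tooling. Indicator names
(zqxq, HttpClient, rand, token) are quoted from the article; weights, scanned
extensions and the sample files below are constructed assumptions.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Indicators named in the article: a scrambled variable and custom helper functions.
SCRAMBLED_VARS = re.compile(r"\bzqxq\b")
CUSTOM_FUNCS = re.compile(r"\bfunction\s+(HttpClient|rand|token)\s*\(")
# Redirect and remote-fetch primitives are legitimate on their own, so they only
# add a little weight; they matter when they co-occur with the names above.
REDIRECT = re.compile(r"\b(?:window|document)\.location\b|location\.(?:href|replace)\b")
REMOTE_FETCH = re.compile(r"\b(?:XMLHttpRequest|fetch)\s*\(|\.open\s*\(\s*['\"]GET['\"]")
# A long unbroken base64/hex-looking literal is a cheap obfuscation tell.
LONG_BLOB = re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]")

SCANNED_EXT = {".js", ".php", ".html", ".htm"}  # assumption: where CMS injects land


@dataclass
class Finding:
    path: str
    score: int
    reasons: list = field(default_factory=list)


def score_source(text: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for the contents of one file."""
    score, reasons = 0, []
    if SCRAMBLED_VARS.search(text):
        score += 3
        reasons.append("scrambled identifier 'zqxq'")
    funcs = set(CUSTOM_FUNCS.findall(text))
    if len(funcs) >= 2:  # one of these names alone is common in real code
        score += 3
        reasons.append("custom helpers " + ", ".join(sorted(funcs)))
    if REDIRECT.search(text):
        score += 1
        reasons.append("location redirect")
    if REMOTE_FETCH.search(text):
        score += 1
        reasons.append("remote fetch")
    if LONG_BLOB.search(text):
        score += 2
        reasons.append("long opaque string literal")
    return score, reasons


def scan_tree(root: str, threshold: int = 4) -> list[Finding]:
    """Walk a CMS install and report files scoring at or above the threshold."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in SCANNED_EXT:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    score, reasons = score_source(fh.read())
            except OSError:
                continue
            if score >= threshold:
                findings.append(Finding(path, score, reasons))
    return sorted(findings, key=lambda f: -f.score)


# Constructed, inert samples: a clean theme script and one that merely carries
# the indicator names from the article (no working payload).
CLEAN_SAMPLE = "document.addEventListener('DOMContentLoaded', function () { initMenu(); });\n"
SUSPECT_SAMPLE = (
    "var zqxq = {};\n"
    "function HttpClient() { /* ... */ }\n"
    "function rand() { /* ... */ }\n"
    "function token() { /* ... */ }\n"
    "if (someCheck) { window.location = decoded; }\n"
)


def demo_scan() -> list[Finding]:
    """Write the two samples into a throwaway theme directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "site")
        os.makedirs(theme)
        with open(os.path.join(theme, "menu.js"), "w") as fh:
            fh.write(CLEAN_SAMPLE)
        with open(os.path.join(theme, "footer.js"), "w") as fh:
            fh.write(SUSPECT_SAMPLE)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo_scan():
        print(f.path, f.score, "; ".join(f.reasons))
```

The scanner is a triage aid, not a verdict: a legitimate minified library can trip the long-literal rule, so hits should be compared against a known-good copy of the theme or plugin before anything is deleted.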

Furthermore, once the malware activates in a user’s browser, it can redirect the victim to external domains that host secondary payloads. These payloads can range from phishing pages designed to steal credentials, to malicious info stealers or ransomware, the research found.

And because the attackers often generate random or “tokenized” URLs, it can be difficult for basic blocklists to keep pace, Dasic said.


“Malicious code can hide in multiple files or within the database. Deleting one infected file may not remove all traces, allowing reinfection to occur,” he added.

To protect against the 'zqxq' campaign and similar attacks, Malwarebytes recommends that organizations ensure all systems are up to date and patched accordingly. Organizations should also employ automated monitoring to flag any unauthorized file changes and have their users undergo regular security awareness training to understand potential risks.
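Dasic's point that the code can hide across several files and survive the deletion of one is why Malwarebytes' advice centres on automated monitoring for unauthorized file changes. The following baseline-and-diff check is an added example for this article, not a Malwarebytes product or the campaign's code; the directory layout and sample files are constructed assumptions.

```python
"""Baseline-and-diff file integrity check for a CMS document root.

Added example for this article, not Malwarebytes' tooling. The file layout
and contents used in demo() are constructed; point build_baseline() at a real
web root (e.g. a WordPress install) to use it.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file, streamed so large uploads do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def diff_baseline(baseline: dict[str, str], root: str) -> dict[str, list[str]]:
    """Compare the current tree with a stored baseline; report added, removed, modified."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


def save_baseline(baseline: dict[str, str], path: str) -> None:
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict[str, str]:
    with open(path) as fh:
        return json.load(fh)


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small install, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "site")
        plugin = os.path.join(root, "wp-content", "plugins", "seo")
        os.makedirs(theme)
        os.makedirs(plugin)
        with open(os.path.join(theme, "footer.js"), "w") as fh:
            fh.write("initFooter();\n")
        with open(os.path.join(plugin, "seo.php"), "w") as fh:
            fh.write("<?php // plugin code\n")
        baseline = build_baseline(root)

        # Simulate the pattern described in the article: an existing script is
        # appended to and a second file appears elsewhere in the tree.
        with open(os.path.join(theme, "footer.js"), "a") as fh:
            fh.write("/* constructed: appended content */\n")
        with open(os.path.join(plugin, "cache.js"), "w") as fh:
            fh.write("/* constructed: newly dropped file */\n")
        return diff_baseline(baseline, root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two practical notes: store the baseline JSON somewhere the web server's account cannot write, since anyone able to modify the web root could otherwise rewrite the baseline too, and remember that this only covers files. Content injected into the database (post bodies, option values) needs a separate check against known-good exports.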