The hackers were able to use the e-card to collect documents and other data from government workers, particularly those involved in computer crime investigation, according an AP report.
The holiday e-card prompted recipients to click on a link, which then downloaded Zeus malware. The malware was used to steal passwords and other credentials enabling the hackers to gain access to victims’ computer files and other data.
Analysts consulted by AP said that the e-card was sent out by a server in Belarus, and the hackers were able to steal at least several gigabytes worth of data.
The analysts said that while Zeus-related attacks are fairly common, this latest one stood out because of the use of the White House to lure recipients in and the targeted way it went after law enforcement.
Amy Kudwa, a spokeswoman for the Department of Homeland Security, said her department was aware of the fake e-card with the Zeus malware and was monitoring the situation.
One US official who did not want to be identified said that the code was poorly written. The hackers could only get easily accessible documents and not those filed deep within layers of folders on hard drives, said the official.