Massive faux-CNN spam blitz uses legit sites to deliver fake Flash
More than 1,000 hacked sites serving up phony update; Adobe issues warning
Computerworld - More than a thousand hacked Web sites are serving up fake Flash Player software to users duped into clicking on links in mail that's part of a massive spam attack masquerading as CNN.com news notifications, security researchers said today.
The bogus messages, which claim to be from the CNN.com news Web site, include links to what are supposedly the day's Top 10 news stories and Top 10 news video clips from the cable network. Clicking on any of those links, however, brings up a dialog that says an incorrect version of Flash Player has been detected and that tells users they needed to update to a newer edition, said Sam Masiello, vice president of information security at Denver-based security company MX Logic Inc.
One distinguishing feature of the attack, Masiello added, is the endless loop it uses to frustrate victims. If user clicks "Cancel" in the dialog that prompts for an update, another pop-up appears, said Masiello, that tells the victim that they have to download it to view the video. Clicking "Cancel" there returns the user to the first dialog.
"It puts you in this perpetual loop, so your only options are to kill your browser [session] or be browbeaten into installing it," said Masiello.
MX Logic has detected more than 160 million spam messages in the fake CNN.com attack in the past 48 hours, he said. "It's not slowed down at all," Masiello said.
Yesterday, Bulgarian security researcher Dancho Danchev reported finding more than 1,000 hacked sites hosting the fake Flash Player update.
Hackers are getting brazen and apparently aren't afraid to disclose the addresses of the sites they've compromised by embedding them in the spam they're spreading, he said. "Malicious attackers have been building so much confidence in this risk-forwarding process of hosting their campaigns, that they would start actively spamming the links residing within low-profile legitimate sites across the Web," Danchev said in a blog post on Tuesday.
Adobe Systems Inc. is aware of the malware posing as its Flash Player, and on Monday it warned users to ignore any updates that didn't originate on its own servers. "Do not download Flash Player from a site other than Adobe.com," said David Lenoe, the company's product security program manager, in an entry on Adobe Product Security Incident Response Team's PSIRT blog. "This goes for any piece of software (Reader, Windows Media Player, QuickTime, etc.) -- if you get a notice to update, it's not a bad idea to go directly to the site of the software vendor and download the update directly from the source. If the download is from an unfamiliar URL or an IP address, you should be suspicious."
People who approved the download of the bogus flash.exe file instead received a Trojan horse -- identified by multiple names, including Cbeplay.a -- that in turn "phones home" to a malicious server to grab and install additional malware, said Danchev.
Masiello said MX Logic is still investigating, and it has not been able to pin down what malware -- other than the fake Flash Player -- was actually installed on victims' PCs.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts