Massive faux-CNN spam blitz uses legit sites to deliver fake Flash

Computerworld - More than a thousand hacked Web sites are serving up fake Flash Player software to users duped into clicking on links in mail that's part of a massive spam attack masquerading as CNN.com news notifications, security researchers said today.

The bogus messages, which claim to be from the CNN.com news Web site, include links to what are supposedly the day's Top 10 news stories and Top 10 news video clips from the cable network. Clicking on any of those links, however, brings up a dialog that says an incorrect version of Flash Player has been detected and that tells users they needed to update to a newer edition, said Sam Masiello, vice president of information security at Denver-based security company MX Logic Inc.

One distinguishing feature of the attack, Masiello added, is the endless loop it uses to frustrate victims. If user clicks "Cancel" in the dialog that prompts for an update, another pop-up appears, said Masiello, that tells the victim that they have to download it to view the video. Clicking "Cancel" there returns the user to the first dialog.

"It puts you in this perpetual loop, so your only options are to kill your browser [session] or be browbeaten into installing it," said Masiello.

MX Logic has detected more than 160 million spam messages in the fake CNN.com attack in the past 48 hours, he said. "It's not slowed down at all," Masiello said.

Yesterday, Bulgarian security researcher Dancho Danchev reported finding more than 1,000 hacked sites hosting the fake Flash Player update.

Hackers are getting brazen and apparently aren't afraid to disclose the addresses of the sites they've compromised by embedding them in the spam they're spreading, he said. "Malicious attackers have been building so much confidence in this risk-forwarding process of hosting their campaigns, that they would start actively spamming the links residing within low-profile legitimate sites across the Web," Danchev said in a blog post on Tuesday.

Adobe Systems Inc. is aware of the malware posing as its Flash Player, and on Monday it warned users to ignore any updates that didn't originate on its own servers. "Do not download Flash Player from a site other than Adobe.com," said David Lenoe, the company's product security program manager, in an entry on Adobe Product Security Incident Response Team's PSIRT blog. "This goes for any piece of software (Reader, Windows Media Player, QuickTime, etc.) -- if you get a notice to update, it's not a bad idea to go directly to the site of the software vendor and download the update directly from the source. If the download is from an unfamiliar URL or an IP address, you should be suspicious."

People who approved the download of the bogus flash.exe file instead received a Trojan horse -- identified by multiple names, including Cbeplay.a -- that in turn "phones home" to a malicious server to grab and install additional malware, said Danchev.

Masiello said MX Logic is still investigating, and it has not been able to pin down what malware -- other than the fake Flash Player -- was actually installed on victims' PCs.

Read more about security in Computerworld's Security Knowledge Center.