Slashdot Mirror


Faux-CNN Spam Blitz Delivers Malicious Flash

CWmike writes "More than a thousand hacked Web sites are serving up fake Flash Player software to users duped into clicking on links in mail that's part of a massive spam attack masquerading as CNN.com news notifications, security researchers said today. The bogus messages, which claim to be from the CNN.com news Web site, include links to what are supposedly the day's Top 10 news stories and Top 10 news video clips from the cable network. Clicking on any of those links, however, brings up a dialog that says an incorrect version of Flash Player has been detected and that tells users they need to update to a fake newer edition, which delivers a Trojan horse — identified by multiple names, including Cbeplay.a — that 'phones home' to a malicious server to grab and install additional malware."

10 of 213 comments

  1. Ahhh, that explains it by Chris+Pimlott · · Score: 4, Interesting

    I was wondering why I was being spammed with such a seemingly innocuous message; I thought perhaps it was just a filter poisoning attempt.

    1. Re:Ahhh, that explains it by fbjon · · Score: 2, Interesting

      2008 replied, surprisingly they said Firefox gets stuck, but Opera doesn't.

      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.

  2. Re:WINDOWS ONLY. by oldspewey · · Score: 3, Interesting

    Here's a nickel, kid. Go get yourself a *real* operating system...

    I enjoy playing around with Linux. I have a couple spare partitions on my desktop machine where I'll install an interesting new distro when I have some time (right now I have Kubuntu and WinXP set up as dual-boot), and maybe learn a little something about package management or do some cool things in bash ... whatever, doesn't matter to me ... it's the exploring that's the important thing.

    You know what? Every time I read a post like the above, it turns me off Linux just a tiny bit.

    --
    If libertarians are so opposed to effective government, why don't they all move to Somalia?

  3. The future of Malware? by jeiler · · Score: 4, Interesting

    Cross-posted from my journal.

    And now we have the latest malware wave, where 1000+ legitimate sites have been hacked to serve a fake Flash player. This is going to seriously hurt CNN's reputation (and ad revenue), as a lot of folks are going to set their mail servers to delete stuff that even mentions CNN. Worse yet, it's going to put a serious hurting on the 1000+ hacked sites: CNN has enough goodwill and trust built up that it will survive the onslaught, but the "other victims" may end up blacklisted by a lot of folks.

    Most malware authors have learned not to crap in their own bed: the days of a virus that wiped your files are fading; now we have malware that more-or-less leaves your files alone, but uses your connection to send spam or do DoS attacks. If they make the attack less blatant, it's less likely to be discovered and cleaned up.

    While the malware authors may be trying to stay quiet on the PC, they sure don't mind hurting companies ... and that hurts the internet as a whole. As much as some in the geek community may dislike it, the Internet is paid for by commerce--internet sales, services, and subscriptions indirectly pay for the infrastructure we all use. If these small companies are hurt by spammers and malware authors, then the small companies may be less willing to maintain an internet presence--which means there will be fewer people who pay the ISPs to maintain and improve the infrastructure.

    There are a lot of contingent statements in the above paragraph, and maybe I'm getting more worried than I should be, but I have to wonder: how long will it be until spammers, scammers, and other low-grade shits ruin the Internet for everyone?

    --

    If you haven't been down-modded lately, you aren't trying.

    Sacred cows make the best hamburger.

    1. Re:The future of Malware? by jeiler · · Score: 2, Interesting

      The internet ceasing to be a content-agnostic delivery system for bits would be the real tragedy.

      This is starting to wander off-topic, but the Internet has never been "content agnostic"--and the WWW is even less so. At least since the advent of the "commercial Internet," and even to some extent on the pre-commercial "academic internet," content (and locations) is vetted by the administrators of the various service providers. Back in the days of the academic Internet--your sysop doesn't like netnews? He can tell the college administrators "It's full of porn," block port 119, and there's not a damn thing most users could do about it. Worse yet--your sysop has a beef against Indiana State University? He can block the whole domain, and you have to go outside your school's network to get there.

      Now in the days of the "Commercial Internet," it's even worse. Most providers treat it as a business instead of content-agnostic media--well, that's completely understandable, given that it is a business. And by treating the Internet as a business, blocking (or even simply refusing to support) things like Usenet actually saves them money, making them more profitable.

      Now come the spammers, and how do the local ISPs react? Do they block the offending websites? If so, do they take the time to weed through and block the specific pages, or do they just do a quick-and-dirty block of the name or IP range? The second takes less time and effort--which means less expense.

      I dunno. Maybe registrar is right, and I'm just doom-and-glooming. But I'm sick and tired of the "content-agnostic delivery system" being hijacked by the very people who I pay money each month to be able to use the damn thing.

      --

      If you haven't been down-modded lately, you aren't trying.

      Sacred cows make the best hamburger.

  4. Re:Lawsuit? by trawg · · Score: 3, Interesting

    It's certainly a good advertisement for digitally signed email.

    I realise digital signatures are still beyond the reach of most people that use email, but for those of us that actually know what they are and how to use them, it's a pretty decent solution to this problem - at least for people that want to receive email from CNN.

    1) Sign up to CNN for emails
    2) Enter your public key in your CNN alerts profile
    3) Configure your mail client in such a way as to only accept email purporting to be from CNN that is digitally signed
    4) For any email from CNN that is digitally signed, verify the signature - if it matches, accept it; if it doesn't, throw it in the spam pile.
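
The four-step policy above, worked through as an added example (not code from the original comment or from CNN): a client-side filter that keeps a public key per sender address, and for any mail claiming such a sender accepts it only when an Ed25519 signature over the From address and body verifies. The sender address, message text and key pair are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

type Verdict string
const (
	Accept   Verdict = "accept"    // key on file and the signature verifies
	SpamPile Verdict = "spam-pile" // key on file but the signature is missing or bad
	NoPolicy Verdict = "no-policy" // sender unknown to the policy; left to other filters
)
// Policy maps a sender address to the public key the user registered for it (step 2).
type Policy map[string]ed25519.PublicKey
func addr(from string) string { return strings.ToLower(strings.TrimSpace(from)) }
// signedBytes binds the From address to the body, so a genuine signature cannot be
// replayed under a different body or a different sender.
func signedBytes(from string, body []byte) []byte {
	return append([]byte("From: "+addr(from)+"\n\n"), body...)
}
// Classify is steps 3 and 4: mail claiming a sender with a key on file is accepted
// only if the signature verifies; a missing or failing signature goes to the spam pile.
func Classify(p Policy, from string, body, sig []byte) Verdict {
	key, ok := p[addr(from)]
	if !ok {
		return NoPolicy
	}
	if !ed25519.Verify(key, signedBytes(from, body), sig) {
		return SpamPile
	}
	return Accept
}
// Sign is the sender's side (hypothetical: the alert service signing each message).
func Sign(priv ed25519.PrivateKey, from string, body []byte) []byte {
	return ed25519.Sign(priv, signedBytes(from, body))
}
// NewKeyPair makes a throwaway Ed25519 key pair for the demo.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if the OS RNG does
	return pub, priv
}
func main() { // constructed demo; the sender address is a placeholder, not CNN's real one
	pub, priv := NewKeyPair()
	p, body := Policy{"alerts@cnn.example": pub}, []byte("CNN.com Daily Top 10 ...")
	sig := Sign(priv, "alerts@cnn.example", body) // accept, spam-pile, spam-pile, no-policy
	fmt.Println(Classify(p, "alerts@cnn.example", body, sig), Classify(p, "alerts@cnn.example", body, nil), Classify(p, "alerts@cnn.example", []byte("tampered"), sig), Classify(p, "friend@example.net", body, nil))
}
```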

  5. Re:snooze by edalytical · · Score: 4, Interesting

    It's not a Windows problem nor is it a user problem. BTU (blame the user) is easy to toss around for us geeks, but it really masks the true issue here.

    That is, users have been trained to install browser plugins by content providers. These so-called content providers only want to control their content; it's inconsequential to them that they're also exerting control over their viewers. It's also ironic that the mindless stride to control viewers has led that control into the hands of even more dishonest criminals.

    In a sense most content provider plugins are trojans themselves. That is, they tell the user they'll provide the ability to view their content, but what they really do is take functionality out of the software and take control away from the user.

    This trojan is possible because installing a trojan is an accepted Internet practice. Quick, raise your hand if you have RealPlayer installed. Ideally a browser is all anyone needs to view the web, but at some point during commercialization of the Internet the community took a step in the wrong direction: Flash, RealPlayer. Barf. Don't you see, the problem is clearly not the users' fault.

    The problem, in fact, lies with the likes of Adobe, Real and Microsoft for creating stupid crap like Flash, RealPlayer, Silverlight then demanding users install these without thought to view content. If there were nice standards that provided the functionality of these plugins in the browser this would be a non-issue -- the trojan would never have been created.

    --
    Win a signed Stephen Carpenter ESP Guitar from the Deftones: http://def-tag.com/?r=0008781

  6. Re:I started seeing this at work 2 days ago... by DigiShaman · · Score: 2, Interesting

    I cleaned up 8 or 9 PCs this July with XP Antivirus 2008 and 2009. Don't be fooled. That fucker causes all sorts of hell. It removes display window tabs such as screen savers and background. It does this to prevent you from rooting it out of the system. I've also seen it modify logon registry settings. Clear it out and the infected files, and you will send the machine into an endless log-on / log-off mode.

    I found AVG to be very effective at removing the hidden crap. So far, this malware has slipped past Symantec, McAfee, and Trend Micro (all corporate editions).

    --
    Life is not for the lazy.

  7. Spam, spam, spam, spam... by Deven · · Score: 2, Interesting

    This is a REALLY aggressive spam campaign. I never received a message with the subject of "CNN.com Daily Top 10" until 2 days ago at 1:49 PM. Since then, I have received 1,799 of these messages and counting. Of course, I get spammed to death already -- my email address (deven@ties.org) has been public for many years, and I don't even hide it here on Slashdot, even though it really is my primary email address. Spam has grown to the point where I am receiving over 10,000 messages every single day. (Yes, that's about a million messages in 3 months.)

    On a separate note, I received an email yesterday with the title "Action required to avoid account access interruption" -- and it was actually a legitimate email! I receive such emails daily from phishing attempts, but this one was actually sent to me by TD Ameritrade.

    It's a sad state of affairs when it's the legitimate email that comes as a surprise.

    --

    Deven

    "Simple things should be simple, and complex things should be possible." - Alan Kay

  8. Mail reader flaw by wytcld · · Score: 3, Interesting

    Why don't all mail readers which display html simply do what Slashdot does - show the real site linked to in brackets next to whatever text is in the link, like "cnn.com [http://somewhere.de]" - perhaps with highlighting when both look like URLs, but they don't match? That would kill so many phishing attempts.

    --
    "with their freedom lost all virtue lose" - Milton
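
The display rule proposed above, as an added example that is not part of the original comment or of any mail reader: every anchor in an HTML mail body is rewritten as "text [href]", and a marker is appended when the visible text names one site but the href resolves to another. Hosts are taken from the parsed URL so an href of the form "http://cnn.com@evil.example/" is attributed to evil.example; the sample mail snippet in main is constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)
var (
	anchorRe = regexp.MustCompile(`(?is)<a\s[^>]*?href\s*=\s*"([^"]*)"[^>]*>(.*?)</a>`)
	tagRe    = regexp.MustCompile(`<[^>]*>`)
	// Link text that names a site: optional scheme, a dotted host, optional path.
	textHostRe = regexp.MustCompile(`(?i)^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#].*)?$`)
)
func norm(host string) string { return strings.TrimPrefix(strings.ToLower(host), "www.") }
// HrefHost is where a link really goes, read from the parsed URL (userinfo is not the host).
func HrefHost(href string) string {
	u, err := url.Parse(strings.TrimSpace(href))
	if err != nil {
		return ""
	}
	return norm(u.Hostname())
}
// TextHost is the site the visible text claims, or "" for text such as "Top 10 stories".
func TextHost(text string) string {
	if m := textHostRe.FindStringSubmatch(strings.TrimSpace(tagRe.ReplaceAllString(text, ""))); m != nil {
		return norm(m[1])
	}
	return ""
}
// Annotate rewrites every anchor as "text [href]" the way Slashdot does and appends a marker
// when the text names one site but the href goes elsewhere (a subdomain of the claimed site is fine).
func Annotate(html string) (string, []string) {
	var flagged []string
	out := anchorRe.ReplaceAllStringFunc(html, func(a string) string {
		m := anchorRe.FindStringSubmatch(a)
		href, text := m[1], strings.TrimSpace(tagRe.ReplaceAllString(m[2], ""))
		if c, t := TextHost(text), HrefHost(href); c != "" && t != "" && c != t && !strings.HasSuffix(t, "."+c) {
			flagged = append(flagged, href)
			return fmt.Sprintf("%s [%s] !! LINK TEXT DOES NOT MATCH TARGET !!", text, href)
		}
		return fmt.Sprintf("%s [%s]", text, href)
	})
	return out, flagged
}
func main() { // constructed sample in the shape of the fake CNN alert described above
	out, flagged := Annotate(`<a href="http://somewhere.example/flash">cnn.com</a> and <a href="http://www.cnn.com/">www.cnn.com</a>`)
	fmt.Println(out, "\nflagged:", flagged)
}
```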