Slashdot Mirror
Faux-CNN Spam Blitz Delivers Malicious Flash
CWmike writes "More than a thousand hacked Web sites are serving up fake Flash Player software to users duped into clicking on links in mail that's part of a massive spam attack masquerading as CNN.com news notifications, security researchers said today. The bogus messages, which claim to be from the CNN.com news Web site, include links to what are supposedly the day's Top 10 news stories and Top 10 news video clips from the cable network. Clicking on any of those links, however, brings up a dialog that says an incorrect version of Flash Player has been detected and that tells users they needed to update to a fake newer edition, which delivers a Trojan horse — identified by multiple names, including Cbeplay.a — that 'phones home' to a malicious server to grab and install additional malware."
I was wondering why I being spammed with such a seemingly innocuous message, I thought perhaps it was just a filter poisoning attempt.
it took me quite a while to figure out why this would be effective spam.
Then I had a look a the HTML view. Quite insidious.
It provides what looks like a linkified http://www.cnn.com/xxxxxxx that actually referrs to a different url.
There is another similar one pushing 'IE 7 is now available for download' from 'Microsoft'.
ya.. right...
---- Booth was a patriot ----
Too bad nobody is ever going to find the folks responsible for this. Pretty much any email that even has the letters "cnn" in it will go in the trash now. Do you think any email of a forwarded story from the CNN site would possibly get through today? Next week? It wouldn't surprise me if CNN.com ad rates took a nosedive because of this as well. Who wants to go to "the spammer" web site?
This is the sort of extremely bad PR that CNN would be well within their rights to sue the pants off of whoever started this nonsense. Unfortunately, it probably originated somewhere that doesn't care about US companies, US laws or what people think about spam. Also, how exactly would you prove where it came from?
Hope someone is getting paid real good for this. I don't think this can put CNN out of business, but it is certainly going to hurt real bad.
It's not a Windows problem, per se; the fact that it installs malware on Windows computers is functionally irrelevant.
PEBKAC- Problem Exists Between Keyboard and Chair.
There's absolutely no reason such a functionally identical attack would not work against any operating system you care to name, or even a theoretically perfect operating system were one to be invented.
Programs the user executes run in the user's security context. If you can trick the user, you can do whatever the user can do, or in this case, install malicious software.
"It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
Here's a nickel, kid. Go get yourself a *real* operating system...
I enjoy playing around with Linux. I have a couple spare partitions on my desktop machine where I'll install an interesting new distro when I have some time (right now I have Kubuntu and WinXP set up as dual-boot), and maybe learn a little something about package management or do some cool things in bash ... whatever, doesn't matter to me ... it's the exploring that's the important thing.
You know what? Every time I read a post like the above, it turns me off Linux just a tiny bit.
If libertarians are so opposed to effective government, why don't they all move to Somalia?
Companies doing business on the web have curtailed the functionality of email correspondence, and often tell consumers the only safe method is to visit their site and log in. Acquiring software isn't much different, get it from the source. Personally, I find the incessant requirement of plug-ins to be breaking the web when no alternative (text) is offered. /Get off my lawn!
Of course you can also run Windows and avoid doing unsafe, stupid things. That usually works.
Since I'm on a 3270 terminal to an OS/390 box the size of your house right now, here's your nickel back, and a check for $50.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
It's hard to write a trojan that runs on multiple operating systems. They would need to write multiplatform trojans, and for now only Windows has the dominance to ensure profitability.
Not that it isn't possible; Adobe after all has Flash for both Mac and Windows PCs.
GPL Deconstructed
I can see the headline now: "We're not spamming you (really)"
Cross-posted from my journal.
And now we have the latest malware wave, where 1000+ legitimate sites have been hacked to serve a fake Flash player. This is going to seriously hurt CNN's reputation (and ad revenue), as a lot of folks are going to set their mail servers to delete stuff that even mentions CNN. Worse yet, it's going to put a serious hurting on the 1000+ hacked sites: CNN has enough goodwill and trust built up that it will survive the onslaught, but the "other victims" may end up blacklisted by a lot of folks.
Most malware authors have learned not to crap in their own bed: the days of a virus that wiped your files are fading; now we have malware that more-or-less uses your files alone, but uses your connection to send spam or do DoS attacks. If they make the attack less blatant, it's less likely to be discovered and cleaned up.
While the malware authors may be trying to stay quiet on the PC, they sure don't mind hurting companies ... and that hurts the internet as a whole. As much as some in the geek community may dislike it, the Internet is payed for by commerce--internet sales, services, and subscriptions indirectly pay for the infrastructure we all use. If these small companies are hurt by spammers and malware authors, then the small companies may be less willing to maintain an internet presence--which means there will be less people who pay the ISPs to maintain and improve the infrastructure.
There are a lot of contingent statements in the above paragraph, and maybe I'm getting more worried than I should be, but I have to wonder: how long will it be until spammers, scammers, and other low-grade shits ruin the Internet for everyone?
If you haven't been down-modded lately, you aren't trying.
Sacred cows make the best hamburger.
Of course that's true in general (Java, perhaps?) but that's not really the issue, although it is an argument for systems diversity in general as opposed to any kind of monoculture.
The issue is that users are stupid. They will remain stupid regardless of what kind of operating system you plunk them in front of, and for my money I'd much rather Microsoft (or antivirus vendors or whomever else) spend their time working to fix actual holes- security flaws that can be exploited without exploiting the vulnerability of the user's stupidity.
Because, to be honest, the security flaw that is the user's intelligence or lack thereof is not something that Microsoft can, or should, fix.
"It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
Is it really? I've owned many Windows computers over the past 20 years and I've never had any problems with security. Well, there was that one floppy in the early 90s I accidentally booted off of...
There's 8 Windows boxes here on my den right now. Three servers, two laptops and three workstations. None of them are pwned, rooted, infected, trojaned or otherwise compromised. And they've never been. None of my Server 2003 colo boxes have ever been compromised either. I'm curious, what do you find difficult about securing Windows?
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
This spam helped me find a bug in my procmail recipe - this was sent to my Sourceforge email address (never had spam there before), and was forwarded on to Google which bounced it as an illegal attachment. Kudos to Google for being on the ball.
The 1,200 recursive bounce messages that ensued were no-one's fault but my own. :)
Everyone knows that damage is done to the soul by bad motion pictures. -Pope Pius XI
MyDoom, which holds the record for fastest-spreading worm ever, did so through email and required significant user action.
Statistically, there are about as many of those as there are normal desktop computer users for the platform, since most of these attacks rely on social engineering (as opposed to actual vulnerabilities) to succeed. So the lack of malware for your platform is not due to its inherent superiority, but to the size of its installed base. Windows may have more attack vectors than Linux or OS X, but that doesn't mean that they can be avoided with $0.05 worth of simple common sense.
No, that's why I asked you the question. It's not at all. If it were, those 100K machine botnets would have 100 million zombies instead, and that's not the case, is it? Or do you figure the malware vendors are just not interested in a potential pool of that size? By most measures there's about a billion computers in the planet running some version of Windows.
Oh, sure. But there's no need to be quippy about it. That happened almost 20 years ago, and it was the first and last time any of my systems were compromised. I guess I'm a good learner.
And by the way, "superior ability" is not needed at all. Just patch your boxes and don't download or run stuff from untrusted sources. That should take care of about 99.99% of all your problems. And that's true of any OS.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
It's not a Windows problem nor is it a user problem. BTU (blame the user) is easy to toss around for us geeks, but it really masks the true issue here.
That is, user have be trained to install browser plugins by content providers. These so-called content providers only want to control their content, it's inconsequential to them that they're also exerting control over their viewers. It's also ironic that the mindless stride to control viewers has led that control into the hands of even more dishonest criminals.
In a sense most content provider plugins are trojans themselves. That is, they tell the user they'll provide the ability to view their content, but what they really do is take functionality out of the software and take control away from the user.
This trojan is possible because installing a trojan is an accepted Internet practice. Quick raise you hand if you have RealPlayer installed. Ideally a browser is all anyone needs to view the web, but at some point during commercialization of the Internet the community took a step in the wrong direction: Flash, RealPlayer. Barf. Don't you see, the problem is clearly not the users fault.
The problem, in fact, lies with the likes of Adobe, Real and Microsoft for creating stupid crap like Flash, RealPlayer, Silverlight then demanding users install these without thought to view content. If there were nice standards that provided the functionality of these plugins in the browser this would be a non-issue -- the trojan would never have been created.
Win a signed Stephen Carpenter ESP Guitar from the Deftones: http://def-tag.com/?r=0008781
Not even Apple users have the same problem. Users of other OS have been conditioned to get their software from a place they can trust. Free software users have learned not to trust non free software like Flash itself.
So where do Apple users get their Flash updates from then?
It's unfair. I clicked the link in the email, and it told me to update flash, but the flash updater I downloaded from their site doesn't work on my computer.
:(
How am I supposed to see the CNN videos if they don't make a linux version? Linux sux, I'm going back to windows.
RebateFX.com - Spread rebates for Forex traders
Why don't all mail readers which display html simply do what Slashdot does - show the real site linked to in brackets next to whatever text is in the link, like "cnn.com [http://somewhere.de]" - perhaps with highlighting when both look like urls, but they don't match? That would kill so many phishing attempts.
"with their freedom lost all virtue lose" - Milton
Pleas God, no. Nobody wants Wolf flashing us.
/ \
\ / ASCII ribbon campaign for peace
x
/ \