Slashdot Mirror

← Back to Stories (view on slashdot.org)

Faux-CNN Spam Blitz Delivers Malicious Flash

Posted by samzenpus on from the careful-what-you-click dept.

CWmike writes "More than a thousand hacked Web sites are serving up fake Flash Player software to users duped into clicking on links in mail that's part of a massive spam attack masquerading as CNN.com news notifications, security researchers said today. The bogus messages, which claim to be from the CNN.com news Web site, include links to what are supposedly the day's Top 10 news stories and Top 10 news video clips from the cable network. Clicking on any of those links, however, brings up a dialog that says an incorrect version of Flash Player has been detected and that tells users they needed to update to a fake newer edition, which delivers a Trojan horse — identified by multiple names, including Cbeplay.a — that 'phones home' to a malicious server to grab and install additional malware."

7 of 213 comments (clear)

  1. I got one of these by Anonymous Coward · · Score: 5, Informative

    it took me quite a while to figure out why this would be effective spam.

    Then I had a look a the HTML view. Quite insidious.

    It provides what looks like a linkified http://www.cnn.com/xxxxxxx that actually referrs to a different url.

  2. IE7 Scam by nurb432 · · Score: 5, Funny

    There is another similar one pushing 'IE 7 is now available for download' from 'Microsoft'.

    ya.. right...

    --
    ---- Booth was a patriot ----
  3. Lawsuit? by cdrguru · · Score: 5, Insightful

    Too bad nobody is ever going to find the folks responsible for this. Pretty much any email that even has the letters "cnn" in it will go in the trash now. Do you think any email of a forwarded story from the CNN site would possibly get through today? Next week? It wouldn't surprise me if CNN.com ad rates took a nosedive because of this as well. Who wants to go to "the spammer" web site?

    This is the sort of extremely bad PR that CNN would be well within their rights to sue the pants off of whoever started this nonsense. Unfortunately, it probably originated somewhere that doesn't care about US companies, US laws or what people think about spam. Also, how exactly would you prove where it came from?

    Hope someone is getting paid real good for this. I don't think this can put CNN out of business, but it is certainly going to hurt real bad.

    1. Re:Lawsuit? by dedazo · · Score: 5, Insightful

      Considering how difficult and expensive it is to track down, indict and convict spammers and malware peddlers (not to mention they later tend to escape and commit suicide), I doubt CNN has the time or energy to do this.

      You're never going to fix people's stupidity, which is ultimately the root of the problem.

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  4. Re:snooze by Atlantis-Rising · · Score: 5, Insightful

    It's not a Windows problem, per se; the fact that it installs malware on Windows computers is functionally irrelevant.

    PEBKAC- Problem Exists Between Keyboard and Chair.

    There's absolutely no reason such a functionally identical attack would not work against any operating system you care to name, or even a theoretically perfect operating system were one to be invented.

    Programs the user executes run in the user's security context. If you can trick the user, you can do whatever the user can do, or in this case, install malicious software.

    --
    "It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
  5. Re:WINDOWS ONLY. by dedazo · · Score: 5, Insightful

    How many Windows viruses, trojans, and other malware programs are there successfully spreading in the wild?

    MyDoom, which holds the record for fastest-spreading worm ever, did so through email and required significant user action.

    OK, now how many Linux, BSD, or OS X viruses, trojans, other malware programs are successfully spreading in the wild? ZERO, ZILCH, NADA, ZIP.

    Statistically, there are about as many of those as there are normal desktop computer users for the platform, since most of these attacks rely on social engineering (as opposed to actual vulnerabilities) to succeed. So the lack of malware for your platform is not due to its inherent superiority, but to the size of its installed base. Windows may have more attack vectors than Linux or OS X, but that doesn't mean that they can be avoided with $0.05 worth of simple common sense.

    So you tell me: How difficult is it to secure Windows? Must be damn near impossible.

    No, that's why I asked you the question. It's not at all. If it were, those 100K machine botnets would have 100 million zombies instead, and that's not the case, is it? Or do you figure the malware vendors are just not interested in a potential pool of that size? By most measures there's about a billion computers in the planet running some version of Windows.

    You even admit that despite your self-proclaimed superior ability to secure Windows, you were still a victim of a trojan.

    Oh, sure. But there's no need to be quippy about it. That happened almost 20 years ago, and it was the first and last time any of my systems were compromised. I guess I'm a good learner.

    And by the way, "superior ability" is not needed at all. Just patch your boxes and don't download or run stuff from untrusted sources. That should take care of about 99.99% of all your problems. And that's true of any OS.

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  6. Linux Sux by Jafar00 · · Score: 5, Funny

    It's unfair. I clicked the link in the email, and it told me to update flash, but the flash updater I downloaded from their site doesn't work on my computer.

    How am I supposed to see the CNN videos if they don't make a linux version? Linux sux, I'm going back to windows. :(

    --
    RebateFX.com - Spread rebates for Forex traders