Spammers Leverage Battle in Gaza, CNN - Page 2

Page 2 of 2

Remember the Storm Worm attacks?

This is comparable to the 2007 Storm Worm attacks in terms of volume, Touchette said. "However, this latest attack is even more dangerous, because, unlike the Storm worm, which had a malicious e-mail attachment, this one uses social engineering through the pop-up," he added.

The quality of the e-mail subject lines, their body copy and the fake CNN news site were all very high, Touchette said. "The whole thing was very professional looking and could even trick people who are quite vigilant," he said. "Unlike last year, when they used ridiculous headlines, this time they're using real headlines."

Last year's presidential campaign generated a flood of e-mail spams, many with poorly worded headlines that contained spelling and grammatical errors such as McCane vs Obama, war started.

The SSL stealing Trojan used in this fake CNN news attack will work even on secure sites because it sits within the browser, rendering security ineffective, RSA's Brady said. It captures the financial and personal information of its victims.

This is the second time news that secure Web sites may not be as safe as believed has surfaced in recent weeks. Late last month, researchers disclosed that they had found a flaw in MD5, or Message-Digest algorithm 5 , a cryptographic technique used in various security applications, that let them create fake digital certificates. This triggered a rush within the industry to redress the problem.

In response, VeriSign to switch its MD5-based certificates to another security algorithm, SHA-1, and led Microsoft and Mozilla to work with affected certification authorities to ensure they update their issuing processes.

RSA's Brady warned that spammers will use increasingly sophisticated and devious techniques this year. "They're showing more understanding of the end user experience and what end users may key into," he said. "End users must continue to exercise great caution."