In a particularly cynical move, spammers are sending out e-mails purporting to be about the fighting in Gaza, which has drawn international attention because of the hundreds of civilian casualties.
The spams, which appear to be news items from CNN, contain news about the fighting and a link to a fake CNN news site. Recipients who click on the link see a pop-up message urging them to install an upgrade to Adobe Flash Player 10.
Those who try to download the Flash upgrade get an SSL-stealing Trojan installed on their computer that can penetrate secure Web sites.
In a blog post today, CNN.com executive producer Rena Golden warned that the message is fraudulent and did not come from CNN. She urged readers to delete it from their mailboxes.
The domains associated with the attack were hosted by a registrar in China, according to Sean Brady, product marketing manager at security vendor RSA’s IAAG Group.
However, that may not be the end of these attacks, as the spammers can register domains elsewhere and continue their attacks.
Security vendor AppRiver told InternetNews.com that subject lines used include Gaza Groups Report on War, Israel Assaults Hamas In Gaza, Support Israel’s Fight and Reminders of War in Gaza – CNN.
Purported senders include CNN Gaza Crisis News, CNN Media Center, CNN News, CNN News and Events, and CNN News Releases.
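The pattern in these reports, a CNN sender name on mail that neither comes from CNN nor links to it, can be checked mechanically. The Python below is an added example, not code from AppRiver, RSA or CNN; it assumes cnn.com is the brand's legitimate domain, and the sample messages and their .example hosts are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "CNN"              # name the lure borrows in the sender display name
BRAND_DOMAIN = "cnn.com"   # assumption: the brand's real mail and web domain

def in_brand_domain(host):
    host = (host or "").lower().rstrip(".")
    return host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN)

def check_message(raw):
    """Return findings for mail whose sender name claims the brand but points elsewhere."""
    msg = message_from_string(raw)
    display, addr = parseaddr(str(msg.get("From", "")))
    if not re.search(r"\b%s\b" % re.escape(BRAND), display, re.I):
        return []                      # display name does not claim the brand
    findings = []
    sender_domain = addr.rpartition("@")[2].lower()
    if not in_brand_domain(sender_domain):
        findings.append(("sender-domain", sender_domain))
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for url in re.findall(r"https?://[^\s\"'<>]+", body):
            host = urlparse(url).hostname or ""
            # suffix match on the hostname, so "cnn.com.<other>" does not pass
            if not in_brand_domain(host):
                findings.append(("link-host", host))
    return findings

# Constructed sample messages (not real traffic); .example hosts are placeholders.
SPOOFED = """\
From: "CNN Media Center" <alerts@mail.news-update.example>
Subject: Israel Assaults Hamas In Gaza

Watch the report: http://cnn.com.video-update.example/gaza.html
"""
LEGIT = """\
From: "CNN News" <newsletter@mail.cnn.com>
Subject: Top stories

Read more: http://www.cnn.com/world/
"""
UNRELATED = "From: Alice <alice@corp.example>\nSubject: Lunch\n\nhttp://intranet.corp.example/menu\n"
```

Mail from a sender that does not use the brand name in its display name returns no findings, so the check is meant to sit alongside other filtering rather than replace it.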
According to RSA’s blog, the gang behind this Trojan is known and has a history of similar attacks.
This is not the first time spammers have leveraged CNN – during the Beijing Olympics last year, spammers sent out fake CNN news reports with Olympics-related headlines. In those attacks, too, they had a link urging an Adobe Flash update.
Fred Touchette, senior security analyst at AppRiver, told InternetNews.com that the attacks began at 5:30 a.m. central time yesterday and that, so far, 500,000 e-mails have been sent by the spammers.
Remember the Storm Worm attacks?
This is comparable to the 2007 Storm Worm attacks in terms of volume, Touchette said. “However, this latest attack is even more dangerous, because, unlike the Storm worm, which had a malicious e-mail attachment, this one uses social engineering through the pop-up,” he added.
The quality of the e-mail subject lines, their body copy and the fake CNN news site were all very high, Touchette said. “The whole thing was very professional looking and could even trick people who are quite vigilant,” he said. “Unlike last year, when they used ridiculous headlines, this time they’re using real headlines.”
Last year’s presidential campaign generated a flood of e-mail spams, many with poorly worded headlines that contained spelling and grammatical errors such as McCane vs Obama, war started.
The SSL-stealing Trojan used in this fake CNN news attack will work even on secure sites because it sits within the browser, rendering security ineffective, RSA’s Brady said. It captures the financial and personal information of its victims.
This is the second time in recent weeks that news has surfaced that secure Web sites may not be as safe as believed. Late last month, researchers disclosed that they had found a flaw in MD5, or Message-Digest algorithm 5
The disclosure led VeriSign to switch its MD5-based certificates to another security algorithm, SHA-1, and led Microsoft and Mozilla to work with affected certification authorities to ensure they update their issuing processes.
RSA’s Brady warned that spammers will use increasingly sophisticated and devious techniques this year. “They’re showing more understanding of the end user experience and what end users may key into,” he said. “End users must continue to exercise great caution.”