Massive Spam Campaign Spreads False CNN News Items With Fake Flash Player Malware
Known social engineering tactic involving Adobe Flash Player is exploited in currently active malware campaign. Spammed user is encouraged to click on a site with a fake news item in order to install a fake Flash player update (file names might be flashupdate.exe, get_flash_update.exe, watchmovie.mpg.exe). If user clicks “Cancel” in the dialog that prompts for an update, another pop-up appears, that tells the victim that they have to download it to view the video. Clicking “Cancel” there returns the user to the first dialog. It puts the user in perpetual loop, so the only options are to kill the browser session or install the malware. Last night this campaign sent over 80 million messages for the past 24 hours, with 5 million sent on an hourly basis, according to MX Logic.
This campaign is using Fake CNN News Update spam, with subjects like “CNN.com Daily Top 10″. This new CNN tactic is likely to be more successful than the single-line spam tactic that we had been seeing over the past several weeks as this message looks like it could be an news update email sent by CNN. This new message also attempts to trick the user into believing that they signed up to receive it because of their email preference settings at the CNN web site. If you see this message come into your inbox, delete it immediately.
Thousands of legitimate hacked websites and purposely registered for abuse domains are currently participating, with the malware authors continuing to use retro client-side exploits like those detected by ThreatFire’s assessment at the end of July. Users susceptible to any of these news topics might not even get the chance to deny the download attempt of the infected binary. Exploits involved in these attacks include:
Old MS06-014 MDAC Vulnerability
New Microsoft Office Snapshot Viewer ActiveX control vulnerability
One year old Online Media Technologies NCTsoft NCTAudioFile2 ActiveX buffer overflow
One year old stack overflow in GomManager
Recent RealPlayer.Console heap vulnerability
Two years old WebViewFolderIcon.setSlice integer overflow vulnerability
Rogue media codecs started getting replaced by fake Windows Media Players and other legitimate players, since today’s fake applets impersonating legitimate software. Instead of trying to build trust into an unknown brand, criminals are impersonating and abusing known brands and their software, which increases the probability of someone clicking on it.
This abuse is serious enough to make Adobe issue a Security Bulletin that is warning of malware spreading via a fraudulent Flash Player installer. Adobe warns that worms are making fraudulent posts on social networking sites. These posts include links that lead to fake sites, just like the email spammed ones, that prompt users to update their versions of Flash Player. If users attempt to use the installer to make the update, malware may be downloaded and installed onto their systems.
Update (August 13): Another round of malware spam has been launched, this time featuring MSNBC instead of CNN:
Subject: MSNBC Breaking News
Title: msnbc.com – BREAKING NEWS: <some bogus news here>
If you see this message in your inbox, delete it immediately.
More on CyberInsecure:
Posts
August 14th, 2008 at 11:28 am
How do I stop receiving these fake news alerts?
August 14th, 2008 at 11:33 am
Set your email filters to delete or ignore message with typical spam title, like “BREAKING NEWS” or “CNN top 10″.
If you are a Gmail user, it is very easy, just open your settings page and go to “filters”.
You cant stop spammers from sending them to you (and millions of other users). The only way not to get them completely would be opening a new email account and keeping it secret, so it wont get into spam lists.