Daily cyber threats and internet security news: network security, online safety and latest security alerts
January 10th, 2009

Fraudsters Prey Upon Public Interest In Current Events to Launch Trojan Attacks On Fake CNN Site

RSA FraudAction Research Lab discovered yesterday a social engineering scam designed to lure people, via an email spam attack, to a fake news website designed to look like This “Cease-Fire Trojan Attack” attempts to bait readers leveraging recent news and “graphic and striking” images regarding the Israel-Hamas conflict in Gaza.

The result of this attack is the infection of computers with a Trojan. The fake website is designed to look like, but is not a legitimate webpage nor is it associated with CNN, its parent company, or its affiliates in any manner.

The scam is yet another example of how adept fraudsters are in engineering attacks with near real-time response to breaking news. It also underscores the opportunistic nature of fraud purveyors who increasingly prey upon public interest and/or concern regarding national or global events of broad importance (such as the recent global economic crisis or the U.S. presidential election).

Infection by the Trojan is accomplished via a silent “drive-by-download” infection kit such as Neosploit, or via social engineering. If the Internet user clicks on the link within the email, they are directed to the fake website. The fake webpage, designed and hosted by the online criminals, is embedded as a link within the spam attack email. This fake webpage includes another link to what appears to be a legitimate video but is actually a form of crimeware. When visitors click on the video, they get an error message asking them to install Adobe Flash Player 10 in order to play the video, and a link is provided. The associated and completely fake download is not a product of Adobe or its affiliates in any way.
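A defender can look for the fake Flash Player step described above in web proxy logs. The following is an added example, not code from RSA or from this site: it flags installer files named like Flash Player that were served by a host outside an Adobe allowlist. The log format, the sample lines, the hostnames and the allowlist are all assumptions constructed for the illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains this organisation accepts as genuine Adobe download sources.
TRUSTED_SUFFIXES = ("adobe.com", "macromedia.com")

# File names that look like a Flash installer, e.g. "Adobe_Flash_Player_10.exe".
LURE_NAME = re.compile(r"flash[\w.\-]*\.(exe|msi|scr)$", re.IGNORECASE)

# Constructed sample log: timestamp, client, method, URL, status, content type.
SAMPLE_LOG = """\
2009-01-08T21:14:02 10.0.0.23 GET http://news-video.example.test/gaza/index.html 200 text/html
2009-01-08T21:14:40 10.0.0.23 GET http://news-video.example.test/gaza/Adobe_Flash_Player_10.exe 200 application/octet-stream
2009-01-08T21:20:11 10.0.0.31 GET http://get.adobe.com/install_flash_player.exe 200 application/octet-stream
2009-01-08T21:25:37 10.0.0.40 GET http://adobe.com.updates.example.test/install_flashplayer.exe?id=7 200 application/x-msdownload
2009-01-08T21:30:05 10.0.0.52 GET http://study.example.test/flashcards.pdf 200 application/pdf
"""


def is_trusted(host):
    """True only for a trusted domain or a real subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def find_fake_flash_downloads(log_text):
    """Return (client, host, file name) for Flash-named installers from untrusted hosts."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed or truncated lines
        _, client, _, url, status, _ = fields
        parts = urlsplit(url)
        name = parts.path.rsplit("/", 1)[-1]
        if status != "200" or not parts.hostname:
            continue
        if LURE_NAME.search(name) and not is_trusted(parts.hostname):
            hits.append((client, parts.hostname, name))
    return hits


if __name__ == "__main__":
    for client, host, name in find_fake_flash_downloads(SAMPLE_LOG):
        print(f"ALERT client={client} fetched {name} from untrusted host {host}")
```

The suffix comparison is what catches the fourth sample line, where a trusted name is placed at the front of an unrelated hostname.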

The Trojan that is launched when the link to the fake software installation is accessed is called a Trojan “SSL stealer” that captures financial and personal information of the infected user found on their computer. This particular Trojan is not new or a newly advanced piece of crimeware. What is new is the socially engineered application of this Trojan that exploits users concerned about the recent events in Gaza.

Users should ignore unsolicited emails that ask them for personal information, or entice them to look at something interesting online – even if it seems “normal”, like an email from a friend, financial institution, or a social networking website.

RSA initiated the shutdown process to take down this attack and the site went offline on the night of January 8th. The domain, as usual, was hosted in China.
