Daily cyber threats and internet security news: network security, online safety and latest security alerts
August 7th, 2008

Massive Spam Campaign Spreads False CNN News Items With Fake Flash Player Malware

A known social engineering tactic involving Adobe Flash Player is being exploited in a currently active malware campaign. The spammed user is encouraged to click through to a site with a fake news item in order to install a fake Flash Player update (file names might be flashupdate.exe, get_flash_update.exe, watchmovie.mpg.exe). If the user clicks “Cancel” in the dialog that prompts for the update, another pop-up appears, telling the victim that they have to download it to view the video. Clicking “Cancel” there returns the user to the first dialog. This puts the user in a perpetual loop, so the only options are to kill the browser session or install the malware. As of last night, this campaign had sent over 80 million messages in the past 24 hours, with 5 million sent on an hourly basis, according to MX Logic.

This campaign uses fake CNN news update spam, with subjects like “ Daily Top 10”. This new CNN tactic is likely to be more successful than the single-line spam tactic that we had been seeing over the past several weeks, as this message looks like it could be a news update email sent by CNN. This new message also attempts to trick the user into believing that they signed up to receive it because of their email preference settings at the CNN web site. If you see this message come into your inbox, delete it immediately.

Thousands of legitimate hacked websites and domains purposely registered for abuse are currently participating, with the malware authors continuing to use retro client-side exploits like those identified in ThreatFire’s assessment at the end of July. Users susceptible to any of these news topics might not even get the chance to deny the download attempt of the infected binary. Exploits involved in these attacks include:

  • Old MS06-014 MDAC vulnerability
  • New Microsoft Office Snapshot Viewer ActiveX control vulnerability
  • One-year-old Online Media Technologies NCTsoft NCTAudioFile2 ActiveX buffer overflow
  • One-year-old stack overflow in GomManager
  • Recent RealPlayer.Console heap vulnerability
  • Two-year-old WebViewFolderIcon.setSlice integer overflow vulnerability

Rogue media codecs have started being replaced by fake Windows Media Players and other legitimate players, since today’s fake applets impersonate legitimate software. Instead of trying to build trust in an unknown brand, criminals are impersonating and abusing known brands and their software, which increases the probability of someone clicking on it.

This abuse is serious enough to have prompted Adobe to issue a Security Bulletin warning of malware spreading via a fraudulent Flash Player installer. Adobe warns that worms are making fraudulent posts on social networking sites. These posts include links that lead to fake sites, just like the ones spammed by email, that prompt users to update their versions of Flash Player. If users attempt to use the installer to make the update, malware may be downloaded and installed onto their systems.

Update (August 13): Another round of malware spam has been launched, this time featuring MSNBC instead of CNN:

Subject: MSNBC Breaking News

Title: – BREAKING NEWS: <some bogus news here>

If you see this message in your inbox, delete it immediately.
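The subjects and file names listed in this article can be turned into a simple mail check. The following Python sketch is an added example, not code from this site or from any vendor named above; the `example.test` hosts, the sample messages, and the double-extension pattern (a generalization beyond the three named files) are constructed for illustration.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from urllib.parse import urlparse

# Subject fragments and file names quoted in the article.
SUBJECT_MARKERS = ("daily top 10", "breaking news")
LURE_FILES = {"flashupdate.exe", "get_flash_update.exe", "watchmovie.mpg.exe"}
# Assumption: media-looking name with an executable suffix, e.g. "clip.avi.exe".
DOUBLE_EXT = re.compile(r"\.(mpg|mpeg|avi|wmv|mov|flv)\.(exe|scr|com|pif)$", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def body_text(msg):
    """Concatenate every text/* part, undoing transfer encodings."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def score_message(raw):
    """Return the reasons a raw RFC 822 message matches the campaign traits."""
    msg = message_from_string(raw)
    subject = str(make_header(decode_header(msg.get("Subject", "")))).lower()
    reasons = [f"subject:{m}" for m in SUBJECT_MARKERS if m in subject]
    for url in URL_RE.findall(body_text(msg)):
        # Only the last path segment matters: that is the file the user is offered.
        name = urlparse(url).path.rsplit("/", 1)[-1].lower()
        if name in LURE_FILES:
            reasons.append(f"lure-file:{name}")
        elif DOUBLE_EXT.search(name):
            reasons.append(f"double-ext:{name}")
    return reasons

# Constructed sample messages (not captured from the campaign).
SAMPLE_CNN = ("From: alerts@example.test\nSubject: Daily Top 10\n\n"
              "Watch: http://news.example.test/video/get_flash_update.exe\n")
SAMPLE_MSNBC = ("From: alerts@example.test\nSubject: MSNBC Breaking News\n\n"
                "Video: http://cdn.example.test/clip.avi.exe\n")
SAMPLE_BENIGN = ("From: friend@example.test\nSubject: Lunch on Friday\n\n"
                 "Menu: http://example.test/menu.pdf\n")

if __name__ == "__main__":
    for sample in (SAMPLE_CNN, SAMPLE_MSNBC, SAMPLE_BENIGN):
        print(score_message(sample))
```

A subject match alone is weak evidence, since legitimate newsletters use similar wording; the file-name hits are the stronger signal.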


    2 Responses to “Massive Spam Campaign Spreads False CNN News Items With Fake Flash Player Malware”

    1. Peggy Sullivan Says:
      August 14th, 2008 at 11:28 am

      How do I stop receiving these fake news alerts?

    2. CyberInsecure Says:
      August 14th, 2008 at 11:33 am

      Set your email filters to delete or ignore messages with a typical spam title, like “BREAKING NEWS” or “CNN top 10”.
      If you are a Gmail user, it is very easy, just open your settings page and go to “filters”.

      You can't stop spammers from sending them to you (and millions of other users). The only way not to get them completely would be opening a new email account and keeping it secret, so it won't get into spam lists.
