Faux-CNN Spam Blitz Delivers Malicious Flash

CWmike writes "More than a thousand hacked Web sites are serving up fake Flash Player software to users duped into clicking on links in mail that's part of a massive spam attack masquerading as CNN.com news notifications, security researchers said today. The bogus messages, which claim to be from the CNN.com news Web site, include links to what are supposedly the day's Top 10 news stories and Top 10 news video clips from the cable network. Clicking on any of those links, however, brings up a dialog that says an incorrect version of Flash Player has been detected and that tells users they needed to update to a fake newer edition, which delivers a Trojan horse — identified by multiple names, including Cbeplay.a — that 'phones home' to a malicious server to grab and install additional malware."

  • I got one of these (Score:5, Informative)

    by Anonymous Coward on Wednesday August 06, 2008 @07:09PM (#24504277)

    It took me quite a while to figure out why this would be effective spam.

    Then I had a look at the HTML view. Quite insidious.

    It provides what looks like a linkified http://www.cnn.com/xxxxxxx that actually refers to a different URL.

  • Cbeplay.a (Score:1, Informative)

    by shvytejimas ( 1083291 ) <slashdot@glow.33mail.com> on Wednesday August 06, 2008 @07:13PM (#24504321)
    It is Windows only [sophos.com].
    A relief, kinda..
  • More secure, yes. (Score:3, Informative)

    by nurb432 ( 527695 ) on Wednesday August 06, 2008 @07:23PM (#24504413) Homepage Journal

    But not invincible..

  • Facebook, too? (Score:2, Informative)

    by MaliciousSmurf ( 960366 ) on Wednesday August 06, 2008 @07:26PM (#24504443)
    Here's an excerpt from a message posted by a friend on EVERYONE's wall: (X's are mine, just to add some security) "HEY GUYS GET YOUR GAMING ON! ENTER AND WIN A PS3 Or Free PLASMA ITS EASY AND FREE SIGN UP AT THE URL BELOW http://xxxxx.imageshack.us/XXXXX/gameonit4.swf [imageshack.us] "
  • by Anonymous Coward on Wednesday August 06, 2008 @09:33PM (#24505327)

    And here's the original Dilbert comic for that line

    http://ozguru.mu.nu/Photos/2005-11-11--Dilbert_Unix.jpg [ozguru.mu.nu]

  • Re:Facebook, too? (Score:2, Informative)

    by kap.devoid ( 1194165 ) on Wednesday August 06, 2008 @09:42PM (#24505411)
    Unfortunately yes and probably every other social networking site soon as well. http://www.securityfocus.com/brief/786?ref=rss [securityfocus.com]
  • Settings for Outlook (Score:3, Informative)

    by ashitaka ( 27544 ) on Wednesday August 06, 2008 @11:10PM (#24506061) Homepage
    A while ago I had a regular email that would for whatever reason lock up Outlook when trying to download its HTML content.

    So I set Outlook to always show plain text versions of all emails. This has provided two benefits:

    1) Much faster message display
    2) Malicious emails are easier to spot

    In this case it was a whole bunch of links where the text was http://x.cnn.com/ but the actual href was http://seomthing.de.

    In Outlook 2007: Tools - Trust Center - E-Mail Security - Read all standard mail in plain text.
  • Re:Lessons Learned (Score:3, Informative)

    by r7 ( 409657 ) on Wednesday August 06, 2008 @11:12PM (#24506071)

    The reason it was blocked was that it came from an IP that was currently blacklisted for spamming and was clearly a dynamic IP, not that spamassassin recognized the message. Any mail from that IP would have been blocked. Spamassassin actually fell down pretty badly on the content analysis.

    Partially correct, but you're forgetting that headers _are_ content as much as the body, and any properly configured Spamassassin takes full advantage of RBLs, RHSBLs, and CBLs to identify spam (as much as any other signature). On this (well configured) server anything above 6.0 is discarded, yielding no false positives and rare false negatives (~2 per week per account). Sure it would have scored higher if it had better analyzed the hrefs, but the point is that it recognized the messages as spam.

  • Not Flash (Score:3, Informative)

    by dFaust ( 546790 ) on Wednesday August 06, 2008 @11:14PM (#24506089)

    Just to be clear, users are downloading malicious software that is posing as the Flash Player. "Malicious Flash", to me, means Flash content (a SWF) that uses a vulnerability in the Flash Player to compromise a user's system. While Flash hasn't had a spotless security record, I don't know of any instances where a vulnerability in the Flash Player has been exploited on a scale such as this. In the past few years, Adobe has really strived to make Flash Player much more secure. Were this to be an actual case of "malicious Flash", I think it would be a big PR problem for Adobe and make end users extra wary of Flash for some time to come.

    The wording in the title seems to me like calling someone social engineering some passwords a "Windows security vulnerability" - misleading and inaccurate, at best.
