Faux-CNN Spam Blitz Delivers Malicious Flash
CWmike writes "More than a thousand hacked Web sites are serving up fake Flash Player software to users duped into clicking on links in mail that's part of a massive spam attack masquerading as CNN.com news notifications, security researchers said today. The bogus messages, which claim to be from the CNN.com news Web site, include links to what are supposedly the day's Top 10 news stories and Top 10 news video clips from the cable network. Clicking on any of those links, however, brings up a dialog that says an incorrect version of Flash Player has been detected and that tells users they need to update to a fake newer edition, which delivers a Trojan horse — identified by multiple names, including Cbeplay.a — that 'phones home' to a malicious server to grab and install additional malware."
I got one of these (Score:5, Informative)
it took me quite a while to figure out why this would be effective spam.
Then I had a look at the HTML view. Quite insidious.
It provides what looks like a linkified http://www.cnn.com/xxxxxxx that actually refers to a different URL.
Cbeplay.a (Score:1, Informative)
A relief, kinda..
More secure, yes. (Score:3, Informative)
But not invincible..
Facebook, too? (Score:2, Informative)
Re:WINDOWS ONLY. Dilbert source (Score:1, Informative)
And here's the original Dilbert comic for that line
http://ozguru.mu.nu/Photos/2005-11-11--Dilbert_Unix.jpg [ozguru.mu.nu]
Re:Facebook, too? (Score:2, Informative)
Settings for Outlook (Score:3, Informative)
So I set Outlook to always show plain text versions of all emails. This has provided two benefits:
1) Much faster message display
2) Malicious emails are easier to spot
In this case it was a whole bunch of links where the text was http://x.cnn.com/ but the actual href was http://seomthing.de.
In Outlook 2007: Tools - Trust Center - E-Mail Security - Read all standard mail in plain text.
Re:Lessons Learned (Score:3, Informative)
The reason it was blocked was that it came from an IP that was currently blacklisted for spamming and was clearly a dynamic IP, not that spamassassin recognized the message. Any mail from that IP would have been blocked. Spamassassin actually fell down pretty badly on the content analysis.
Partially correct, but you're forgetting that headers _are_ content as much as the body, and any properly configured Spamassassin takes full advantage of RBLs, RHSBLs, and CBLs to identify spam (as much as any other signature). On this (well configured) server anything above 6.0 is discarded, yielding no false positives and rare false negatives (~2 per week per account). Sure it would have scored higher if it had better analyzed the hrefs, but the point is that it recognized the messages as spam.
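The trick described in the "I got one of these" and "Settings for Outlook" comments, and the href analysis the "Lessons Learned" reply says SpamAssassin should have done, come down to one check: does the visible text of an anchor name a different site than the href actually targets? The script below is an added example, not code from the article, from SpamAssassin or from Outlook. It parses a constructed sample message (the sender, recipient and the `update-flash.example.invalid` landing host are placeholders, not the real campaign's domains) and reports every anchor whose displayed URL points somewhere else. It deliberately ignores anchors whose text is ordinary words, since "Top 10 videos" makes no claim about where it should lead.

```python
"""Flag HTML e-mail links whose visible text names one host but whose href
points at another, the faux-CNN trick discussed in the thread.
Added example; not code from the article, SpamAssassin or Outlook."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message. Addresses and the landing host are placeholders.
# Anchor 1 shows a cnn.com URL but sends the reader elsewhere; anchor 2 is honest;
# anchors 3 and 4 have plain-word text and are not judged.
SAMPLE_EML = """\
From: CNN Alerts <cnnalerts@example.invalid>
To: victim@example.invalid
Subject: CNN.com Daily Top 10
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Today's Top 10 stories:</p>
<a href="http://update-flash.example.invalid/top10/1">http://www.cnn.com/2008/WORLD/top10/1.html</a><br>
<a href="http://www.cnn.com/2008/WORLD/top10/2.html">http://www.cnn.com/2008/WORLD/top10/2.html</a><br>
<a href="http://update-flash.example.invalid/video">Top 10 videos</a><br>
<a href="http://www.cnn.com/video/">Watch on CNN</a>
</body></html>
"""

# Visible text that itself looks like a URL or bare hostname; group 1 is the host.
_URLISH_TEXT = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/:?#]\S*)?")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the HTML part."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _same_site(host_a, host_b):
    """Crude site comparison: www.cnn.com and cnn.com count as the same site."""
    return host_a.lower().split(".")[-2:] == host_b.lower().split(".")[-2:]


def find_deceptive_links(raw_message):
    """Return [(visible_text, href)] for anchors whose visible text names a host
    on a different site than the href really targets. Returns [] when the
    message has no HTML part, which is why a plain-text view defeats the trick."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return []
    collector = _AnchorCollector()
    collector.feed(part.get_content())
    deceptive = []
    for href, text in collector.anchors:
        shown = _URLISH_TEXT.fullmatch(text)
        if not shown or not href:
            continue  # plain-word link text makes no claim about its target
        target = urlparse(href).hostname
        if target and not _same_site(shown.group(1), target):
            deceptive.append((text, href))
    return deceptive


if __name__ == "__main__":
    for text, href in find_deceptive_links(SAMPLE_EML):
        print(f"shown as {text!r} but goes to {href}")
```

A mail filter would turn the length of that list into a score contribution rather than a hard block; a single mismatched anchor also appears in legitimate tracking-redirect mail, so it belongs alongside the RBL and header checks the reply above describes, not in place of them.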
Not Flash (Score:3, Informative)
Just to be clear, users are downloading malicious software that is posing as the Flash Player. "Malicious Flash", to me, means Flash content (a SWF) that uses a vulnerability in the Flash Player to compromise a user's system. While Flash hasn't had a spotless security record, I don't know of any instances where a vulnerability in the Flash Player has been exploited on a scale such as this. In the past few years, Adobe has really strived to make Flash Player much more secure. Were this to be an actual case of "malicious Flash", I think it would be a big PR problem for Adobe and make end users extra wary of Flash for some time to come.
The wording in the title seems to me like calling someone social engineering some passwords a "Windows security vulnerability" - misleading and inaccurate, at best.