Faux-CNN spam blitz uses legit sites to deliver fake Flash

More than 1,000 hacked sites serving up phony update; Adobe issues warning

More than a thousand hacked Web sites are serving up fake Flash Player software to users duped into clicking on links in mail that's part of a massive spam attack masquerading as CNN.com news notifications, security researchers said Wednesday.

The bogus messages, which claim to be from the CNN.com news Web site, include links to what are supposedly the day's Top 10 news stories and Top 10 news video clips from the cable network. Clicking on any of those links, however, brings up a dialog that says an incorrect version of Flash Player has been detected, and tells users they needed to update to a newer edition, said Sam Masiello, vice president of information security at Colorado-based security company MX Logic.

One distinguishing feature of the attack, Masiello added, is the endless loop it uses to frustrate victims. If user clicks "Cancel" in the dialog that prompts for an update, another pop-up appears, said Masiello, that tells the victim that they have to download it to view the video. Clicking "Cancel" there returns the user to the first dialog.

"It puts you in this perpetual loop, so your only options are to kill your browser [session] or be brow-beaten into installing it," said Masiello.

MX Logic has detected more than 160 million spam messages in the fake CNN.com attack in the last 48 hours, he said. "It's not slowed down at all."

Tuesday, Bulgarian security researcher Dancho Danchev reported finding more than 1,000 hacked sites hosting the fake Flash Player update.

Hackers are getting brazen, he added, and apparently aren't afraid to disclose URLs of the sites they've compromised by embedding them in the spam they're spreading. "Malicious attackers have been building so much confidence in this risk-forwarding process of hosting their campaigns, that they would start actively spamming the links residing within low-profile legitimate sites across the Web," Danchev said in a blog post Tuesday.

Adobe is aware of the malware posing as its Flash Player, and on Monday warned users to ignore any updates that didn't originate on its own servers. "Do not download Flash Player from a site other than adobe.com," said David Lenoe, Adobe's product security program manager, in an entry on Adobe Product Security Incident Response Team's PSIRT blog. "This goes for any piece of software (Reader, Windows Media Player, QuickTime, etc.). If you get a notice to update, it's not a bad idea to go directly to the site of the software vendor and download the update directly from the source. If the download is from an unfamiliar URL or an IP address, you should be suspicious."

People who okayed the download of the bogus flash.exe file, said Danchev, instead received a Trojan horse -- identified by multiple names, including Cbeplay.a -- that in turn "phones home" to a malicious server to grab and install additional malware.

Masiello said MX Logic is still investigating, and has not been able to pin down what malware -- other than the fake Flash Player -- was actually installed on victims' PCs.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?