Researchers at RSA Security today posted a blog about the CNN Trojan, which lures users to click on a link that promises video and further details about actual events occurring in Gaza. The link takes the user to a realistic-looking CNN Website that promises a compelling video.
When the user clicks on the video, another popup states that the user doesn't have the proper version of the Adobe Flash Player, and that he should click to install a more current version. This final click installs the Trojan, according to Sam Curry, vice president of product management at RSA.
The Trojan is designed to search the user's computer for SSL-related credentials, particularly those that might be used to log onto online banking or other financial accounts, Curry explains. Such credentials are typically given to "mules," or third parties, who use them to transfer funds, make purchases, or open new accounts.
"This is not your typical phishing attack, where the email leads you to type in your personal information," Curry says. "With this, it's three clicks and somebody empties out your bank account."
In a separate blog about the fake CNN attack, MX Logic's Sam Masiello notes that the current attack looks very much like a CNN-lookalike attack that occurred in August. That attack, which similarly offered a Trojan disguised as a video codec, was distributed via a botnet that generated some 835 million messages during a two-week period, according to MX Logic.
Volumes of this new attack started slowly, at about 50 instances seen within the first 45 minutes, beginning at around 7 a.m. Mountain Standard Time (MST), according to MX Logic. The volume "started to pick up pace very quickly at around 8 a.m. MST, where we saw another 1,300 within about 10 minutes," Masiello writes. MX Logic is planning to post additional updates on the traffic later today.
The URL being linked to is changing from message to message, Masiello says. "However, the 'edition.cnn.2009' at the start of the URL appears to be static through the samples we have observed thus far," he says. "Also, the page 'israel-gaza.htm' has been linked to in all samples we have seen."
Curry warns that the attacks may not be limited to fake news reports related to Gaza. "It could have been about the inauguration, or the economy, or anything that would catch the reader's eye," he says. Users should be wary of forwarded news reports, even if they appear to be coming from a friend or a legitimate site, he adds.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message