Dark Reading is part of the Informa Tech Division of Informa PLC



New Trojan Attack Masquerades As CNN News Report On Gaza

Popup offering updated video codec actually installs password-stealing Trojan

Email messages purporting to carry CNN news reports on the war in Gaza are actually the first step in the download of a password-stealing Trojan, researchers warned today.

Researchers at RSA Security today posted a blog about the CNN Trojan, which lures users to click on a link that promises video and further details about actual events occurring in Gaza. The link takes the user to a realistic-looking CNN Website that promises a compelling video.

When the user clicks on the video, another popup states that the user doesn't have the proper version of the Adobe Flash Player, and that he should click to install a more current version. This final click installs the Trojan, according to Sam Curry, vice president of product management at RSA.

The Trojan is designed to search the user's computer for SSL-related credentials, particularly those that might be used to log onto online banking or other financial accounts, Curry explains. Such credentials are typically given to "mules," or third parties, who use them to transfer funds, make purchases, or open new accounts.

"This is not your typical phishing attack, where the email leads you to type in your personal information," Curry says. "With this, it's three clicks and somebody empties out your bank account."

In a separate blog about the fake CNN attack, MX Logic's Sam Masiello notes that the current attack looks very much like a CNN-lookalike attack that occurred in August. That attack, which similarly offered a Trojan disguised as a video codec, was distributed via a botnet that generated some 835 million messages during a two-week period, according to MX Logic.

Volumes of this new attack started slowly, at about 50 instances seen within the first 45 minutes, beginning at around 7 a.m. Mountain Standard Time (MST), according to MX Logic. The volume "started to pick up pace very quickly at around 8 a.m. MST, where we saw another 1,300 within about 10 minutes," Masiello writes. MX Logic is planning to post additional updates on the traffic later today.

The URL being linked to is changing from message to message, Masiello says. "However, the 'edition.cnn.2009' at the start of the URL appears to be static through the samples we have observed thus far," he says. "Also, the page 'israel-gaza.htm' has been linked to in all samples we have seen."
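The two static URL fragments Masiello describes are exactly the kind of indicator a mail filter can key on. The following is an added example, not code from the article, RSA or MX Logic; it assumes "edition.cnn.2009" is a hostname prefix, uses a naive last-two-labels heuristic in place of the public suffix list, and also flags any host that carries the brand string without resolving to the brand's real registrable domain, which is more general than the article's two indicators.

```python
import re
from urllib.parse import urlparse

# Indicators quoted in the article: the static "edition.cnn.2009" start of the URL
# (assumed here to be a hostname prefix) and the static page name "israel-gaza.htm".
STATIC_HOST_PREFIX = "edition.cnn.2009"
STATIC_PAGE = "israel-gaza.htm"
# Registrable domains the impersonated brand actually uses (assumption for this example).
LEGIT_DOMAINS = {"cnn.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registrable_domain(host):
    """Naive 'last two labels' heuristic; a real deployment would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url):
    """Return the names of the indicators that fire for one URL (empty list = clean)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    page = parsed.path.lower().rsplit("/", 1)[-1]
    hits = []
    if host.startswith(STATIC_HOST_PREFIX):
        hits.append("static-host-prefix")
    if page == STATIC_PAGE:
        hits.append("static-page-name")
    # Brand lookalike: the brand string is in the host, but the registrable domain is not the brand's.
    if "cnn" in host and registrable_domain(host) not in LEGIT_DOMAINS:
        hits.append("brand-lookalike-host")
    return hits


def scan_message(body):
    """Map every flagged URL in a message body to the indicators it triggered."""
    findings = {}
    for match in URL_RE.findall(body):
        url = match.rstrip(".,;)")  # drop trailing sentence punctuation
        hits = classify_url(url)
        if hits:
            findings[url] = hits
    return findings


# Constructed sample message (not a real lure); the genuine CNN link should stay unflagged.
SAMPLE_EMAIL = """Breaking: see the video at
http://edition.cnn.2009.example.test/israel-gaza.htm and the real report at
http://edition.cnn.com/2009/WORLD/meast/index.html."""

if __name__ == "__main__":
    for url, hits in scan_message(SAMPLE_EMAIL).items():
        print(url, "->", ", ".join(hits))
```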

Curry warns that the attacks may not be limited to fake news reports related to Gaza. "It could have been about the inauguration, or the economy, or anything that would catch the reader's eye," he says. Users should be wary of forwarded news reports, even if they appear to be coming from a friend or a legitimate site, he adds.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
