Dark Reading is part of the Informa Tech Division of Informa PLC

New Trojan Attack Masquerades As CNN News Report On Gaza

Popup offering updated video codec actually installs password-stealing Trojan

Email messages purporting to carry CNN news reports on the war in Gaza are actually the first step in the download of a password-stealing Trojan, researchers warned today.

Researchers at RSA Security today published a blog post about the CNN Trojan, which lures users to click on a link that promises video and further details about actual events occurring in Gaza. The link takes the user to a realistic-looking CNN website that promises a compelling video.

When the user clicks on the video, another popup states that the user doesn't have the proper version of the Adobe Flash Player, and that he should click to install a more current version. This final click installs the Trojan, according to Sam Curry, vice president of product management at RSA.

The Trojan is designed to search the user's computer for SSL-related credentials, particularly those that might be used to log on to online banking or other financial accounts, Curry explains. Such credentials are typically given to "mules," or third parties, who use them to transfer funds, make purchases, or open new accounts.

"This is not your typical phishing attack, where the email leads you to type in your personal information," Curry says. "With this, it's three clicks and somebody empties out your bank account."

In a separate blog post about the fake CNN attack, MX Logic's Sam Masiello notes that the current attack looks very much like a CNN-lookalike attack that occurred in August. That attack, which similarly offered a Trojan disguised as a video codec, was distributed via a botnet that generated some 835 million messages during a two-week period, according to MX Logic.

Volumes of this new attack started slowly, at about 50 instances seen within the first 45 minutes, beginning at around 7 a.m. Mountain Standard Time (MST), according to MX Logic. The volume "started to pick up pace very quickly at around 8 a.m. MST, where we saw another 1,300 within about 10 minutes," Masiello writes. MX Logic is planning to post additional updates on the traffic later today.

The URL being linked to is changing from message to message, Masiello says. "However, the 'edition.cnn.2009' at the start of the URL appears to be static through the samples we have observed thus far," he says. "Also, the page 'israel-gaza.htm' has been linked to in all samples we have seen."
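The two static elements Masiello describes can be turned into a mail or proxy-log filter. The sketch below is an added example, not code from MX Logic or RSA; it also goes one step beyond the article by flagging any host that carries a `cnn` label outside `cnn.com`. The sample URLs, the indicator names and the assumption that `cnn.com` is the only genuine domain are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the article (MX Logic's observations).
STATIC_PREFIX = "edition.cnn.2009"
STATIC_PAGE = "israel-gaza.htm"
LEGIT_SUFFIXES = ("cnn.com",)  # assumption: the only domain treated as genuine

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def is_legit_host(host):
    """True only for the legitimate domain itself or a real subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)

def score_url(url):
    """Return the names of the indicators this URL matches (empty list = clean)."""
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed URL, e.g. broken IPv6 brackets
        return ["unparseable"]
    host = (parts.hostname or "").lower().rstrip(".")
    if is_legit_host(host):
        return []
    hits = []
    if host.startswith(STATIC_PREFIX):
        hits.append("static-prefix")
    if parts.path.rsplit("/", 1)[-1].lower() == STATIC_PAGE:
        hits.append("static-page")
    # Generalisation beyond the article: brand used as a label on another domain.
    if "cnn" in host.split("."):
        hits.append("brand-label-off-domain")
    return hits

def scan_message(text):
    """Extract URLs from a message body and return {url: [indicators]} for hits."""
    findings = {}
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,)")
        hits = score_url(url)
        if hits:
            findings[url] = hits
    return findings

# Constructed sample message body (not real campaign data).
SAMPLE = """Breaking: http://edition.cnn.2009.news-update.example/world/israel-gaza.htm
Real site: http://edition.cnn.com/2009/WORLD/meast/index.html
Other: http://video.cnn.media-host.example/clip.htm
"""

if __name__ == "__main__":
    for url, hits in scan_message(SAMPLE).items():
        print(url, hits)
```

Because the linked URL changes from message to message, matching on the static prefix and page name (or the brand label) catches variants that an exact-URL blocklist would miss.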

Curry warns that the attacks may not be limited to fake news reports related to Gaza. "It could have been about the inauguration, or the economy, or anything that would catch the reader's eye," he says. Users should be wary of forwarded news reports, even if they appear to be coming from a friend or a legitimate site, he adds.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
