Popup offering updated video codec actually installs password-stealing Trojan

Tim Wilson, Editor in Chief, Dark Reading, Contributor

January 8, 2009


Email messages purporting to carry CNN news reports on the war in Gaza are actually the first step in the download of a password-stealing Trojan, researchers warned today.

Researchers at RSA Security today posted a blog entry about the CNN Trojan, which lures users into clicking on a link that promises video and further details about actual events in Gaza. The link takes the user to a realistic-looking CNN lookalike website that promises a compelling video.

When the user clicks on the video, a popup states that the user does not have the proper version of the Adobe Flash Player and should click to install a more current version. That final click installs the Trojan, according to Sam Curry, vice president of product management at RSA.

The Trojan is designed to search the user's computer for SSL-related credentials, particularly those that might be used to log on to online banking or other financial accounts, Curry explains. Such stolen credentials are typically handed to "mules," third parties who use them to transfer funds, make purchases, or open new accounts.

"This is not your typical phishing attack, where the email leads you to type in your personal information," Curry says. "With this, it's three clicks and somebody empties out your bank account."

In a separate blog post about the fake CNN attack, MX Logic's Sam Masiello notes that the current attack looks very much like a CNN-lookalike attack that occurred in August 2008. That attack, which similarly offered a Trojan disguised as a video codec, was distributed via a botnet that generated some 835 million messages during a two-week period, according to MX Logic.

Volumes of this new attack started slowly, at about 50 instances seen within the first 45 minutes, beginning at around 7 a.m. Mountain Standard Time (MST), according to MX Logic. The volume "started to pick up pace very quickly at around 8 a.m. MST, where we saw another 1,300 within about 10 minutes," Masiello writes. MX Logic is planning to post additional updates on the traffic later today.

The URL being linked to changes from message to message, Masiello says, but two components have stayed constant. "However, the 'edition.cnn.2009' at the start of the URL appears to be static through the samples we have observed thus far," he says. "Also, the page 'israel-gaza.htm' has been linked to in all samples we have seen."
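The two static components Masiello describes are exactly what a mail-filtering or log-search rule would pivot on while the rest of the URL rotates. The following Python is an added example, not code from the article, RSA or MX Logic: it extracts URLs from message bodies and flags any whose hostname starts with "edition.cnn.2009" and whose final path element is "israel-gaza.htm". The sample messages, the domains after the static prefix, and the ".test" suffixes are constructed placeholders, not observed campaign infrastructure.

```python
import re
from urllib.parse import urlparse

# Static URL components reported for this campaign (from the article).
# Everything else in each URL varied from message to message.
STATIC_HOST_PREFIX = "edition.cnn.2009"
STATIC_PAGE = "israel-gaza.htm"

# Constructed sample messages (hypothetical, not real captures). The parts of
# the hostnames after the static prefix are placeholders.
SAMPLE_MESSAGES = [
    ("lure-1", "CNN Alerts: Gaza video "
               "http://edition.cnn.2009.example-a.test/news/israel-gaza.htm watch now"),
    ("lure-2", "See the footage at "
               "http://edition.cnn.2009.example-b.test/world/israel-gaza.htm?ref=mail"),
    ("benign", "Breaking news at "
               "http://edition.cnn.com/2009/WORLD/meast/01/08/israel.gaza/index.html"),
    ("noise", "Invoice attached, no links here."),
]

# Plain http/https URL matcher; stops at whitespace and common delimiters.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text):
    """Return every http(s) URL found in a message body."""
    return URL_RE.findall(text)


def is_lure_url(url):
    """True when the URL carries both static markers of the campaign.

    The host check is a prefix match because only the leading label run
    'edition.cnn.2009' was reported as constant; the page check looks at the
    last path element so that query strings and extra directories are ignored.
    """
    parsed = urlparse(url)
    host = parsed.hostname or ""          # urlparse lowercases the host
    page = parsed.path.rsplit("/", 1)[-1]  # final path element only
    return host.startswith(STATIC_HOST_PREFIX) and page.lower() == STATIC_PAGE


def scan_messages(messages):
    """Return (message_id, url) pairs for every lure URL across the messages."""
    hits = []
    for msg_id, body in messages:
        for url in extract_urls(body):
            if is_lure_url(url):
                hits.append((msg_id, url))
    return hits


if __name__ == "__main__":
    for msg_id, url in scan_messages(SAMPLE_MESSAGES):
        print(f"{msg_id}: {url}")
```

Requiring both markers keeps the rule from firing on the real edition.cnn.com site, whose hostname does not begin with the bogus "edition.cnn.2009" label and whose article paths end in index.html. If the attacker rotates the page name while keeping the host prefix, the host check alone can be promoted to its own looser alert.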

Curry warns that attacks of this kind will not be limited to fake news reports about Gaza. "It could have been about the inauguration, or the economy, or anything that would catch the reader's eye," he says. Users should be wary of forwarded news reports, even when they appear to come from a friend or a legitimate site, he adds.


About the Author(s)


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.
