Thursday, January 08, 2009

Fake CNN malware attack spins Gaza angle

January 8, 2009 (Computerworld) Hackers have launched a large-scale spam attack masquerading as CNN.com news notifications about the Israeli invasion of Gaza, security researchers said today, in a repeat of a massive campaign last summer that also posed as CNN alerts.

Yesterday morning, RSA Security Inc.'s FraudAction Research Lab spotted the first messages in the new attack, which take advantage of the ongoing conflict in Gaza. Israeli ground forces entered Gaza on Jan. 3 after several days of airstrikes and naval bombardments that began Dec. 27.

The messages, said Sam Curry, vice president of product management at RSA, pose as alerts from the CNN cable news channel, and promise "graphic and striking" images about the conflict in Gaza between Israel and Hamas.

"It starts off with phishing e-mail that tries to look like CNN," said Curry, "and then the social engineering aspect kicks in. The message tries to get you to go to a Web site that looks like CNN.com. There, the [fake] site says you must update to Adobe Acrobat 10." Accepting the download delivers a Trojan horse to the PC instead.

"The Trojan is an 'SSL' stealer," added Curry. "It scrapes the disk and looks for traffic to and from known financial services."

The attack had been prepared weeks in advance, said Curry, and the hackers had only decided in the last several days to hang it on the events in Gaza. The FraudAction Research Labs' usual monitoring of cybercriminal activity, he said, had uncovered talk about an impending attack as much as four weeks ago.

During the interval, the attacks bandied ideas about what current event they would use to bait their attack. "There was some talk about the inaugural [of Barack Obama next week], the economy and massive drops in the Dow," Curry said. "They talked about how the news had to hit a critical threshold."

They eventually selected news of the Israeli attacks in Gaza against Hamas. "The thing is that they're completely apolitical," Curry noted. "They were ready to exploit significant news either way, whether there was a cease fire or an intensification of the conflict.

"It's ghoulish, like ambulance chasing," said Curry.

Other security companies reported the campaign, and said the attack is growing very quickly. MX Logic Inc., for example, said that it had seen a major jump in attack volume today.

Early Thursday, said Sam Massiello, vice president of information security at MX Logic, traffic spiked to a pace of about 80,000 messages per hour. "It peaked this morning, around 10 a.m. Mountain [Standard Time], but it dropped pretty quickly after that," said Massiello. "Now, it's holding steady at around 15,000 to 20,000 messages an hour."

Massiello noted the similarities between the newest attack and one conducted in August 2008, when MX Logic monitored more than 160 million messages in a 48-hour period. So far, the current campaign is much smaller. "It's nowhere near the volume of August," he said. "But remember, it took about three days for that attack to really ramp up."

In a posting to the MX Logic blog earlier today, Massiello listed some of the subject lines that the bogus CNN messages use, including "Hamas launching rocket war after Gaza evacuation," "Hamas Goads Israel into War" and "War in Gaza: while Israel and Hamas fight."

"They're trying to look topical," said RSA's Curry.

ComputerWorld

0 Comments:

Post a Comment

<< Home