A lot of people trust CNN when it comes to news, but that’s the real CNN. This one looks believably like it’s from CNN, but it’s not:
Figure 1. Sample of the spammed email message
It’s a malicious spammed email message using the popular broadcast network in its social engineering technique. CNN has always been one of spammers’ favorite baits. Just last week, the CNN logo was used to disseminate fake news about al Qaeda.
This recent spam run looks fairly legit, it even comes with a tag line (“More videos. More news. More people saying: I just saw it in CNN.com”) in the footer area, perhaps to make it appear that the email is pushing a genuine CNN campaign.
Clicking links in the email, of course, leads to malware. Users should be wary of the following redirections that this spam’s click trail leads to:
Figure 2. Download page 1
Figure 3. Download page 2
Users are redirected to the pages above. Yesterday, we found plenty of links with the string “cnnvideo.html” tailing the ends of the download URLs (see Figure 2). Today, we’re seeing plenty ending with “/news/” (see Figure 3).
Both varieties though, appear to point to the download of the same file, get_flash_update.exe, in order to view the videos referred to in the spammed email. Trend Micro detects the file downloaded as TROJ_TIBS.CSZ. This malware downloads two other malicious files detected as TROJ_RENOS.AGU and TROJ_MUTANT.EW.
“They just keep making the pages more and more CNN-looking,” quips Threats Analyst Joey Costoya, one of the TrendLabs researchers investigating this incident. And true enough, as the spammers hone their copycat skills, more malware are probably going to be delivered elsewhere. As of this writing, we have collected more than a hundred URLs related to this attack.
The Trend Micro Content Security team has already blocked this variety of CNN spam. Users are still cautioned never to trust unsolicited email messages. Adobe has also released an advisory warning users of fake installers: the safest way to verify these is to download them directly from the site of the software vendor itself.