UPDATED: Hackers believed to be behind the CNN-spam campaign have changed tactics slightly: they are now using messages claiming to be from news network MSNBC.
The best advice for users: be careful what you click. The spoofed MSNBC messages try to entice victims with provocative subject heads, such as “msnbc.com – BREAKING NEWS: McCain told lies to win votes” and “msnbc.com – BREAKING NEWS: Jerry Yang relinquishes control over Yahoo.”
“It has all the hallmarks of the previous attack – with the same delivery (albeit a slightly different disguise), and formatting of the e-mails, and the eventual link directing you to a variant of the same malicious executable download,” said Graham Cluley, senior technology consultant at Sophos. “At one point [on the morning of Aug. 13], the MSNBC spam campaign spiked and equaled the total amount of all spam we were seeing in our traps. In other words, this is a significant attack.”
According to MX Logic, the MSNBC spam follows a massive campaign last week in which spammers impersonated CNN.com and sent out 250 million spam messages in one 24-hour period. The e-mails appeared to include links to CNN’s top 10 stories but actually led victims to rogue Web sites with malicious software.
“So far volumes have been ranging in the 1.5 to 2 million messages per hour range (for the MSNBC spam),” according to information posted yesterday on the MX Logic security blog. “Although nowhere near the peaks that we saw with the CNN outbreak from last week, it also took three days for the CNN spam to reach those volumes.”
According to Cluley, those who click on the link in the MSNBC e-mails are led to a malicious Web page hosting Mal/EncPk-DA, which essentially downloads further malicious code from the Internet. Cluley said a pop-up appears for a fake antivirus package that the attackers try to fool users into getting. The hackers also attempt to trick users into downloading the Mal/EncPk-DA Trojan via a request that they download a video ActiveX object for Adobe Flash Player.
“So far we have seen two variants of these e-mails,” MX Logic reported on its blog. “The first links to a file named up.html at the end of the ‘breakingnews.msnbc.com’ URL which linked to a page that is branded CNN, not MSNBC. This should be an immediate red flag to any user that something is not right. The newer variant…links to msn.html. This page uses the same logo that is on top of the real msnbc.com site and will likely look more legitimate to users.”
UPDATE: This story was updated to reflect that the Trojan Mal/EncPk-DA can be downloaded by accepting the video ActiveX object for Adobe Flash Player mentioned in the MX Logic blog.