Posted by: Samker
« on: 09. January 2009., 19:19:11 »

Yesterday morning, the RSA FraudAction Research Lab discovered a social engineering scam designed to lure people, via an email spam attack, to a fake news website designed to look like CNN.com. This “Cease-Fire Trojan Attack” attempts to bait readers leveraging recent news and “graphic and striking” images regarding the Israel-Hamas conflict in Gaza. Today, RSA is initiating the shutdown process to take down this attack.
UPDATE: RSA shut down the attack on the night of January 8th; the domain was hosted in China.
The result of this attack is the infection of computers with a Trojan. The attack began shortly after our discovery and is still being perpetrated. The fake website is designed to look like CNN.com, but is not a legitimate CNN.com webpage nor is it directly associated with CNN, its parent company, or its affiliates in any manner.
The scam is yet another example of how adept fraudsters are in engineering attacks with near real-time response to breaking news. It also underscores the opportunistic nature of fraud purveyors who increasingly prey upon public interest and/or concern regarding national or global events of broad importance (such as the recent global economic crisis or the U.S. presidential election).
This is a call to action for Internet users to remain vigilant and educated regarding the latest online threats. Infection by the Trojan is accomplished via a silent “drive-by-download” infection kit such as Neosploit, or via social engineering. If the Internet user clicks on the link within the email, they are directed to the fake website.
The fake webpage (see above), designed and hosted by the online criminals, is embedded as a link within the spam attack email (see above). This fake webpage includes another link to what appears to be a legitimate video but is actually a form of crimeware. When visitors click on the video, they get an error message asking them to install Adobe Flash Player 10 in order to play the video, and a link is provided. The associated and completely fake download is not a product of Adobe or its affiliates in any way.
The Trojan that is launched when the link to the fake software installation is accessed is called a Trojan “SSL stealer” that captures financial and personal information of the infected user found on their computer. This particular Trojan is not new or a newly advanced piece of crimeware. What is new is the socially engineered application of this Trojan that exploits users concerned about the recent events in Gaza.
The gang behind this Trojan is known, and others have blogged about this gang’s previous attacks (e.g. Fake certificate, Classmates reunion, etc.).
We advise that Internet users be wary of unsolicited emails that ask them for personal information, or entice them to look at something interesting online - even if it seems “normal”, like an email from a friend, financial institution, or a social networking website.
The link within the email (see immediately above) is the fake and fraudulent one – and after clicking the link within the email, the browser will open the fake and fraudulent web page (see further above).
(RSA Security)