Online Fraudsters Prey Upon the Media and Public Interest in Current Events to Launch "Cease-Fire Trojan Attack"

UPDATE: Late on Friday night, January 9, the RSA FraudAction Research Lab detected that the gang of fraudsters responsible for the Cease-Fire Trojan Attack had registered five new domains and then spammed a new wave of the scam email pointing to the fake CNN news webpage, complete with five newly designed URLs. The Lab acted quickly and shut down this second Cease-Fire Trojan Attack early Saturday morning, within a period of four hours.

Yesterday morning (January 7) the RSA FraudAction Research Lab discovered a social engineering
scam designed to lure people, via an email spam attack, to a fake
news website designed to look like CNN.com. This “Cease-Fire Trojan
Attack” attempts to bait readers leveraging recent news and “graphic
and striking” images regarding the Israel-Hamas conflict in Gaza. Today,
RSA is initiating the shutdown process to take down this attack.

UPDATE: RSA shut down the attack on the night of January 8; the domain was hosted in China.

The result of this attack is the infection of computers with a Trojan. The
attack began shortly after our discovery and is still being perpetrated. The
fake website is designed to look like CNN.com, but it is not a legitimate
CNN.com webpage, nor is it directly associated with CNN, its parent company,
or its affiliates in any manner.

The scam is yet another example of how adept fraudsters are in engineering
attacks with near real-time response to breaking news. It also underscores
the opportunistic nature of fraud purveyors who increasingly prey upon public
interest and/or concern regarding national or global events of broad importance
(such as the recent global economic crisis or the U.S. presidential election). 

This is a call to action for Internet users to remain vigilant and educated
regarding the latest online threats. Infection by the Trojan is accomplished
via a silent “drive-by-download” infection kit such as Neosploit,
or via social engineering. If the Internet user clicks on the link within the
email, they are directed to the fake website. 

The fake webpage (see below), designed and hosted
by the online criminals, is embedded as a link within the spam attack email
(see below). This fake webpage includes another link to what appears
to be a legitimate video but is actually a form of crimeware. When visitors
click on the video, they get an error message asking them to install Adobe
Flash Player 10 in order to play the video, and a link is provided. The
associated and completely fake download is not a product of Adobe
or its affiliates in any way.
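The lure described above has two observable stages on a network: a request to a host that borrows the CNN name without being cnn.com, followed by an executable that calls itself a Flash Player installer but is not served from adobe.com. The script below is an added example, not code from RSA or from this post, showing how a defender could flag both stages in outbound proxy logs and turn the hits into a host block list. The log lines, the `.example` hostnames, the small brand allowlist and the two-label approximation of a registrable domain are all constructed assumptions for the demonstration.

```python
"""Flag proxy-log requests that match the fake-news-site / fake-Flash-installer lure pattern."""
from typing import Dict, List
from urllib.parse import urlsplit

# Brands the lure impersonates, mapped to the registrable domains that really belong to them.
# Assumption: a tiny allowlist like this is enough for the demonstration; production
# deployments would use a maintained brand/domain list.
BRAND_DOMAINS: Dict[str, set] = {
    "cnn": {"cnn.com"},
    "adobe": {"adobe.com"},
}
INSTALLER_SUFFIXES = (".exe", ".msi")

# Constructed sample log: "<timestamp> <client_ip> <method> <url>" (not real traffic).
SAMPLE_LOG = [
    "2009-01-08T09:12:01 10.0.0.15 GET http://www.cnn.com/2009/WORLD/meast/01/08/gaza/index.html",
    "2009-01-08T09:13:44 10.0.0.15 GET http://cnn.breaking-news-video.example/gaza/ceasefire.html",
    "2009-01-08T09:13:59 10.0.0.15 GET http://cnn.breaking-news-video.example/get_flash_player10.exe",
    "2009-01-08T09:20:10 10.0.0.22 GET http://get.adobe.com/flashplayer/",
    "2009-01-08T09:21:00 10.0.0.31 GET http://cdn.example/static/adobe_flash_player_10_setup.exe",
]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: ignores multi-label public
    suffixes such as co.uk; use a public-suffix library for real deployments."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str) -> List[str]:
    """Return the reasons a single URL looks like part of the lure (empty list if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return []
    reasons = []
    labels = host.split(".")
    reg = registrable_domain(host)

    # Stage 1: a brand name appears inside the hostname, but the host is not
    # the brand's own registrable domain (e.g. "cnn" inside a look-alike host).
    for brand, genuine in BRAND_DOMAINS.items():
        if any(brand in label for label in labels) and reg not in genuine:
            reasons.append(f"lookalike host for {brand}")

    # Stage 2: an executable presenting itself as a Flash Player installer is
    # fetched from a host that does not belong to Adobe.
    filename = parts.path.rsplit("/", 1)[-1].lower()
    if (filename.endswith(INSTALLER_SUFFIXES) and "flash" in filename
            and reg not in BRAND_DOMAINS["adobe"]):
        reasons.append("flash installer from non-Adobe host")
    return reasons


def scan_log(lines: List[str]) -> List[dict]:
    """Run check_url over every log line; one finding per (line, reason)."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip rather than crash the sweep
        url = fields[3]
        for reason in check_url(url):
            findings.append({"line": lineno, "reason": reason, "url": url})
    return findings


def hosts_to_block(findings: List[dict]) -> List[str]:
    """Distinct hostnames from the findings, suitable for a resolver or proxy block list."""
    return sorted({urlsplit(f["url"]).hostname for f in findings})


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(f"line {hit['line']}: {hit['reason']}: {hit['url']}")
    print("block:", ", ".join(hosts_to_block(hits)))
```

Note that the genuine `www.cnn.com` and `get.adobe.com` requests produce no findings, while the look-alike host is flagged twice (once for the page, once for the installer) and the installer hosted on an unrelated CDN is still caught by the second rule even though its hostname borrows no brand name.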
 

The Trojan that is launched when the link to the fake software installation
is accessed is a so-called “SSL stealer” that captures financial
and personal information of the infected user found on their computer. This
particular Trojan is not new, nor is it a newly advanced piece of crimeware. What is new
is the socially engineered application of this Trojan, which exploits users concerned
about the recent events in Gaza.

The gang behind this Trojan is known, and others have blogged about this gang’s
previous attacks (e.g. Fake certificate, Classmates reunion, etc.).
 
We advise that Internet users be wary of unsolicited emails that ask them for
personal information, or entice them to look at something interesting online
– even if it seems “normal”, like an email from a friend, financial
institution, or a social networking website.

The link within the email (see immediately below) is the fake and fraudulent
one – and after clicking the link within the email, the browser will
open the fake and fraudulent web page (see further below).

CNN Image 1

CNN image 2

5 Responses to “Online Fraudsters Prey Upon the Media and Public Interest in Current Events to Launch "Cease-Fire Trojan Attack"”

  1. Sam Curry says:

    The orthogonal nature of this attack and its “down-stream” behavior

    Some of the elements of the Cease-Fire Attack Trojan, as with many things, have been seen before; but the combination is unique. The biggest is the “orthogonal” nature of the attack itself. It’s quite common to have a “parallel” attack: the incoming vector uses the same brand and connotative space as the fake site (e.g. someone spoofs an eBay email for an eBay credential or PayPal or a bank or anyone). In this case, someone has fraudulently created a fake CNN website to get to the financial credentials, by-passing some users’ “internal alarms” when they get something from a source they know is sensitive. We at RSA were able to spot this “up-stream” and “down-stream”, so I think we actually saw this before everyone else. To add some color to this, I need to define three “areas” in which this might be detected:
    1. Traditional detection: this is where the AV vendors and malware samplers look (and we have partnerships with companies there for that element, and I’ve been a malware researcher, so this “traditional” method is well understood)
    2. Then we have what I’ll call “up-stream” which is where the network detectors and anti-phishing companies (of which RSA is one) can see the phishing emails in the wild.
    3. Finally, we have the “down-stream” possible detectors: those who see the “cash-out” of a Trojan
    So what did we do at RSA? Well, we saw the “down-stream” behavior getting ready to execute. They were expecting an influx of victims, were talking and debating it and were discussing the test runs and launch criteria. I hope this adds a little light to how we discovered the attack.

  2. Adlai says:

    Identity of SSL stealer trojan

    Since the blog states that the trojan is not a new piece of malware, do you guys know what the antivirus vendors (like Symantec) detect the SSL stealer trojan as?

  3. RSA FraudAction Research Labs says:

    Response to Identity of SSL stealer trojan

    The Cease-Fire Trojan is a piece of malware so the anti-virus companies do not detect it. The ecosystem for the delivery of the malware, harvesting of the information it collects, and cashing out to monetize the stolen credentials is a much bigger problem than malware itself. However, in this case, we were able to detect the Trojan very early and shut it down each of the two times it was launched.

    We always advise that you contact your anti-virus vendor to inquire about the latest advancements in online protection as this is not a specific part of the RSA business.

    - RSA FraudAction Research Lab

  4. stunder says:

    Do you think we can actually see the URL? I would like to blackhole it so that no one in my network can go to it.

  5. RSA FraudAction Research Labs says:

    Response

    We sometimes blur the addresses of malicious website URLs in order to prevent consumers from accessing infected websites, either intentionally or unintentionally. Also, as soon as RSA shuts down attacks, the URLs are no longer valid. We value the security and privacy of everyone, even though what we blur out makes it even more interesting.

    - RSA FraudAction Research Lab
