
CNN phishers trawl for victims

 
Old 08-11-2008

Many of us have seen a slew of spams over the past week or so claiming to be a new service from CNN giving links to top 10 stories. Here's one I received today:

Image
These are spams associated with malware-infecting websites. Someone is trawling the Internet for gullible victims.

To those of us who are sufficiently alert and aware, there are several warning signs. Since you are interested enough in information security to be reading this blog, I doubt you need the hints but anyway I've numbered the clues in the email above (needless to say, the spammer didn't provide the numbers!):
1. The sender's address (which varies between messages) is not from CNN.com
2. The email is undated, meaning that the sender probably did not use a standard email program.
3. The same message has been sent to numerous To: addresses.
4. Numerous messages have been sent with the same or similar subject lines.
5. There's a "hook" - made-up stories specifically designed to phool victims into clicking the link.
6. The links don't point to CNN.com but strange-looking URLs for (in this case at least) a domain belonging to the Czech Republic.
7. The entire reason for the emails is dubious. I never agreed to receive emails from CNN. Why would a legitimate company such as CNN suddenly send loads of spam messages to its contacts?

Some of us infosec professionals will have read some technical analysis of the Storm botnets sending the spams, the malicious websites and the Trojan e.g. from SANS' excellent Internet Storm Center daily security diary/blog. A few of us will have been involved in deconstructing the attacks and maybe improving the automated controls to prevent them. The best will also have prepared and released suitable security awareness advice to their colleagues. If you are slick about it, live incidents like this one make good awareness copy.

Unfortunately, to those who are not sufficiently alert and aware, the emails appear to be an interesting new service from CNN, so they click the links ...

  • The lucky ones have adequate malware defenses which identify the linked websites as dangerous and either block access or trap the Trojans as they are downloaded onto the users' PCs.
  • The unlucky ones get infected by malware and lose days trying to undo the damage.
  • The really unlucky ones don't even realise they have been hit and remain oblivious to the malware on their machines. Who knows what it is doing? Capturing login credentials, stealing their contact lists, trashing files, sending out zillions of CNN spams ...
The problem of naive/unaware users was brought home to me as I read CNN's press release on this incident. The press release itself is straightforward enough, albeit sanitized by CNN's Legal and PR Departments (essentially: 'It's not us. It's not our fault. Be careful') but the readers' comments that follow it are telling, a little glimpse of the Real World™, of life outside the hallowed realm of CISSP-land.

There are tales of woe from victims who fell for the scam, and complaints that CNN didn't react quickly enough or stop this happening (although how they are supposed to have stopped it remains unsaid). Some readers have tried to help others by giving "advice" on how they avoided the scam, although some of the advice is misguided at best (e.g. one recommends "If you want to virtually eliminate spyware/malware, just switch to Linux, and dump Windoze...", and another says "I believe that beheading is the appropriate punishment for spamming."). Proof, as if proof were needed, of the value of professional information security training and certifications such as, ahem, CISSP.

Kind regards,
Gary

Gary Hinson
Passionate about security awareness
www.NoticeBored.com Creative awareness materials
www.ISO27001security.com ISO/IEC 27000 standards
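
Clues 1, 2, 3 and 6 from the list in the post can be checked mechanically by a mail filter or a triage script. The following is an added example, not part of the original post: the sample message, its addresses and hosts are constructed placeholders, and the function names and sign labels are hypothetical.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Constructed sample message (hosts and addresses are placeholders).
SAMPLE = """\
From: "CNN Alerts" <news@mail.example.net>
To: a@example.org, b@example.org, c@example.org
Subject: CNN.com Daily Top 10
Content-Type: text/html

<a href="http://top10.cz.example/story.html">1. Top story</a>
<a href="http://www.cnn.com/privacy">Privacy policy</a>
"""

def in_domain(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def warning_signs(raw, brand="cnn.com"):
    """Return the clues from the post that can be checked mechanically."""
    msg = message_from_string(raw)
    signs = []
    # Clue 1: sender's address is not at the claimed brand.
    addr = parseaddr(msg.get("From", ""))[1]
    if not in_domain(addr.rpartition("@")[2], brand):
        signs.append("sender-not-brand")
    # Clue 2: no Date header.
    if msg.get("Date") is None:
        signs.append("no-date-header")
    # Clue 3: one message addressed to several To: recipients.
    if len(getaddresses(msg.get_all("To", []))) > 1:
        signs.append("many-recipients")
    # Clue 6: links that lead somewhere other than the brand's domain.
    body = "".join(
        (p.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for p in msg.walk() if not p.is_multipart())
    hosts = {urlparse(u).hostname
             for u in re.findall(r'href=["\']([^"\']+)', body, re.I)}
    off = sorted(h for h in hosts if h and not in_domain(h, brand))
    if off:
        signs.append("off-brand-links:" + ",".join(off))
    return signs

if __name__ == "__main__":
    for sign in warning_signs(SAMPLE):
        print(sign)
```

The suffix match in `in_domain` requires a leading dot, so a lookalike host such as `cnn.com.top10.example` is still reported as off-brand.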

