This has been a busy week for the news industry and, in turn, a busy week for the malware authors who mimic it. We have seen a steady flow of emails this week carrying malicious links and pretending to come from the news agency CNN. This morning brought yet another, attempting to capitalize on a recent train derailment in Spain. The graphics in each of these campaigns appear to get better with each iteration as these botnet-delivered malfeasants try to trick their readers into clicking on their links.

[Image: CNN10 (screenshot of the CNN-branded lure email)]

All of the links in these emails share the same structure: a compromised domain, a slash, a random word, another slash, and finally index.html, e.g. http://www[.]handmadelifecoaching[.]com/balloted/index[.]html (without the brackets, of course). The compromised domains host redirects that point to JavaScript files hosted on three further domains, for failover purposes, which in turn point to a domain carrying the exploit; that exploit aims to inject malicious code into the victim's kernel. Once it succeeds, the machine is equipped with a new backdoor through which the command and control server can install further malware. The final exploit in this case resides at http://evocarr[.]net/topic/accidentally-results-stay[.]php.

Other attempts by this group this week have used fake headlines about the birth of the Royal Baby, a speech by Obama, Snowden in the Moscow airport, and a supposed quote by Harrison Ford. Not all of them use the CNN graphics, but all of them use some form of CNN.com as the purported sending address, such as mail.cnn.com or bbc.cnn.com. If you receive official news alerts from CNN, be especially careful, as these guys appear to be quick with new material.
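The two indicators the post describes, the `/<random word>/index.html` link shape on a compromised host and a sender address that is some subdomain of cnn.com, can be turned into a simple mail triage rule. The following is an added example written for this article, not code from the original post or from any vendor; the sample messages are constructed, and the `hxxp`/`[.]` defanging of reported URLs is a convention chosen here for safe reporting.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages for this example (not taken from the original post).
SAMPLE_EMAILS = [
    {   # CNN-branded lure using the /<word>/index.html path shape the post describes
        "from": "CNN Breaking News <alerts@mail.cnn.com>",
        "subject": "Train derailment in Spain - live updates",
        "body": "Watch the video: http://www.handmadelifecoaching.com/balloted/index.html",
    },
    {   # Another branded lure: different compromised host, different random word
        "from": "CNN <news@bbc.cnn.com>",
        "subject": "Royal baby: first photos",
        "body": "Full story here http://example-compromised.net/zebra/index.html and more.",
    },
    {   # Benign newsletter: unrelated sender, ordinary article path
        "from": "Newsletter <noreply@example.org>",
        "subject": "Weekly digest",
        "body": "https://example.org/2013/07/weekly-digest.html",
    },
]

# Any http(s) URL up to the next whitespace or quote character.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Exactly one alphabetic path segment followed by index.html, as in the campaign.
LURE_PATH_RE = re.compile(r"^/[A-Za-z]+/index\.html$")


def extract_urls(text):
    return URL_RE.findall(text)


def is_lure_url(url):
    """True when the URL path matches the /<word>/index.html campaign shape."""
    return LURE_PATH_RE.match(urlparse(url).path) is not None


def sender_domain(from_header):
    """Domain part of the address inside <...>, or of the bare address."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header
    return addr.strip().rsplit("@", 1)[-1].lower()


def claims_brand(from_header, brand="cnn.com"):
    """Sender domain is the brand domain or any subdomain of it (mail.cnn.com, bbc.cnn.com)."""
    d = sender_domain(from_header)
    return d == brand or d.endswith("." + brand)


def defang(url):
    """Render a URL so it cannot be clicked when pasted into a report."""
    return (url.replace("https://", "hxxps://")
               .replace("http://", "hxxp://")
               .replace(".", "[.]"))


def triage(email):
    """Classify one message: 'malicious' on a lure URL, 'review' on a brand claim alone."""
    lures = [u for u in extract_urls(email["body"]) if is_lure_url(u)]
    branded = claims_brand(email["from"])
    if lures:
        verdict = "malicious"
    elif branded:
        verdict = "review"   # brand claim without the link shape: check SPF/DKIM by hand
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "branded_sender": branded,
        "lure_urls": [defang(u) for u in lures],
    }


if __name__ == "__main__":
    for msg in SAMPLE_EMAILS:
        print(msg["subject"], "->", triage(msg))
```

The brand check only looks at the domain the sender claims; a genuine CNN alert would also match it, which is why a brand claim on its own yields "review" rather than "malicious". The path regex is deliberately narrow (one alphabetic segment, then index.html) so that ordinary article URLs with dated or multi-segment paths are not flagged.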

[Image: CNN20 (screenshot of a second CNN-branded lure email)]

[Image: cnn30 (screenshot of a third CNN-branded lure email)]

[Image: CNN40 (screenshot of a fourth CNN-branded lure email)]
