For nearly the past 24 hours we have been seeing a wave of malicious spam purporting to come from cnn.com. It has long been a common tactic for spammers to use hot news headlines to give their campaigns an appearance of legitimacy and to pique the interest of recipients. Over the past 24 hours we have been monitoring emails that appear to be news alerts from CNN. The campaign is currently exploiting public interest in the news headlines about the new Pope, as well as news of a recent plane crash in Indiana. What caught my eye about this particular campaign, aside from the high volume of messages, was just how well presented the messages are.
Can you tell the difference between the real and the fake messages?
The first two messages are part of the malicious email campaign that we have been monitoring, and the third message is a real email news alert (which I sent to myself) from cnn.com. As you can see, the messages are nearly identical. Given that many people use their email as a news feed from CNN, these messages could blend in almost perfectly with the real thing. So, if you receive CNN news alerts by email, exercise extreme caution when viewing them over the next few days. For someone who is in the habit of receiving these, the spammers' infection success rate could be very high.
The links in the malicious emails lead to any one of the 30+ malicious web pages that are currently serving to infect your machine with a variant of the malware family known as Cridex. Once you visit the malicious website and the infection occurs, the malware goes to work quickly. We observed the malware hiding itself in common running processes, deleting the original dropper, modifying browser settings, and adding itself to startup locations. Cridex is known to carry a high likelihood of propagation via multiple methods. In addition to spreading itself further, Cridex also opens a “backdoor” on your machine through which additional malware can be installed. This often leads to the exfiltration of your personal data, such as bank account credentials and other login information.
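Because the fake alerts look nearly identical to the real ones, the most reliable tell for a mail filter is not the layout but where the links go: a message claiming to be from cnn.com whose links point somewhere else. The following is an added example, not code from the original post or from any vendor's filter, of that check in Python using only the standard library. The two sample messages are constructed for this example (the malicious link host `alerts-update.example-malicious.invalid` is a placeholder, not a real indicator from the campaign), and the `ALLOWED_LINK_DOMAINS` mapping is an assumption that a real deployment would tune to the domains a legitimate sender actually links to.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains a legitimate alert from the given sender domain may link to.
# A production filter would extend this with the sender's known tracking/CDN domains.
ALLOWED_LINK_DOMAINS = {
    "cnn.com": {"cnn.com"},
}


class _LinkExtractor(HTMLParser):
    """Collects href values from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.links.append(value)


def registered_domain(host):
    """Crude registrable-domain reduction (last two labels): www.cnn.com -> cnn.com.
    Good enough for this example; a real filter would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_links(raw_message):
    """Return every URL found in the text/html and text/plain parts of a raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            parser = _LinkExtractor()
            parser.feed(part.get_content())
            links.extend(parser.links)
        elif ctype == "text/plain":
            for token in part.get_content().split():
                if token.startswith(("http://", "https://")):
                    links.append(token.rstrip(".,;)"))
    return links


def check_message(raw_message):
    """Flag a message whose links leave the domain set allowed for its claimed sender."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    claimed = registered_domain(addr.rpartition("@")[2]) if "@" in addr else ""
    allowed = ALLOWED_LINK_DOMAINS.get(claimed, {claimed})
    mismatched = []
    for link in extract_links(raw_message):
        host = urlparse(link).hostname
        if host and registered_domain(host) not in allowed:
            mismatched.append(link)
    return {"claimed_domain": claimed, "mismatched_links": mismatched,
            "suspicious": bool(mismatched)}


# Constructed sample: a lookalike alert whose "full story" link leaves cnn.com.
FAKE_ALERT = """From: CNN Breaking News <breakingnews@mail.cnn.com>
Subject: CNN Breaking News
Content-Type: text/html; charset="us-ascii"

<html><body><p>Full story: <a href="http://alerts-update.example-malicious.invalid/story.php">Read more</a></p></body></html>
"""

# Constructed sample: a plain-text alert whose link stays on cnn.com.
REAL_ALERT = """From: CNN Breaking News <breakingnews@mail.cnn.com>
Subject: CNN Breaking News
Content-Type: text/plain; charset="us-ascii"

Full story: https://www.cnn.com/2013/03/14/world/story.html
"""

if __name__ == "__main__":
    for label, raw in (("fake", FAKE_ALERT), ("real", REAL_ALERT)):
        print(label, check_message(raw))
```

The check deliberately ignores the display name and the visible link text, both of which the spammer controls and copies from the real alerts; it keys only on the sender address domain and the link hosts, which is where this campaign diverges from the genuine feed. Expect false positives from newsletters that route clicks through a tracking domain, which is why the allowlist is per sender rather than a bare equality test.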
At one point we were seeing these messages coming in at a rate of over 2,000 messages per minute. As of 9am (CST) we have quarantined over 2.5 million of them. Of course, all of our customers' inboxes are protected from this threat.