"Mitt Romney almost president" - Fake CNN alert leads to Blackhole malware attack

Filed Under: Celebrities, Featured, Malware, Spam, Vulnerability

Yesterday, at approximately 13:00 UTC, SophosLabs began receiving the first malicious emails targeting those interested in the upcoming United States presidential election.

It's not really surprising considering the surge in malicious activity we saw during the 2008 presidential election. It even continued for several months after President Obama was elected, probably because the lure worked so well.

The subject line for this spam campaign reads "CNN Breaking News - Mitt Romney Almost President".

When opened, it appears to be a CNN news alert with today's top stories, headed by "More than 60 percent of votes will be in favor of Mitt Romney."

Fake CNN email linking to malware

Even if you decide news about the presidential election isn't your cup of tea, all of the other tantalizing stories promoted in this email link to the same content, but not content on CNN.com.

The links all follow the standard Blackhole exploit kit formula. The link in the email takes you to a page that directs you to some nasty JavaScript found on other sites controlled by the attackers.
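The giveaway in a lure like this is structural: every "story" in the mail claims to be CNN, yet every link leaves cnn.com and lands on the same redirect host. The script below is an added example (not Sophos code) of how a mail filter or analyst could check for that pattern. It parses the HTML body with the standard library, lists anchors whose target host is outside the claimed domain, and reports whether those links all converge on one host. The sample message is constructed and uses a reserved `.invalid` hostname in place of any real redirect site.

```python
"""Flag lure e-mails whose story links all lead away from the site they claim to be from.

Added example, not code from the post or from Sophos. Assumes the message body is
available as an HTML string; the sample below is constructed.
"""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling the fake CNN alert described in the post.
SAMPLE_HTML = """
<html><body>
<h1>CNN Breaking News</h1>
<p><a href="http://redirect-one.invalid/news.html">More than 60 percent of votes will be in favor of Mitt Romney</a></p>
<p><a href="http://redirect-one.invalid/news.html">Second top story</a></p>
<p><a href="http://redirect-one.invalid/news.html">Third top story</a></p>
<p><a href="http://www.cnn.com/">Visit CNN.com</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercased hostname of a URL, empty string if there is none."""
    return (urlparse(url).hostname or "").lower()


def in_domain(host, domain):
    """True when host is domain itself or a subdomain of it (no suffix tricks)."""
    return host == domain or host.endswith("." + domain)


def analyse_lure(html_body, claimed_domain="cnn.com"):
    """Return a report: off-brand links, the most common target host, and whether they converge.

    Off-brand: href host not under claimed_domain.
    Converges: every off-brand link points at the same host, the pattern the post describes.
    """
    parser = LinkCollector()
    parser.feed(html_body)
    off_brand = [(href, text) for href, text in parser.links
                 if not in_domain(host_of(href), claimed_domain)]
    hosts = Counter(host_of(href) for href, _ in off_brand)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    return {
        "total_links": len(parser.links),
        "off_brand_links": off_brand,
        "top_host": top_host,
        "converges": bool(off_brand) and top_count == len(off_brand),
    }


def verdict(report):
    """Coarse label a mail filter could act on."""
    if report["off_brand_links"] and report["converges"]:
        return "suspicious: all story links lead to one off-brand host"
    if report["off_brand_links"]:
        return "review: some links leave the claimed domain"
    return "clean"


if __name__ == "__main__":
    r = analyse_lure(SAMPLE_HTML)
    print(verdict(r))
    for href, text in r["off_brand_links"]:
        print(f"  {text!r} -> {href}")
```

The domain check deliberately compares hostnames rather than substrings, so a host such as `cnn.com.invalid` does not pass as CNN; the convergence test is what separates a mail with one stray tracking link from a lure where every headline funnels into the same redirect.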

Blackhole HTML redirects

The machine I was surfing from (Windows 7, Chrome 22, Java 7 Update 7) was not vulnerable to any of the exploits currently deployed in Blackhole, so it resorted to social engineering to get me to infect myself.

I was presented with a page that looks identical to the real Adobe Flash Player download page, except it was hosted on a virtual private server in Maryland, USA.

Fake Adobe download page served by Blackhole exploit kit

Without the need for a click, it proceeded to download:

update_flash_player.exe
SHA1: 875e224c014b2f2ebe9841944becc5dd0e774f61

I can't say for sure this functionality is new to Blackhole 2.0, but I have not seen this behavior with older versions of Blackhole.

This could be preparation for the release of Windows 8 and the Modern UI version of Internet Explorer 10, which does not allow plugins like Java and Flash to run.

Why not provide an opportunity for these users to opt-in to being infected too?

If you run the fake update, it attempts to connect to a multitude of sites to download a further malicious executable. In my case it downloaded:

e1Vemf.exe
SHA1: ba90b002f5dd5dbd640cf39e9646d614e5f2ea83
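The two SHA-1 values above are the indicators a responder would sweep download folders for. The script below is an added example (not Sophos code) that hashes every file under a directory in streamed chunks, matches the result against the hashes quoted in this post, and separately flags any `.exe` whose name mimics a Flash Player update even when its hash is unknown. The filename heuristic and the default scan path are my own assumptions, not anything the post states.

```python
"""Hash files and match them against the SHA-1 indicators published in the post.

Added example, not code from the post or from Sophos. The two SHA-1 values come
from the post; the "Flash update" filename heuristic is an assumption of mine.
"""
import hashlib
import os
import re

# Indicators quoted in the post (SHA-1 hex, lowercase).
KNOWN_BAD_SHA1 = {
    "875e224c014b2f2ebe9841944becc5dd0e774f61": "update_flash_player.exe (fake Flash update dropper)",
    "ba90b002f5dd5dbd640cf39e9646d614e5f2ea83": "e1Vemf.exe (second-stage payload)",
}

# Assumed heuristic: an .exe named like a Flash updater sitting in a download
# folder deserves a look even when its hash is not on the list.
FLASH_UPDATE_NAME = re.compile(r"^(update[_-]?)?flash[_-]?player.*\.exe$", re.IGNORECASE)


def sha1_of_bytes(data):
    """SHA-1 hex digest of an in-memory byte string."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file in chunks so large downloads need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(name, sha1_hex):
    """Return (level, reason) for one file given its name and SHA-1 hex digest."""
    sha1_hex = sha1_hex.lower()
    if sha1_hex in KNOWN_BAD_SHA1:
        return "match", KNOWN_BAD_SHA1[sha1_hex]
    if FLASH_UPDATE_NAME.match(name):
        return "suspicious", "filename mimics a Flash Player update"
    return "clean", ""


def scan_directory(root):
    """Walk root and return (path, level, reason) for every file that is not clean."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                level, reason = classify(name, sha1_of_file(path))
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if level != "clean":
                findings.append((path, level, reason))
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, level, reason in scan_directory(target):
        print(f"[{level}] {path}: {reason}")
```

Hash matches are exact, so this catches only the two samples named here; the filename check is the looser net for the same lure re-packed with a different payload, and anything it flags still needs a look in a sandbox before being called malicious.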

Scammers never pass up an opportunity to con people when there is enough public interest in a news topic. If you want the latest dirt on what the campaigns are up to, stick with the "usual suspects" and go directly to their websites.

While it may seem like the news is coming to you via email, Twitter, Facebook and other push technologies, more often than not it is just another scam.


Sophos Anti-Virus on all platforms detects and blocks the various components of this malware as follows:

* Mal/JSRedir-H: the JavaScript redirect on the malicious web page
* Mal/EncPk-AGE: the malicious dropper and payload files

Creative Commons photo of Mitt Romney courtesy of Austen Hufford's Flickr photostream.


6 Responses to "Mitt Romney almost president" - Fake CNN alert leads to Blackhole malware attack

  1. Romney isn't fit to be president, nor CEO of any company in the US.

    • Ted · 678 days ago

      You're missing the point of the article. Quit wasting people's time posting drivel.

  2. Joe · 679 days ago

    I had heard IE 10 is going to also allow Flash.

    • Chester Wisniewski · 666 days ago

      There are two versions of IE 10 in Windows 8. One has Flash restricted to a short list of authorized sites while the "Desktop" version will support Flash as normal.

  3. Richard · 673 days ago

    There is another subtle giveaway in the fake Adobe Flash update page ... according to your screenshot it is offering version number 11.2.181.25. The current version sequence is 11.4.402.xxx.

    • Gary Coltharp · 671 days ago

      In fairness to the malware coders, who can possibly keep up with the endless updates to Flash and Adobe Reader?


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.