“Mitt Romney almost president” – Fake CNN alert leads to Blackhole malware attack

Creative Commons photo of Mitt Romney courtesy of Austen Hufford's Flickr photostreamYesterday, at approximately 13:00 UTC, SophosLabs began receiving the first malicious emails targeting those interested in the upcoming United States presidential election.

It’s not really surprising considering the surge in malicious activity we saw during the 2008 presidential election. It even continued for several months after President Obama was elected, probably because the lure worked so well.

The subject line for this spam campaign reads “CNN Breaking News – Mitt Romney Almost President”.

When opened it appears to be a CNN news alert with today’s top stories including the leading “More than 60 percent of votes will be in favor of Mitt Romney.”

Fake CNN email linking to malware. Click for a larger version

Click on the image above for a larger version.

Even if you decide news about the presidential election isn’t your cup of tea, all of the other tantalizing stories promoted in this email link to the same content, but not content on CNN.com.

The links all follow the standard Blackhole exploit kit formula. The link in the email takes you to a page that directs you to some nasty JavaScript found on other sites controlled by the attackers.

Blackhole HTML redirects

The machine I was surfing from (Windows 7, Chrome 22, Java 7 Update 7) was not vulnerable to any of the exploits currently deployed in Blackhole, so it resorted to social engineering to get me to infect myself.

I was presented with a page that looks identical to the real Adobe Flash Player download page, except it was hosted on a virtual private server in Maryland, USA.

Fake Adobe download page served by Blackhole exploit kit

Without the need for a click it proceeded to download:

update_flash_player.exe
SHA1: 875e224c014b2f2ebe9841944becc5dd0e774f61

I can’t say for sure this functionality is new to Blackhole 2.0, but I have not seen this behavior with older versions of Blackhole.

This could be preparation for the release of Windows 8 and the Modern UI version of Internet Explorer 10, which does not allow plugins like Java and Flash to run.

Why not provide an opportunity for these users to opt-in to being infected too?

If you run the fake update it attempts to connect to a multitude of sites to download a further malicious executable. In my case it downloaded:

e1Vemf.exe
SHA1: ba90b002f5dd5dbd640cf39e9646d614e5f2ea83

Scammers never pass up an opportunity to con people when there is enough public interest in a news topic. If you want the latest dirt on what the campaigns are up to, stick with the “usual suspects” and go directly to their websites.

While it may seem like the news is coming to you via email, Twitter, Facebook and other push technologies, more often than not it is just another scam.


Sophos Anti-Virus on all platforms detects and blocks the various components of this malware as follows:

* Mal/JSRedir-H: the JavaScript redirect on the malicious web page
* Mal/EncPk-AGE: the malicious dropper and payload files

Creative Commons photo of Mitt Romney courtesy of Austen Hufford’s Flickr photostream.