Yesterday, at approximately 13:00 UTC, SophosLabs began receiving the first malicious emails targeting those interested in the upcoming United States presidential election.
It’s not really surprising considering the surge in malicious activity we saw during the 2008 presidential election. It even continued for several months after President Obama was elected, probably because the lure worked so well.
The subject line for this spam campaign reads “CNN Breaking News – Mitt Romney Almost President”.
When opened it appears to be a CNN news alert with today’s top stories including the leading “More than 60 percent of votes will be in favor of Mitt Romney.”
Click on the image above for a larger version.
Even if you decide news about the presidential election isn’t your cup of tea, all of the other tantalizing stories promoted in this email link to the same content, but not content on CNN.com.
The machine I was surfing from (Windows 7, Chrome 22, Java 7 Update 7) was not vulnerable to any of the exploits currently deployed in Blackhole, so it resorted to social engineering to get me to infect myself.
I was presented with a page that looks identical to the real Adobe Flash Player download page, except it was hosted on a virtual private server in Maryland, USA.
Without the need for a click it proceeded to download:
I can’t say for sure this functionality is new to Blackhole 2.0, but I have not seen this behavior with older versions of Blackhole.
This could be preparation for the release of Windows 8 and the Modern UI version of Internet Explorer 10, which does not allow plugins like Java and Flash to run.
Why not provide an opportunity for these users to opt-in to being infected too?
If you run the fake update it attempts to connect to a multitude of sites to download a further malicious executable. In my case it downloaded:
Scammers never pass up an opportunity to con people when there is enough public interest in a news topic. If you want the latest dirt on what the campaigns are up to, stick with the “usual suspects” and go directly to their websites.
While it may seem like the news is coming to you via email, Twitter, Facebook and other push technologies, more often than not it is just another scam.
* Mal/EncPk-AGE: the malicious dropper and payload files
Creative Commons photo of Mitt Romney courtesy of Austen Hufford’s Flickr photostream.