Yesterday, at approximately 13:00 UTC, SophosLabs began receiving the first malicious emails targeting those interested in the upcoming United States presidential election.
It’s not really surprising considering the surge in malicious activity we saw during the 2008 presidential election. It even continued for several months after President Obama was elected, probably because the lure worked so well.
The subject line for this spam campaign reads “CNN Breaking News – Mitt Romney Almost President”.
When opened, it appears to be a CNN news alert with today’s top stories, including the leading “More than 60 percent of votes will be in favor of Mitt Romney.”
Even if you decide news about the presidential election isn’t your cup of tea, all of the other tantalizing stories promoted in this email link to the same content, but not content on CNN.com.
The links all follow the standard Blackhole exploit kit formula. The link in the email takes you to a page that directs you to some nasty JavaScript found on other sites controlled by the attackers.
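As an added illustration (not part of the original post), a small Python check for the tell-tale pattern just described: a mail dressed up as a CNN alert in which every headline links to the same address, and that address is not on cnn.com. The sample mail bodies and the example.invalid host are constructed placeholders, not values from the campaign.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect every http(s) href from the <a> tags in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value and value.lower().startswith(("http://", "https://")):
                self.hrefs.append(value)


def analyze_links(html, claimed_domain):
    """Summarise where the links in a mail branded as claimed_domain really go."""
    collector = LinkCollector()
    collector.feed(html)
    targets = Counter(collector.hrefs)
    hosts = {(urlparse(h).hostname or "").lower() for h in collector.hrefs}
    off_brand = sorted(h for h in hosts
                       if h != claimed_domain and not h.endswith("." + claimed_domain))
    return {"link_count": len(collector.hrefs),
            "distinct_targets": len(targets),
            "off_brand_hosts": off_brand}


def is_lure(report):
    """Flag a mail whose many 'stories' all collapse onto one off-brand URL."""
    return (report["link_count"] > 1 and report["distinct_targets"] == 1
            and bool(report["off_brand_hosts"]))


# Constructed sample modelled on the fake CNN alert described in the post;
# example.invalid is a placeholder for the attacker-controlled redirect page.
FAKE_ALERT = """<h1>CNN Breaking News</h1>
<a href="http://example.invalid/news.html">Mitt Romney Almost President</a>
<a href="http://example.invalid/news.html">60 percent of votes for Romney</a>
<a href="http://example.invalid/news.html">Weather update</a>
<a href="mailto:alerts@example.invalid">Unsubscribe</a>"""

# Constructed benign sample: every story links back to the brand's own site.
REAL_ALERT = """<a href="http://www.cnn.com/story1">Story one</a>
<a href="http://www.cnn.com/story2">Story two</a>"""
```

The same check generalises to any branded lure: swap the claimed domain for the brand the mail pretends to come from.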
The machine I was surfing from (Windows 7, Chrome 22, Java 7 Update 7) was not vulnerable to any of the exploits currently deployed in Blackhole, so it resorted to social engineering to get me to infect myself.
I was presented with a page that looks identical to the real Adobe Flash Player download page, except it was hosted on a virtual private server in Maryland, USA.
Without the need for a click, it proceeded to download:
SHA1: 875e224c014b2f2ebe9841944becc5dd0e774f61
I can’t say for sure this functionality is new to Blackhole 2.0, but I have not seen this behavior with older versions of Blackhole.
This could be preparation for the release of Windows 8 and the Modern UI version of Internet Explorer 10, which does not allow plugins like Java and Flash to run.
Why not provide an opportunity for these users to opt-in to being infected too?
If you run the fake update it attempts to connect to a multitude of sites to download a further malicious executable. In my case it downloaded:
SHA1: ba90b002f5dd5dbd640cf39e9646d614e5f2ea83
Scammers never pass up an opportunity to con people when there is enough public interest in a news topic. If you want the latest dirt on what the campaigns are up to, stick with the “usual suspects” and go directly to their websites.
While it may seem like the news is coming to you via email, Twitter, Facebook and other push technologies, more often than not it is just another scam.
Sophos detection names for the components involved:
* Mal/JSRedir-H: the JavaScript redirect on the malicious web page
* Mal/EncPk-AGE: the malicious dropper and payload files
Creative Commons photo of Mitt Romney courtesy of Austen Hufford’s Flickr photostream.
Romney isn't fit to be president, nor CEO of any company in the US.
You're missing the point of the article. Quit wasting people's time posting drivel.
I had heard IE 10 is going to also allow Flash.
There are two versions of IE 10 in Windows 8. One has Flash restricted to a short list of authorized sites while the “Desktop” version will support Flash as normal.
There is another subtle giveaway in the fake Adobe Flash update page … according to your screenshot it is offering version number 11.2.181.25. The current version sequence is 11.4.402.xxx.
In fairness to the malware coders, who can possibly keep up with the endless updates to Flash and Adobe Reader?