
Almost got owned by a fake CNN today. =[

August 6th, 2008

Every few years, a malicious email nearly gets past my years of automatic defenses and skepticism about stuff I get in my inbox. Today, I was one click away from getting owned. I’ll write about it to make sure my readers don’t also fall for the scam.

I got an email in my inbox with the subject line “CNN.com Daily Top 10”. I’m a CNN reader, and I imagine so are a large proportion of Internet users. In the email, there are a bunch of broken images and links that look pretty normal as far as HTML email newsletters go, especially considering that CNN has typically been a couple of years behind the curve.

Email as it appeared in my inbox


The payload wasn’t in the email itself - the email contained links to “Top 10 stories” and “Top 10 videos”, and of course, your eyes skip past all the other stuff to the content, and if you just glance, these look mostly plausible, or at least resemble the schlock that makes up news entertainment these days. The kicker is that the top video is really disturbing - “US Beef Unsafe for Consumption”. If you’ve fallen for everything else so far (again, not a big stretch, there aren’t attachments or weird spam-like bits of language, and the style is on par for the subject), then you’ll click on the link.

This is what you see when you get there. The js pops up after load.


The link takes you to a CNN Video lookalike page with a flash widget which pops up a Flash upgrade request. Again, this is something your average Internet user is used to seeing and consenting to without thinking. If you hit Cancel (which I did, as I often find this annoying enough to give up and not bother watching the video content), then it puts you in a loop with another error message until you hit OK. Internet users are used to poorly written javascript doing this kind of thing, so they might consent as well just to break the loop.

Behaves kinda like an idiotic website bug, so you might ignore this too.


Once you hit OK, if you’re using Firefox it’ll prompt you to download a file called getflashupdate.exe, which looks pretty normal as well.

If you’re like me, you just got here because you’re annoyed and want to jump out of the seemingly benign javascript alert box loop. However, I finally noticed one (of many, to be sure) small clues that revealed the nature of the scam. The URL of the download surely wasn’t CNN’s. Once I hit cancel, the flash widget told me that I was using Flash Player 0.

Flash installers tend to screw up pretty often, so once again the scam tries to imitate known behavior.

Altogether, there were numerous cues that I could have observed at any time to figure out what was happening. For one, the From: email address looked fake. The URLs in the javascript alert boxes were also fake. The URLs for every story in the mail were identical. And I know that I’ve viewed Flash media before without trouble.
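The cues above (a From: address that doesn’t belong to the brand, every story link collapsing to one URL, links that leave the brand’s domain) are mechanical enough to check before you ever click. What follows is an added example, not code from the original post: a small Python script that parses a raw HTML email, pulls out the anchor hrefs and the sender domain, and scores those three patterns. Both sample messages are constructed for the example; example.net and example.org are placeholders for the attacker’s domains, not the ones used in the real campaign, and the cnn.com URLs in the control message are assumptions about what a genuine newsletter looks like.

```python
import re
from collections import Counter
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the lure described in the post: a "Daily Top 10"
# newsletter whose every story link points at one URL on a non-CNN host.
# example.net / example.org are placeholders, not the real campaign's domains.
FAKE_NEWSLETTER = """\
From: CNN Alerts <dailytop10@example.net>
Subject: CNN.com Daily Top 10
Content-Type: text/html; charset=us-ascii

<html><body>
<h2>Top 10 stories</h2>
<a href="http://example.org/cnn/video.php?id=1">Story one</a><br>
<a href="http://example.org/cnn/video.php?id=1">Story two</a><br>
<a href="http://example.org/cnn/video.php?id=1">Story three</a><br>
<h2>Top 10 videos</h2>
<a href="http://example.org/cnn/video.php?id=1">US Beef Unsafe for Consumption</a>
<p><a href="http://www.cnn.com/">cnn.com</a></p>
</body></html>
"""

# Constructed control: what a newsletter actually sent by the brand would look like
# (sender on cnn.com, every story link distinct and on cnn.com). Paths are made up.
LEGIT_NEWSLETTER = """\
From: CNN Alerts <alerts@cnn.com>
Subject: CNN.com Daily Top 10
Content-Type: text/html; charset=us-ascii

<html><body>
<a href="http://www.cnn.com/2008/US/08/06/story-one/">Story one</a><br>
<a href="http://www.cnn.com/2008/US/08/06/story-two/">Story two</a><br>
<a href="http://www.cnn.com/video/#/video/three">Video three</a><br>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects every href found on an <a> tag."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.hrefs


def registrable_domain(host):
    # Crude stand-in for "the domain a user would recognise": the last two labels.
    # Fine for .com/.net/.org; a real filter would consult the public suffix list
    # (assumption: no multi-label suffixes such as co.uk in the input).
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(msg):
    match = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return match.group(1).lower() if match else ""


def analyze_newsletter(raw_message, brand_domain="cnn.com"):
    """Return the post's cues as a dict: sender off-brand, one URL repeated
    across the stories, and links that leave the brand's domain."""
    msg = message_from_string(raw_message)
    links = extract_links(msg.get_payload())  # single-part text/html body
    hosts = [urlparse(u).hostname or "" for u in links]
    counts = Counter(links)
    top_url, top_count = counts.most_common(1)[0] if counts else ("", 0)
    off_brand = sorted({registrable_domain(h) for h in hosts
                        if registrable_domain(h) != brand_domain})
    sender = registrable_domain(sender_domain(msg))
    report = {
        "sender_domain": sender,
        "sender_mismatch": sender != brand_domain,
        "link_count": len(links),
        "top_url": top_url,
        "top_url_share": top_count / len(links) if links else 0.0,
        "off_brand_domains": off_brand,
    }
    # Flag when the sender is off-brand, or at least half of a real-sized link
    # list collapses onto one URL, or any link leaves the brand's domain.
    report["suspicious"] = (report["sender_mismatch"]
                            or (len(links) >= 3 and report["top_url_share"] >= 0.5)
                            or bool(off_brand))
    return report


if __name__ == "__main__":
    for name, raw in (("fake", FAKE_NEWSLETTER), ("legit", LEGIT_NEWSLETTER)):
        print(name, analyze_newsletter(raw))
```

The “every story is the same URL” test is the cheapest of the three and the hardest for a phisher to avoid: a real digest has to link to ten different pages, while a lure only has one landing page to send you to. The domain checks are deliberately crude; the point is that a glance at the hrefs, not the link text, answers the question the author only asked after the alert loop.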

However, for all the cues that were available, the writer of this exploit put in an amount of effort into crafting an authentic-feeling damnit-I-have-to-upgrade-Flash-again experience for an average Internet user that nearly fooled me. If it hadn’t been for my tendency to give up on content rather than install yet another Flash upgrade, I might have been caught hook, line, and sinker.

The owner of the website appears to be Brazilian, and the content looks fairly authentic, so I suspect this is an owned webserver in Brazil being repurposed to distribute a rootkit.

The last time I got nabbed was by the “I Love You” virus, which just happened to come from the name of my favorite Aunt, so it was pretty unlucky for me. Sure, I should have known better, but I’m a human, and we’re all susceptible to these kinds of attacks. I guess every time the attackers advance in their approach, we become better in our defense. It’s just too bad that they’re the ones in the natural position to change where the battlefront lies.


  1. Daniel Raffel
    August 7th, 2008 at 00:31

    I was wondering what this was all about. This email must have been going out like crazy today, Gmail skipped fetching 4 separate copies of this email from one of my domains today.

  2. August 7th, 2008 at 04:45

    I got this yesterday, exact same content but it was a German website. I submitted the malware it was trying to download to virustotal.com, and not many virus scanners detected it.

  3. November 15th, 2008 at 12:31

    I’ve seen a similar one for MSNBC and it was very convincing. So far I’ve only been had once by a fake PayPal but fortunately realized it right away and called them. It’s easy to fall for some of these, they can be really good.
