Online Fraudsters Prey Upon the Media and Public Interest in Current Events to Launch "Cease-Fire Trojan Attack"
Topics: Online Fraud, Fraudsters, Phishing
UPDATE: Late on Friday night, January 9, the RSA FraudAction Research Lab detected that the gang of fraudsters responsible for the Cease-Fire Trojan Attack had registered five new domains and spammed a new wave of the scam email, pointing to the fake CNN news webpage through five newly designed URLs. The Lab acted quickly and shut down this second Cease-Fire Trojan Attack early Saturday morning, within four hours.

Yesterday morning (January 7) the RSA FraudAction Research Lab discovered a social engineering scam designed to lure people, via an email spam attack, to a fake news website designed to look like CNN.com. This “Cease-Fire Trojan Attack” attempts to bait readers by leveraging recent news and “graphic and striking” images of the Israel-Hamas conflict in Gaza. Today, RSA is initiating the shutdown process to take down this attack.

UPDATE: RSA shut down the attack on the night of January 8; the domain was hosted in China.

The result of this attack is the infection of computers with a Trojan. The attack began shortly after our discovery and is still being perpetrated. The fake website is designed to look like CNN.com, but it is not a legitimate CNN.com webpage, nor is it directly associated with CNN, its parent company, or its affiliates in any manner. The scam is yet another example of how adept fraudsters are at engineering attacks with near real-time response to breaking news. It also underscores the opportunistic nature of fraud purveyors, who increasingly prey upon public interest and/or concern regarding national or global events of broad importance (such as the recent global economic crisis or the U.S. presidential election). This is a call to action for Internet users to remain vigilant and educated regarding the latest online threats. Infection by the Trojan is accomplished either via a silent “drive-by-download” infection kit such as Neosploit, or via social engineering.
If the Internet user clicks on the link within the email, they are directed to the fake website. The fake webpage (see below), designed and hosted by the online criminals, is embedded as a link within the spam attack email (see below). This fake webpage includes another link to what appears to be a legitimate video but is actually a form of crimeware. When visitors click on the video, they get an error message asking them to install Adobe Flash Player 10 in order to play the video, and a link is provided. The associated and completely fake download is not a product of Adobe or its affiliates in any way. The Trojan that is launched when the link to the fake software installation is accessed is a so-called “SSL stealer” Trojan that captures financial and personal information of the infected user found on their computer. This particular Trojan is not new, nor is it a newly advanced piece of crimeware. What is new is the socially engineered application of this Trojan, which exploits users concerned about the recent events in Gaza. The gang behind this Trojan is known, and others have blogged about this gang’s previous attacks (e.g. Fake certificate, Classmates reunion, etc.). The link within the email (see immediately below) is the fake and fraudulent one; after clicking the link within the email, the browser opens the fake and fraudulent web page (see further below).
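The attack chain described above (brand-lookalike news page, then a fake “Flash Player” download from the same untrusted domain) leaves a recognisable trace in an organisation's web-proxy logs. The following is an added example written for this post, not RSA's own tooling or detection logic: it scans constructed proxy log lines for hostnames that carry a brand name (CNN, Adobe) outside the brand's legitimate domain and for player-style executables served from non-Adobe hosts, then turns the hits into sinkhole entries. All hostnames, paths and timestamps in the sample log are constructed placeholders; they are not the attack's real URLs, which the post deliberately does not publish.

```python
"""Flag brand-lookalike lure URLs and fake player downloads in proxy logs.

Added example for this post; the sample log below is constructed and the
hostnames are placeholders (.example.invalid), not the real attack domains.
"""
import re
from urllib.parse import urlparse

# Brands the lure impersonates, mapped to the registrable domains that own them.
# Assumption: a brand name in a hostname outside these domains is a lookalike.
LEGIT_DOMAINS = {
    "cnn": {"cnn.com"},
    "adobe": {"adobe.com"},
}

# Executable names a social-engineering lure typically presents as a player update.
FAKE_PLAYER_RE = re.compile(r"(flash|adobe)[-_]?player.*\.(exe|scr|msi)$", re.I)

# Constructed sample: "<timestamp> <client_ip> <method> <url>" per line.
SAMPLE_PROXY_LOG = """\
2009-01-07T09:12:01 10.0.0.5 GET http://www.cnn.com/2009/WORLD/meast/01/07/gaza.html
2009-01-07T09:12:44 10.0.0.5 GET http://cnn-news.example.invalid/ceasefire/video.html
2009-01-07T09:13:02 10.0.0.5 GET http://cnn-news.example.invalid/player/Adobe_Flash_Player10.exe
2009-01-07T09:14:10 10.0.0.9 GET http://www.adobe.com/downloads/install_flash_player.exe
2009-01-07T09:15:33 10.0.0.9 GET http://files.example.invalid/flash-player-update.exe
"""


def registrable_domain(host):
    """Last two labels of a hostname (good enough for .com-style names)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_url(url):
    """Return the findings for one URL; an empty list means nothing suspicious."""
    findings = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reg = registrable_domain(host)
    # Brand string present in the hostname but not under the brand's own domain.
    for brand, legit in LEGIT_DOMAINS.items():
        if brand in host and reg not in legit:
            findings.append(f"lookalike:{brand}")
    # A "player" executable offered from a host Adobe does not own.
    filename = parsed.path.rsplit("/", 1)[-1]
    if FAKE_PLAYER_RE.search(filename) and reg not in LEGIT_DOMAINS["adobe"]:
        findings.append("fake-player-download")
    return findings


def scan_proxy_log(log_text):
    """Parse the constructed log format; return (client, url, findings) per hit."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # malformed line; skip rather than crash the scan
        _ts, client, _method, url = fields
        findings = classify_url(url)
        if findings:
            hits.append((client, url, findings))
    return hits


def blocklist(hits):
    """Distinct hostnames from the hits, sorted, ready to sinkhole."""
    return sorted({urlparse(url).hostname for _client, url, _f in hits})


def hosts_file_lines(hostnames, sink="0.0.0.0"):
    """hosts-file style sinkhole entries (one way to blackhole on a small network)."""
    return [f"{sink} {host}" for host in hostnames]


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG)
    for client, url, findings in found:
        print(f"{client} {url} -> {', '.join(findings)}")
    print("\n".join(hosts_file_lines(blocklist(found))))
```

The brand check is a substring match, so it will also flag legitimate third-party domains that happen to contain a brand name; in practice it belongs behind an allowlist of known-good domains and is a triage signal, not an automatic block. The second hit in the sample (the same lookalike host serving an `.exe` named after Flash Player) is the two-stage pattern the post describes and is the one worth alerting on by itself.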
Comments

The orthogonal nature of this attack and its "down-stream" behavior
Some of the elements of the Cease-Fire Attack Trojan, as with many things, have been seen before; but the combination is unique. The biggest is the “orthogonal” nature of the attack itself. It’s quite common to have a “parallel” attack: the incoming vector uses the same brand and connotative space as the fake site (e.g. someone spoofs an eBay email for an eBay credential, or PayPal or a bank or anyone). In this case, someone has fraudulently created a fake CNN website to get to the financial credentials, by-passing some users’ “internal alarms” that go off when they get something from a source they know is sensitive. We at RSA were able to spot this “up-stream” and “down-stream”, so I think we actually saw this before everyone else. To add some color to this, I need to define three “areas” in which this might be detected:
So what did we do at RSA? Well, we saw the “down-stream” behavior getting ready to execute. They were expecting an influx of victims, were talking and debating it and were discussing the test runs and launch criteria. I hope this adds a little light to how we discovered the attack. - Sam Curry
Identity of SSL stealer trojan Since the blog states that the trojan is not a new piece of malware, do you guys know what the antivirus vendors (like Symantec) detect the SSL stealer trojan as? - Adlai
Response to Identity of SSL stealer trojan The Cease-Fire Trojan is a piece of malware so the anti-virus companies do not detect it. The ecosystem for the delivery of the malware, harvesting of the information it collects, and cashing out to monetize the stolen credentials is a much bigger problem than the malware itself. However, in this case, we were able to detect the Trojan very early and shut it down each of the two times it was launched. We always advise that you contact your anti-virus vendor to inquire about the latest advancements in online protection, as this is not a specific part of the RSA business. - RSA FraudAction Research Lab
Online Fraudsters Prey Upon the Media and Public Interest in Current Events to Launch Cease-Fire Trojan Attack Do you think we can actually see the URL? I would like to blackhole it so that no one in my network can go to it. - stunder@gmal.com
Response to Online Fraudsters Prey Upon the Media and Public Interest in Current Events to Launch Cease-Fire Trojan Attack We sometimes blur the addresses of malicious website URLs in order to prevent consumers from accessing infected websites, either intentionally or unintentionally. Also, as soon as RSA shuts down attacks, the URLs are no longer valid. We value the security and privacy of everyone, even though what we blur out makes it even more interesting. - RSA FraudAction Research Lab