
As so many other sites have called it, the news you don’t want…

August 15th, 2008 Comments off

Those who work in IT already know (or at least they should already know) about the waves of spam pretending to be from legitimate news sites such as CNN, BBC, or MSNBC. These messages look real, the news in them might even sound real (although some of them have bad grammar), but they are malicious.

The current iteration has a subject line starting with “msnbc.com – BREAKING NEWS”. If you get these messages, just delete them. Don’t click on anything in the messages, just get rid of them. Hopefully your spam filters are catching them, but if not, DELETE!

The ones pretending to be from CNN had subject lines that were similar or said Top10 ______. Again, delete these.

Some of these messages would open a pop-up if you viewed the message claiming that you needed to install something to view the news. DO NOT INSTALL. In fact, don’t click on the pop-up at all. Instead, immediately delete the message. The pop-up will go away.

If you click Cancel on the pop-up, you're stuck. Once you activate that pop-up by clicking, you are stuck in a loop of clicking the X button to close it or clicking Cancel, neither of which works. At this point, you need to reboot. NEVER CLICK THE OK.

For those in IT, you may want to consider an IDS signature that watches for downloads of adobe_flash.exe. If your organization has a SIEM product, I’d also recommend going a step further and configuring it to alert any time that IDS signature triggers, and have it also email your security team.

For instance, create a Snort signature to look for HTTP GET requests for adobe_flash.exe. Number your signature 10000001. Now, from here I’d go to the SIEM, say Intellitactics Security Manager, and configure alerting for this signature.

I would create a correlation for this that simply watches for my new Snort signature ID number and creates an alert for each one of them it sees. I would have that correlation give the alert a priority of 99 (I want to make sure they get attention quickly). Also, have the correlation set a unique alert id. Let’s use 99000001.

From there, I would configure Alert Notifications and set up an email notification. I would make the notification look for the unique alert id 99000001 and generate an email for every one of the alerts (the hope is there won't be a lot of these).

Now you're logging what's happening with your IDS and passing those logs to the SIEM for long-term storage, near real-time correlation, and investigation.
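Putting the three steps together, as an added example that is not from the original post: the Snort rule for step one, and a small Python stand-in for the SIEM correlation and notification steps (Intellitactics' own configuration is done in its console, so the `correlate` and `notifications` functions, the fast-alert regex, and the sample alert lines are constructed assumptions for illustration). It runs over constructed Snort fast-alert output and emits one priority-99 alert with id 99000001, and one email, per hit on SID 10000001.

```python
import re

# Step 1: Snort rule for HTTP GET requests for adobe_flash.exe, numbered 10000001.
# Assumes Snort 2.x content modifiers and the usual snort.conf variables.
SNORT_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"LOCAL fake news spam payload adobe_flash.exe download"; '
    'flow:to_server,established; content:"GET "; depth:4; '
    'content:"adobe_flash.exe"; http_uri; nocase; '
    'classtype:trojan-activity; sid:10000001; rev:1;)'
)

WATCH_SID, ALERT_ID, ALERT_PRIORITY = 10000001, 99000001, 99

# Snort "fast" alert line: ts [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+"
)

def correlate(alert_lines):
    """Step 2 (hypothetical stand-in for the SIEM correlation): one alert, priority 99,
    unique id 99000001, for every IDS event carrying the watched SID."""
    alerts = []
    for line in alert_lines:
        m = FAST_ALERT.match(line)
        if m and int(m["sid"]) == WATCH_SID:
            alerts.append({"alert_id": ALERT_ID, "priority": ALERT_PRIORITY, "sid": WATCH_SID,
                           "src": m["src"], "dst": m["dst"], "ts": m["ts"]})
    return alerts

def notifications(alerts, recipients):
    """Step 3 (hypothetical stand-in for Alert Notifications): one email per alert with the unique id."""
    return [{"to": recipients,
             "subject": f"[P{a['priority']}] alert {a['alert_id']}: sid {a['sid']} "
                        f"{a['src']} -> {a['dst']} at {a['ts']}"}
            for a in alerts if a["alert_id"] == ALERT_ID]

# Constructed sample Snort fast-alert output (documentation addresses, not real hosts).
SAMPLE_ALERTS = [
    "08/15-10:01:22.123456 [**] [1:10000001:1] LOCAL fake news spam payload adobe_flash.exe download [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:51234 -> 203.0.113.7:80",
    "08/15-10:01:25.000001 [**] [1:1000002:1] LOCAL unrelated test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.7:80 -> 10.0.0.5:51234",
    "08/15-10:04:10.555555 [**] [1:10000001:1] LOCAL fake news spam payload adobe_flash.exe download [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.9:49152 -> 198.51.100.2:80",
]

if __name__ == "__main__":
    for n in notifications(correlate(SAMPLE_ALERTS), ["security-team@example.com"]):
        print(n["subject"])
```

The unrelated SID in the middle line is ignored, which is the point of keying the correlation on the signature number rather than on the message text.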