Last Tuesday, a new spam attack was launched via email. This harmless-looking message claims to contain top 10 lists from CNN.com, but when a user clicks on the link in the email, a pop-up tells the user that they need to install the newest version of Flash to view the list. The pop-up doesn’t allow the option of canceling the installation and instead traps the user into a neverending loop until the frustrated user either closes the browser window or clicks ”install.” Those who click install get to deal with a Trojan horse that contacts another server to get still more malware and install it. The Trojan horse goes by many names, including Cbeplay.a, and security professionals are still having trouble figuring out what malware is indeed installed when the process completes on a user’s system. 

According to security company MX Logic Inc., the spam attack traffic peaked on Thursday, with 11 million messages per hour. Even as the numbers have gone down slightly since then, it’s still in the millions of messages per hour. Security pros say that more than 1,000 hacked sites are hosting the fake Flash update, and they also say that hackers have gotten so cocky that they don’t bother trying to hide the sites they’ve hacked. The latest news is still worse: the spam has mutated since the news of the message first broke, claiming to be a CNN “MY Personal Alert” instead of a top 10 list and linking to several malware sites and filenames instead of just one. Some users even say that they’ve received the spam with subject lines that actually reference real articles on CNN, adding to the legitimacy of the message. The links in the email always lead somewhere that insists on a Flash upgrade, though.

Meanwhile, Adobe Systems Inc., source of the real Flash Player, warned people not to click on anything that didn’t come from Adobe directly. They pointed out that ALL software updates should originate with the company and not with a third-party site, so any questionable links should be avoided. If you want to be sure you’re downloading a real, non-malware update, go to the company’s website directly and look for upgrades to download from there. This may seem like too little, too late in terms of security warnings, but it’s one of those things that seems like a no-brainer to IT people but needs to be said (and said more than once) to the average email user.  

The lesson is the same as we’ve talked about here before, regarding email, phishing and other spam attacks: Don’t click on a suspicious link or URL that you get in your email. Put your mouse over a link to see where it really goes before you click it. Have a healthy dose of skepticism when something you didn’t expect arrives in your inbox. And if all else fails, contact the company that the message claims to come from, just to be sure. Don’t just blindly click whatever you’re sent, or you’ll learn some hard lessons (and get some pretty major headaches in the process).

Sources for this article: IT World, ComputerWorld, Techspot, MX Logic