convincing spam from CNN

bobpullen
Community Gaffer
Posts: 16,904
Thanks: 5,012
Fixes: 316
Registered: 04-04-2007

Re: new convincing spam from CNN

So what do we think guys? Should we start marking the X-PSTN-Xfilter: y mails as spam in our Exim config?
Out of interest, what would peoples' thoughts be if we were to move away from Postini and try another spam solution?

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

Dev
Rising Star
Posts: 227
Thanks: 6
Fixes: 1
Registered: 01-08-2007

Re: new convincing spam from CNN

Massive faux-CNN spam blitz uses legit sites to deliver fake Flash
More than 1,000 hacked sites serving up phony update; Adobe issues warning
Gregg Keizer
August 6, 2008 (Computerworld) More than a thousand hacked Web sites are serving up fake Flash Player software to users duped into clicking on links in mail that's part of a massive spam attack masquerading as CNN.com news notifications, security researchers said today.
The bogus messages, which claim to be from the CNN.com news Web site, include links to what are supposedly the day's Top 10 news stories and Top 10 news video clips from the cable network. Clicking on any of those links, however, brings up a dialog that says an incorrect version of Flash Player has been detected and that tells users they needed to update to a newer edition, said Sam Masiello, vice president of information security at Denver-based security company MX Logic Inc.
One distinguishing feature of the attack, Masiello added, is the endless loop it uses to frustrate victims. If a user clicks "Cancel" in the dialog that prompts for an update, another pop-up appears, said Masiello, that tells the victim that they have to download it to view the video. Clicking "Cancel" there returns the user to the first dialog.
"It puts you in this perpetual loop, so your only options are to kill your browser [session] or be browbeaten into installing it," said Masiello.
MX Logic has detected more than 160 million spam messages in the fake CNN.com attack in the past 48 hours, he said. "It's not slowed down at all," Masiello said.
Yesterday, Bulgarian security researcher Dancho Danchev reported finding more than 1,000 hacked sites hosting the fake Flash Player update.
Hackers are getting brazen and apparently aren't afraid to disclose the addresses of the sites they've compromised by embedding them in the spam they're spreading, he said. "Malicious attackers have been building so much confidence in this risk-forwarding process of hosting their campaigns, that they would start actively spamming the links residing within low-profile legitimate sites across the Web," Danchev said in a blog post on Tuesday.
Adobe Systems Inc. is aware of the malware posing as its Flash Player, and on Monday it warned users to ignore any updates that didn't originate on its own servers. "Do not download Flash Player from a site other than Adobe.com," said David Lenoe, the company's product security program manager, in an entry on Adobe Product Security Incident Response Team's PSIRT blog. "This goes for any piece of software (Reader, Windows Media Player, QuickTime, etc.) -- if you get a notice to update, it's not a bad idea to go directly to the site of the software vendor and download the update directly from the source. If the download is from an unfamiliar URL or an IP address, you should be suspicious."
People who approved the download of the bogus flash.exe file instead received a Trojan horse -- identified by multiple names, including Cbeplay.a -- that in turn "phones home" to a malicious server to grab and install additional malware, said Danchev.
Masiello said MX Logic is still investigating, and it has not been able to pin down what malware -- other than the fake Flash Player -- was actually installed on victims' PCs.

http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9111858
Anotherone
Champion
Posts: 19,107
Thanks: 457
Fixes: 21
Registered: 31-08-2007

Re: new convincing spam from CNN

@Bob
I have to say moving away from Postini might be the best thing. I've seen no improvement since April; things seemed OK from about mid-Jan to the start of April, then got worse. But as I haven't been analysing things in any depth like mikeb and others, that is only my gut instinct, based on my experience with the levels of spam I've had, which is small in comparison to others, and the many similar situations that others have posted here on the forum.
godsell4
Rising Star
Posts: 3,366
Thanks: 15
Registered: 06-04-2007

Re: new convincing spam from CNN

Quote from: Bob
Out of interest, what would peoples' thoughts be if we were to move away from Postini and try another spam solution?

That would be a knee-jerk reaction and a bad choice. This is not a Postini problem; as I said, my Postini account through my employer is blocking all of these, so the reason these messages are being delivered to PN users is a PN self-inflicted problem. Let's address that problem, shall we?
SW.
--
3Mb FTTC
https://portal.plus.net/my.html?action=data_transfer_speed
Mad_Moggies
Rising Star
Posts: 1,286
Thanks: 43
Registered: 01-08-2007

Re: new convincing spam from CNN

Quote from: spraxyt
Thanks, that's useful information.
Are you able to run the filter retrospectively on your Mac Mail Inbox to check if you have any older (legitimate) mail with the Xfilter header?
David

I've now 'forced' Mail to check all my inboxes/mailboxes on my computer and the filter caught nothing else.
Personally I'd be happy for anything marked 'X-Pstn-Xfilter: y' to be directed to our Spam folders. Enough legitimate stuff gets marked Spam 1 and gets sent there after all, and I can whitelist any genuine addresses if I wish.
Plusnet user since November 2003
Full Fibre since September 2023
Mac OS14 and Firefox user with latest versions of both
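Bob's question above (flag anything carrying `X-PSTN-Xfilter: y` as spam in the Exim config) and spraxyt's suggestion of running the filter retrospectively over existing legitimate mail are, taken together, a small header-based classification rule plus a false-positive check. The following is an added example written for this thread; it is not Plusnet's Exim configuration or anything posted by the people in the thread. The header name is the one quoted in the thread; the sample messages, addresses and folder names are constructed.

```python
"""Flag mail carrying the Postini 'X-PSTN-Xfilter: y' header and test the
rule retrospectively against known-good mail.

Added example for this thread, not Plusnet's Exim configuration.  The sample
messages below are constructed; the only real detail is the header name.
"""
import email
from email import policy

XFILTER_HEADER = "X-PSTN-Xfilter"  # header name is matched case-insensitively


def is_xfiltered(raw: str) -> bool:
    """True if the message carries X-PSTN-Xfilter with the value 'y'.

    The email parser treats header names case-insensitively, so
    'X-Pstn-Xfilter: y' (the spelling seen in Mail) matches too.  A missing
    header, or any other value such as 'n', is not flagged.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    value = msg.get(XFILTER_HEADER)
    return value is not None and value.strip().lower() == "y"


def route(raw: str) -> str:
    """Folder the rule would file this message into (names are constructed)."""
    return "Spam" if is_xfiltered(raw) else "Inbox"


def flag_mailbox(mailbox: dict) -> dict:
    """Apply the rule to every message; returns {name: flagged?}."""
    return {name: is_xfiltered(raw) for name, raw in mailbox.items()}


def retrospective_check(mailbox: dict, known_good: set) -> list:
    """Names of known-good messages the rule would misfile as spam.

    This is the check spraxyt asked for: run the filter over mail you already
    know is legitimate before switching the rule on globally.
    """
    flagged = flag_mailbox(mailbox)
    return sorted(name for name in known_good if flagged.get(name))


# Constructed sample mailbox (not real messages from the thread).
SAMPLES = {
    "cnn_spam": (
        "From: CNN Alerts <alerts@example.invalid>\n"
        "To: user@example.invalid\n"
        "Subject: CNN.com Daily Top 10\n"
        "X-Pstn-Xfilter: y\n"
        "\n"
        "Click to view today's top stories.\n"
    ),
    "invoice": (
        "From: supplier@example.invalid\n"
        "To: user@example.invalid\n"
        "Subject: Invoice 1234\n"
        "\n"
        "Please find the invoice attached.\n"
    ),
    "newsletter": (
        "From: news@example.invalid\n"
        "To: user@example.invalid\n"
        "Subject: Weekly newsletter\n"
        "X-PSTN-Xfilter: n\n"
        "\n"
        "This week's news.\n"
    ),
    "mislabelled_ham": (
        "From: friend@example.invalid\n"
        "To: user@example.invalid\n"
        "Subject: Re: weekend\n"
        "X-PSTN-Xfilter: y\n"
        "\n"
        "See you Saturday.\n"
    ),
}
KNOWN_GOOD = {"invoice", "newsletter", "mislabelled_ham"}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16} -> {route(raw)}")
    print("would be misfiled:", retrospective_check(SAMPLES, KNOWN_GOOD))
```

The `mislabelled_ham` sample is there to show what the retrospective check is for: a header rule is only as good as the upstream filter that sets the header, so measuring how much known-good mail already carries `y` tells you the false-positive cost before the rule goes live. In Exim the same condition would be a test on the `$h_X-PSTN-Xfilter:` expansion variable in a system filter or router condition; that is an assumption about how it would be wired, not something the thread shows. One further caveat for any header-based rule: it should only be trusted if the header is guaranteed to have been added by your own gateway (i.e. mail that did not pass through Postini cannot arrive with it already set).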
Loombucket
Grafter
Posts: 314
Registered: 09-06-2007

Re: new convincing spam from CNN

I second godsell4 - please do not move away from Postini, it has been extremely effective and has dramatically improved the spam situation with all my customers.  The level of false positives is extremely low and normally confined to what most people would define as spam anyway (Special Offers, Sales-led newsletters and similar marketing drivel).
Please Plusnet, fix the problem where it appertains to you - Postini itself is fine.
Mad_Moggies
Rising Star
Posts: 1,286
Thanks: 43
Registered: 01-08-2007

Re: new convincing spam from CNN

Echoed.
Shame that unsubscribable stuff gets marked spam because people are too lazy to unsubscribe, but I can live with that. Postini seems to remove most, if not all, of the real rubbish we used to get.
Plusnet user since November 2003
Full Fibre since September 2023
Mac OS14 and Firefox user with latest versions of both
bobp
Grafter
Posts: 71
Registered: 29-06-2007

Re: new convincing spam from CNN

And I also second that (or third it). I have fewer problems since Postini than before, and some of the problems seem to have been a result of Plusnet wanting to fiddle with things. Sometimes this was a result of Plusnet being too responsive to a few of its members.
bobp
pierre_pierre
Grafter
Posts: 19,757
Thanks: 3
Registered: 30-07-2007

Re: new convincing spam from CNN

Does anyone know how to set up the filter on Thunderbird to look at headers? It seems a bit deficient in parts (I am using it in IMAP to prefilter) and then download to OE.
Tigger
Rising Star
Posts: 219
Thanks: 11
Registered: 12-06-2007

Re: new convincing spam from CNN

Have to say that before Postini, I had about 1000 Spam sitting in my Spam folder. Now I have about 160. There are very few false positives or negatives.
At work, I have an Orange account. Despite their Spam filtering, I get more Spam than genuine e-mails in my Inbox, mostly (for some strange reason) with French headers.
Although I have to say, they are now identifying the CNN ones as Spam. What Plusnet needs to be able to do is block an obvious, newly identified attack by the words in the header immediately.
I've not forgotten last Xmas, when a sustained attack suddenly blitzed our Inboxes
(see e.g. http://community.plus.net/forum/index.php/topic,58788.0.html).
I am still querying why it is worth reporting wrongly identified Spam / Not Spam, as it is clear that Plusnet are unable to actually do anything except open discussions with Postini.
zubel
Community Veteran
Posts: 3,793
Thanks: 4
Registered: 08-06-2007

Re: new convincing spam from CNN

Bob,
I think treating the X-pstn-xfilter: y header as spam is a good idea. I've not had any false positives as yet, and it's been 100% successful in identifying the latest batch of CNN spam.
We're now at a situation where Postini is performing adequately, and this change will allow Plusnet to mirror Postini's fast reactions with a global pattern match rule.  I think that you should be looking at alternatives all the time but now is not the appropriate time to jump ship without properly testing alternatives.
B.
driveconsultant
Grafter
Posts: 164
Registered: 03-08-2007

Re: new convincing spam from CNN

I don't think Postini should be ditched as a knee-jerk reaction unless there is something better. It is very good at detecting spam, but I have had a LOT of false positives. I now have over 100 entries in my white lists and I am still adding more even now. Adding to the lists is a clumsy and time-consuming process. I don't understand why Postini is so poor at passing on mails from genuine list addresses; it seems to be biased against mails going to multiple recipients. Even some mails from subscribers to my own PlusNet mailing lists get caught as spam sometimes.
It just needs a few tweaks, please sort it out.....
BTW I am still getting the CNN mails today, lots of them.
Gimpy
Grafter
Posts: 33
Registered: 06-08-2007

Re: new convincing spam from CNN

Any idea when plusnet is going to own up to their complete and utter lack of care for customer service?
I left plusnet around a year ago (after almost 10 years) but kept my email account. I'm now with adsl24 and have a uni based email address, neither of which has had a single instance of this new email and very rarely do I ever get spam from them. There isn't a day goes by that I don't receive spam through plusnet.
I don't care what methods plusnet uses to remove spam, the fact is, it should just do it.

ps. I received 2 instances of this email while typing this message.
2 seconds later... 5 more!
Bookman
Grafter
Posts: 269
Thanks: 1
Registered: 02-08-2007

Re: new convincing spam from CNN

When PN were thinking about using an external service to help stop spam I mentioned on the forum that my previous ISP (Demon, if I'm allowed to mention another ISP here) used such a service. I think I had the name then but can't remember it now. That service seemed perfect from my point of view. I got no spam and I never knowingly lost a genuine email. Yet I was running a small home business and had to receive customers' and suppliers' emails from all over the world, from both individuals and companies. PN said the service was too expensive. I have to admit that my PN account is a lot cheaper than the one at the other ISP, but I wonder how much extra it would cost per account to use that better service?
cameron
Grafter
Posts: 27
Registered: 09-04-2008

Re: new convincing spam from CNN

I was so relieved to find this thread, as this Daily Top Ten, which seems to be increasing to hundreds, is flooding my email.
I thought there might be some way of blocking the header, as obviously it comes from loads of different addresses. But apparently not.
I did not risk allowing it into Outlook.
It has happened the last 3 or 4 days.
Recently I have been pretty free of spam - there is no other spam getting through.
So I felt that this might be a new phenomenon and a sinister one.
I use CNN regularly so I knew they would not send this type of email.
Whoever is doing it has big ideas.
I hope it gets stopped soon.
Before I came here I spent some time getting muddled with Plusnet email help -
Glad I came here. We need to be updated about this sort of thing because people are at serious risk from it.
Cameron