How to spot fake Adobe Flash downloads?
Posted by Mario Vuksan on Mon, Aug 11, 2008
I've been wondering what's up with all the "CNN Top 10 News" spam. I was happy to read that someone has spent the time investigating it.
It turns out that compelling headlines led victims to infected web sites which, not surprisingly, prompted them to install an infected Flash player. So far, not very exciting.
What strikes me is the following: isn't Flash just a perfect ruse? There are multiple versions of it: Flash, Shockwave, Flex, AIR, plus several retired players. Not all require a free new player to view content, but they all build a complacency that says: if it claims to be Flash and seems benign, just install it and be done with it.
So as a security professional, you scream gotcha. The installer was most likely not signed, and if signed, it was not signed by Adobe Inc, as that would certainly have made all the news outlets at the same time. It was a user mistake, hence not so exciting. Social trickery takes advantage of unsophisticated users, which makes this a laughable matter, a not very sophisticated attack.
Yet we are dealing with very fair questions. How many people know that Flash is made by Adobe? Wasn't it made by Macromedia until not so long ago? How many people understand why Flash is installing in the first place? How many people know what Adobe is? How does an average person know for sure what should really be installed on their machines and what not?
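The signature check mentioned above (installer unsigned, or signed by someone other than the expected vendor), as an added PowerShell example that is not part of the original post. The function name `Test-InstallerPublisher` is hypothetical, and the expected publisher string is an assumption the reader supplies from a known-good copy of the vendor's installer.

```powershell
# Added example: classify a downloaded installer by its Authenticode signature.
# Test-InstallerPublisher is a hypothetical helper name. $ExpectedPublisher is
# an assumption supplied by the caller, taken from a known-good vendor installer.
function Test-InstallerPublisher {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedPublisher
    )

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Case 1: the file carries no signature at all.
    if ($sig.Status -eq 'NotSigned') {
        return [pscustomobject]@{ Path = $Path; Verdict = 'Unsigned'; Signer = $null }
    }

    # Pull the signer's common name from the signing certificate, if present.
    $signer = $null
    if ($sig.SignerCertificate) {
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signer   = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    }

    # Case 2: a signature exists but does not verify (file modified after
    # signing, untrusted chain, and so on). The signer name cannot be trusted.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Verdict = "Invalid ($($sig.Status))"; Signer = $signer }
    }

    # Case 3: the signature verifies, but it belongs to some other publisher.
    if ($signer -ne $ExpectedPublisher) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'WrongPublisher'; Signer = $signer }
    }

    # Case 4: valid signature from the expected publisher.
    [pscustomobject]@{ Path = $Path; Verdict = 'Matches'; Signer = $signer }
}

# Usage: review every executable in the Downloads folder before running it.
# $publisher = '<publisher name from a known-good installer>'
# Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe |
#     ForEach-Object { Test-InstallerPublisher -Path $_.FullName -ExpectedPublisher $publisher }
```

A `Matches` verdict only says who signed the file; it does not answer the question of whether that software belongs on the machine in the first place.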