by Barracuda Labs
Barracuda Labs has found compromised sites in the wild which present unwary visitors with an official-looking Adobe Flash update page. Even though this page looks convincing, downloading this ‘update’ only provides the user with a nasty piece of malware that McAfee currently classifies as Downloader-CEW.f.
We recommend getting Adobe Flash updates directly from the source – http://get.adobe.com/flashplayer.
How it happens
Performing a quick search for a breaking news topic, such as LeBron James opening his own Twitter account, starts the process. Searching for “LeBron James Twitter” gives the highlighted result a rank of 62.
Clicking on the highlighted result sends the user directly to the fake upgrade page. Note that the actual domain is registered in the Cocos Islands. Also note that the dialog offers Adobe Flash Player 11, while (at this writing) the current version of Flash is 10.1.
Another sign that this dialog box is bad news is that none of the buttons close the dialog. Clicking either “Cancel” or “Details” only produces a prompt imploring the user to click “Ok” (which is not the name of any button). Only “Continue” offers the user a path forward, and it leads to a Windows Security Warning dialog for the downloaded file.
If the user does run the file, it downloads a background clicker that uses the victim’s Internet connection to generate fake Internet traffic. While this activity goes on unseen, additional scamware and spyware programs are downloaded, as seen below.
The unsuspecting user can be compromised in no time, which is why it is recommended to get Adobe Flash updates directly from the source.
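As an added defender’s example (not code from the Barracuda post), the following Python check runs over constructed proxy-log lines and flags Flash installer downloads that are either not served from adobe.com or advertise a version newer than the current release, the two tells described above; the log layout, client addresses and hostnames are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed proxy-log sample (timestamp client method url status type); the
# format and the hosts are assumptions for this example, not from the post.
SAMPLE_LOG = """\
2010-07-08T14:02:40 10.0.0.5 GET http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe 200 application/octet-stream
2010-07-08T14:05:03 10.0.0.9 GET http://flash-update.example.cc/flash/install_flash_player_11.exe 200 application/octet-stream
2010-07-08T14:06:17 10.0.0.9 GET http://flash-update.example.cc/flash/player.html 200 text/html
"""
CURRENT_FLASH_MAJOR = 10           # current Flash release at the time of the post
TRUSTED_SUFFIXES = ("adobe.com",)  # the official source the post recommends
INSTALLER_EXTS = (".exe", ".msi")
VERSION_RE = re.compile(r"flash[_\- ]?player[_\-]?(\d+)", re.IGNORECASE)

def is_trusted_host(host):
    # adobe.com and its subdomains only; a look-alike such as notadobe.com fails
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def claimed_flash_major(path):
    # Major version embedded in an installer name, e.g. ..._11.exe -> 11
    m = VERSION_RE.search(path)
    return int(m.group(1)) if m else None

def suspicious_flash_downloads(log_text):
    # One finding per Flash-installer fetch that is not served by Adobe or
    # that advertises a version newer than the current release.
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        parsed = urlparse(url)
        path = parsed.path.lower()
        if "flash" not in path or not path.endswith(INSTALLER_EXTS):
            continue
        reasons = []
        if not is_trusted_host(parsed.hostname or ""):
            reasons.append("installer not served from adobe.com")
        major = claimed_flash_major(path)
        if major is not None and major > CURRENT_FLASH_MAJOR:
            reasons.append("claims Flash %d, current is %d" % (major, CURRENT_FLASH_MAJOR))
        if reasons:
            findings.append({"time": ts, "client": client,
                             "host": parsed.hostname, "reasons": reasons})
    return findings
```

Running it over the sample flags only the `.cc` download, with both reasons attached, while the genuine fetch from `fpdownload.adobe.com` passes.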
Barracuda Web Filter and Barracuda Purewire Web Security Service customers are protected from these attacks.