    - Sender: admin | Comments add

    Bogus alerts purporting to be from CNN are luring victims to over 1,000 hacked websites pushing fake, malware-infested Flash Player software, Internet security watchdogs have warned.

    The alerts, which pretend to have been sent by CNN, are spam that lures users to more than 1,000 hacked websites.

    The spam emails contain links to what are claimed to be CNN’s Top 10 news stories and video clips.

    However, clicking on any link launches a dialogue saying that the user has an obsolete version of Flash Player and needs to download an updated version, according to Sam Masiello, VP of MX Logic, a Denver security company.

    MX Logic detected more than 160 million fake CNN spam messages transmitted within 48 hours earlier this week.

    The dialogue goes into an endless loop if the user clicks the “Cancel” button to disallow the update, forcing victims to either kill their browser session or accept the download, he said.

    If the user accepts the download of the fake Flash Player update, they do not get an updated version of Flash Player. Instead they receive a Trojan known by any of several names, including Cbeplay.a, which then “phones home” to a malicious server to download and install yet more malware, according to Bulgarian security researcher Dancho Danchev.

    On Tuesday, Danchev reported having discovered more than 1,000 hacked websites hosting the fake Flash Player malware.

    Adobe is aware of the malware masquerading as a Flash Player update, and it has warned users in a company security blog entry not to download updated versions of Adobe software from anywhere other than its own website.

    - Sender: admin | Comments add

    Security researcher Dan Kaminsky has delivered his much-anticipated report on the DNS flaw he discovered earlier this year.

    Kaminsky explained to a crowd at the Black Hat conference in Las Vegas that the flaw he uncovered could be used for attacks far more complex and sinister than just phishing operations.

    The researcher began his presentation with an update on the patching operation. He noted that hundreds of millions of users have been protected through updates by vendors and ISPs, and the majority of Fortune 500 companies had deployed patches for their servers as well.

    The vulnerability centers around the way the domain name system looks up the information that links the domain names in URLs to IP addresses. In short, the flaw allows an attacker to “poison” a given DNS server and redirect traffic to a malicious site.

    The vulnerability has mostly been discussed for its possible use in phishing attacks. However, Kaminsky warned that it could also be used to compromise mail servers, allowing the attacker to intercept and redirect messages.

    Kaminsky also admitted that the suggested solution to the problem, randomizing the source port, may not be a permanent solution. He said that the solution is more of a “stopgap” to stave off attacks until a better defense system can be developed.
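A defender-side check for the source-port randomization described above, as an added example that is not from the original article or from Kaminsky's presentation: it rates the UDP source ports seen on a resolver's outbound queries and estimates how many bits an off-path spoofer would have to match. The function name, the cut-off values and the sample ports are assumptions constructed for illustration.

```python
import math
from collections import Counter

TXID_BITS = 16  # the DNS transaction ID is a 16-bit header field

def assess_source_ports(ports):
    """Rate UDP source ports observed, in order, on a resolver's outbound queries."""
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    # Share of the most common step between consecutive queries: a dominant
    # step (0 = fixed port, 1 = counter) makes the next port predictable.
    step_share = Counter(deltas).most_common(1)[0][1] / len(deltas)
    mean = sum(ports) / len(ports)
    stddev = math.sqrt(sum((p - mean) ** 2 for p in ports) / len(ports))
    if len(set(ports)) == 1:
        verdict = "fixed"
    elif step_share >= 0.8:      # assumed cut-off for this example
        verdict = "sequential"
    elif stddev < 1000:          # assumed cut-off for this example
        verdict = "narrow"
    else:
        verdict = "randomized"
    # Sample-based estimate of what a forged reply must match: the transaction
    # ID plus the width of the port range actually in use. Predictable ports
    # contribute nothing.
    if verdict in ("fixed", "sequential"):
        port_bits = 0.0
    else:
        port_bits = math.log2(max(ports) - min(ports) + 1)
    return {"verdict": verdict, "stddev": round(stddev, 1),
            "guess_bits": round(TXID_BITS + port_bits, 1)}

# Constructed samples, not captured traffic.
SAMPLES = {
    "unpatched_fixed": [32768] * 8,
    "counter": [1025, 1026, 1027, 1028, 1029, 1030, 1031, 1032],
    "small_pool": [50010, 50087, 50003, 50061, 50099, 50024, 50078, 50042],
    "patched": [40213, 1893, 61007, 22750, 50944, 9381, 33122, 58466],
}

if __name__ == "__main__":
    for name, ports in SAMPLES.items():
        print(name, assess_source_ports(ports))
```

Even the randomized case cannot exceed 32 bits, since the port and the transaction ID are each 16-bit fields, which is consistent with the article's description of port randomization as a stopgap.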

    He also warned that the DNS flaw could be the first of many potentially catastrophic flaws found in coming years, as more commonly used services and systems are probed for fundamental weaknesses.

    “Even with DNS fixed, there are other scenarios in which unencrypted IP traffic is lost to an attacker,” Kaminsky noted in the presentation.

    “The attacker is capable of way more than he should be.”

    - Sender: admin | Comments add

    The BBC has given one lucky thief the opportunity of a lifetime by becoming the latest British institution to find itself at the centre of a loss of data scandal.

    The thief, who swiped a laptop and some data sticks from a BBC contractor’s car, could be surprised to learn that the sticks contain the details of hundreds of children who had applied to take part in a cookery show called Gastronuts.

    As if it wasn’t bad enough that the data contained personal details including names, addresses and phone numbers, it also gave full details of when the children, and presumably the rest of their families, would be away on holiday. Score!

    The BBC has sent letters to those parents affected by the theft but it’s not clear whether they will be sending someone around to turn the lights on and off and bring the mail in.

    theinquirer.net (c) 2008 Incisive Media