Don’t fall for "CNN Alerts: My Custom Alert" malware spam

Malware spam emails claiming to be from CNN started showing up on Monday, Aug. 4. They are dangerous.

With a subject line of “CNN Alerts: My Custom Alert” or “CNN.com Daily Top 10,” these legitimate-appearing emails had message bodies with text like “Coup demonstration in Mauritania” or “Detroit mayor ordered jailed after bond violation.”

Most of the links in the spam email go back to CNN… except for the one that says “FULL STORY.” That’s the baddie. If you click the link, it takes you to a real-looking Web page that pops up a box asking you to install the latest version of a video player (see picture) in order to see the news report.

If you agree to install the file, congratulations, you’ve just installed some malware. If you decline, the pop-up comes back asking over and over again, until you either install the malware or force-quit your browser.

Since the initial appearance, I’ve received hundreds of these messages, with increasing sophistication. Be advised, don’t be fooled. Don’t click it, don’t install it.

CNN acknowledged this spam on its “Behind the Scenes” blog on Friday, Aug. 8. That’s good. However, the bland warning doesn’t go far enough: it doesn’t tell viewers that the email isn’t just annoying spam, but that the link tries to install malware. CNN also doesn’t tell you what to do if you’ve been suckered. Here’s the message:

Fraudulent spam about CNN

Earlier this week, a spam message purporting to be from CNN began circulating the Internet. We decided to blog about this to alert those of you who hadn’t yet received it to be on the lookout for it; and also to assure those of you who did receive it that the message was NOT, in fact, from CNN.

As you may know, spammers often disguise or forge the source of their e-mail to give recipients the impression that the message derived from another system, especially one tied to a recognizable brand. In this instance, the spammer chose to use the CNN brand.

The message, claiming to contain CNN’s Top 10 news stories and videos of the day, is fraudulent and did not originate from CNN. If you have received it, we suggest that you delete it from your mailbox. Further, we recommend you delete any e-mail message from your mailbox that you believe may be illegitimate.

Thanks to all of you out there who alerted us to the existence of this spam purporting to be from CNN.

Posted by: CNN Public Relations

Update 8/13: Now I’m seeing the same type of messages coming through labeled from MSNBC.

Z Trek Copyright (c) Alan Zeichick