New Fake CNN News Outbreak
Starting at about 6:50am MST this morning, we began seeing a new spam outbreak purporting to be from CNN. The emails appear to come from several different senders, such as "CNN News Centre - Headline News", "Media News", and "News Centre", with addresses such as support@cnn.com and hot@cnn.com. The emails that our Threat Operations Center has observed thus far are centered around the current Israel conflict in Gaza.
Here is a sample message of what we have seen:
Israel offers short respite from strikes.
Israel will halt its bombardment of Gaza for three hours every day to allow residents of the Hamas-ruled Palestinian territory to obtain much-needed supplies, a military spokesman says.
The images broadcast here were graphic and striking.
The Al Jazeera English report below captures the extent of the devastation caused by the initial strikes.
Proceed to view details:
hxxp://edition.cnn.2009.companies.world-3lqpkmhos.gazaisraelbbc.com/israel-gaza.htm?/completeserv/VIDEO=abbbflubhkg4w02
2009 Cable News Network. A Time Warner Company. All Rights Reserved.
The URL being linked to changes from message to message; however, the "edition.cnn.2009" at the start of the URL appears to be static across the samples we have observed thus far. Also, the page "israel-gaza.htm" has been linked to in all samples we have seen.
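The two static traits described above can be turned into a simple mail-filter check. This is an added example, not code from the original post or from our Threat Operations Center; the function names and the "cnn-label" rule (a "cnn" hostname label on any non-cnn.com domain, a generalization beyond the samples described) are assumptions, and the sample body is constructed from the message shown above.

```python
import re
from urllib.parse import urlsplit

# Traits taken from the alert text; LEGIT_DOMAIN is the brand being spoofed.
STATIC_HOST_PREFIX = "edition.cnn.2009."
STATIC_PAGE = "israel-gaza.htm"
LEGIT_DOMAIN = "cnn.com"
URL_RE = re.compile(r"(?:https?|hxxps?)://[^\s<>]+", re.IGNORECASE)


def score_url(url):
    """Return the campaign traits matched by one (possibly defanged) URL."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)  # refang
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed authority: no trait can be confirmed
        return []
    # A genuine cnn.com host is never flagged, whatever its path.
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return []
    hits = []
    if host.startswith(STATIC_HOST_PREFIX):
        hits.append("host-prefix")
    elif "cnn" in host.split("."):
        hits.append("cnn-label")  # assumed rule: brand label, non-CNN domain
    if parts.path.lower().rsplit("/", 1)[-1] == STATIC_PAGE:
        hits.append("page-name")
    return hits


def flag_message(body):
    """Map each URL in a message body to the traits it matched, if any."""
    scored = ((u, score_url(u)) for u in URL_RE.findall(body))
    return {u: hits for u, hits in scored if hits}


# Constructed sample: the defanged link from the alert plus a benign link.
SAMPLE = """Proceed to view details:
hxxp://edition.cnn.2009.companies.world-3lqpkmhos.gazaisraelbbc.com/israel-gaza.htm?/completeserv/VIDEO=abbbflubhkg4w02
Unrelated: http://edition.cnn.com/index.html
"""

if __name__ == "__main__":
    for url, hits in flag_message(SAMPLE).items():
        print(",".join(hits), url)
```

Because the registered domain rotates from message to message, the check keys on the hostname prefix and page name rather than on any one domain.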
Volumes started out fairly modest, with about 50 instances seen within the first 45 minutes, but picked up pace very quickly at around 8am MST, when we saw another 1,300 within about 10 minutes. We are continuously collecting volume numbers and will post more updates as needed.
If the link in the email is clicked, the user is brought to a fake news page like the following:

Some sample subject lines include:
Hamas launching rocket war after Gaza evacuation
Hamas Goads Israel into War
Israel's War Crimes
War in Gaza: while Israel and Hamas fight
This tactic is similar to the fake CNN news update that we originally saw back in August 2008, in which an email purporting to be from CNN sent users to fake video sites where they were then directed to download a video codec in order to watch the video. The video codec is actually malware.
Due to the effectiveness of the previous CNN outbreak (our Threat Operations Center intercepted about 835M fake CNN messages during a two week period back in August) and the worldwide interest in what is currently happening in Gaza, we felt it was appropriate to send out this threat alert to raise awareness of this campaign, which appears to be quickly picking up steam.
We will continue to actively monitor this tactic for changes both in volume and content and will report on those as they surface.
*** UPDATE 1/8/2009 2:00pm MST *** After monitoring this threat for the past several hours, peak volumes have so far occurred during the 10am MST hour, when our Threat Operations Center observed just over 80,000 of these messages.
Current volume graph:

It also does not appear that the domains being used are fluxing across many IP addresses. Of the domains that we have observed being pointed to by these CNN emails, they have been pointing to 5 IP addresses. Those are 99.135.187.5, 173.21.75.102, 75.45.181.113, 91.123.159.112, and 98.141.74.204. We will continue to monitor in the event that this changes.
The fact that volumes have dropped from their peak is not to say that this tactic is waning. Recall that during the original CNN outbreak back in August it took 3 days for volumes to peak, so it is still possible that, as developments continue to evolve in Gaza, additional variants of this email and malware may crop up. Additional updates to follow as they become available.
*** UPDATE 1/8/2009 3:20pm MST *** I stand corrected on my previous update. The domains being used to host the fake video codec downloads are indeed fluxing, albeit not very quickly. Current volumes are still holding steady at about 15,000 per hour.
Posted by smasiello at 9:38 AM