CBC not CCA secure

I always get stuck at those kind of exercises in my Cryptography class. I just don't understand how should I build these scenarios of "sending m1 and m2 and then somehow telling if it was m1 or m2 etc..." attacks. Can someone explain to me in simple terms how can I describe a scenario for this exercise: "Show that the CBC mode is not CCA-secure by describing an attacker A and name its advantage."

And please any Book suggestions to learn those attacks, because I understand the theory, but when it comes to practice, I get stuck.

The CPA security game involves guessing which of m1 and m2 the encryption oracle encrypted and returned as a challenge. Adversary picks both messages. They win if they do better than 50:50 random guessing. In simple terms, this means the adversary can distinguish between messages after they're encrypted.

CCA is the same but gives access to a decryption oracle that decrypts anything but the challenge value. Challenge values are obviously blacklisted or the adversary just asks for a decryption and then they know whether it was m1 or m2 and win trivially. CCA insecurity means the attacker can learn information about one encrypted message by decrypting another different chosen ciphertext.

CBC is malleable

• bit flips in the IV flip bits in the first plaintext block
• bit flips in ciphertext flip bits in the next plaintext block and randomise that plaintext block

So the attacker can decrypt blacklisted messages by flipping one of the IV bits, submitting that to the decryption oracle, and flipping the same bit in the first block of whatever comes back. This gets them around the blacklist and wins the game with 100% probability. The attacker has learned the challenge ciphertext by decrypting a related message.

In real applications malleability has real consequences, attackers can flip bits in the first block for free and the nth block at the cost of trashing the (n-1)th block.