Hackers step up game, spread malware using Bin Laden bait

Facebook scams also ramp up as criminals exploit major news event

Hackers today stepped up their use of Osama Bin Laden's death by shoving malware into PCs when users fall for phony claims of photographs and video, security researchers said today.

"It's not really surprising," said Mikko Hypponen, the chief research officer of Helsinki-based F-Secure. "We were expecting to see related malware."

The shift to direct attacks follows Monday's campaigns to push fake security software, dubbed "rogueware," to both Windows and Mac users.

Earlier today, F-Secure warned users to steer clear of spam that included the "Fotos_Osama_Bin_Laden.zip" archive attachment. The messages claim the file contains photos of Bin Laden after he was shot and killed by U.S. special forces during a 40-minute firefight in his compound in the northern Pakistani city of Abbottabad.

Running the resulting Windows executable file doesn't display photographs, but instead launches a new banking Trojan horse belonging to the three-year-old "Banload" line, said Hypponen. The malware sniffs out online banking sessions and then tries to redirect payments to other accounts.

Other security companies have also snared malware packaged with Bin Laden spam.

Today, Symantec said it had found email messages touting photos and video of the U.S. attack's aftermath. The messages, which so far have been written in French, Portuguese and Spanish, lead users to a fake CNN Web site where they're told to download video.

As in the F-Secure instance, the download is, in fact, a "dropper" that in turn downloads malicious code to the Windows PC.

Bin Laden scams are also spreading quickly on Facebook, Hypponen and others said.

The latest scam plays on the reputation of Wikileaks, the organization that has leaked thousands of U.S. military and diplomatic messages during the last year.

"Osama is dead, watch this exclusive CNN video which was censored by Obama Administration due to level of violence, a must watch," claims the Facebook spam. "Leaked by Wikileaks."

According to U.K.-based Sophos, the Facebook messages don't play video of the al-Qaeda leader's death, but actually dupe users into copying and pasting a line of JavaScript into their browser's address bar.

The Bin Laden Facebook con dupes users into spreading the scam. (Image: Commtouch.)

"Any time you paste a script into your browser's address bar, you're effectively running code written by the scammers without the safety net of protection," said Graham Cluley, a Sophos senior security technology consultant, in a post to his company's blog Tuesday. The JavaScript shares the bogus news of the video with all of a user's Facebook friends by posting it to their "walls."

The criminals make money, said security firm Commtouch, by eventually shunting to users a marketing page that generates pay-per-click revenues.

Hackers and scammers are able to rapidly ramp up attacks whenever a major news story breaks because they're simply tweaking existing malware or schemes, said Hypponen. And some of their processes are even automated.

"The [search engine poisoning] is fully automated," Hypponen said, referring to the tactic where hackers and other cyber criminals pollute search engine results with pages containing links to malicious sites.

"They automatically generate pages with worthless content, or sometimes with no content at all," said Hypponen. "This works especially well when the news hasn't yet been covered by a normal site. It's possible for anybody to get their page within the top 10 [results] by being fast enough."

Hypponen expected that cyber criminals will continue to exploit Bin Laden's death for some time to come. "They usually keep trying longer than it actually works," he said. "Most people won't be falling for [such scams] for very long, but the video might work for a while, because I wouldn't expect the U.S. to release a real video."

Also part of the Bin Laden campaigns, experts said yesterday, was the first attempt by online crooks to push Mac-specific rogueware to Apple's customers.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags symantecsecurityf-secureMalware and Vulnerabilities

More about AppleCNNCommtouchFacebookF-SecureMicrosoftNNSophosSymantecTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts