
Osama bin Laden killing prompts malware, Facebook scams

May 2, 2011
Visitors to the website of a man in Pakistan who tweeted about hearing loud helicopters during the U.S. military operation to kill Osama bin Laden may have downloaded rogue anti-virus software onto their PCs, according to researchers at web security firm Websense.

The affected site belonged to Sohaib Athar, known on Twitter as “@ReallyVirtual,” an IT consultant based in Abbottabad, Pakistan.

Athar, who, according to his Twitter biography, is “taking a break from the rat race by hiding in the mountains with his laptops,” tweeted about hearing helicopters and explosions during the secret Navy SEALs mission on Sunday that ended in the death of the al-Qaida leader.

Athar's website, which is linked from his now heavily followed Twitter account, was compromised to serve malware that was detected by just nine of the top 41 anti-virus (AV) products, Patrik Runald, senior security researcher at Websense, told SCMagazineUS.com on Monday.

As of around 11 a.m. EST on Monday, the site appeared to have been cleaned, Runald added.

It is not known how the site was originally infected, but it was running an out-of-date version of WordPress and possibly contained vulnerable plug-ins, Runald said. The site may actually have been infected for weeks or longer.

“I think it was infected before he became a Twitter celebrity," Runald said. “The bad guys just got lucky, to be honest.”
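The article's only hard lead on the infection vector is that the site ran an out-of-date WordPress core and possibly vulnerable plug-ins. The script below is an added example, not code from the article, from Websense or from the site owner: it inventories a local copy of a WordPress tree offline, reading the `$wp_version` string from `wp-includes/version.php` and each plugin's `Plugin Name:`/`Version:` header comment, and flags anything older than a reference list the operator supplies. The `REFERENCE` table, the plugin slugs and the sample site it builds are constructed placeholders, not real release data.

```python
"""Offline inventory of a WordPress install's core and plugin versions.

Added example, not the article's or Websense's code. The reference
versions below are constructed placeholders (assumption), not real
release data; replace them with current releases before relying on it.
"""
import os
import re
import tempfile

# Constructed reference list (assumption): the newest release the operator
# knows of for core and for each plugin slug. Not real version data.
REFERENCE = {
    "core": "3.1.2",
    "example-contact": "1.6",
    "example-gallery": "2.4.1",
}

CORE_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def parse_version(s):
    """Turn '3.1.2' into (3, 1, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", s))


def core_version(root):
    """Return the $wp_version string from wp-includes/version.php, or None if absent."""
    path = os.path.join(root, "wp-includes", "version.php")
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as f:
        m = CORE_RE.search(f.read())
    return m.group(1) if m else None


def plugin_versions(root):
    """Map plugin slug -> declared Version from the main plugin file's header comment.

    A plugin is a .php file carrying a 'Plugin Name:' header, either directly in
    wp-content/plugins/<slug>.php or inside wp-content/plugins/<slug>/.
    """
    plugins_dir = os.path.join(root, "wp-content", "plugins")
    found = {}
    if not os.path.isdir(plugins_dir):
        return found
    for entry in sorted(os.listdir(plugins_dir)):
        full = os.path.join(plugins_dir, entry)
        if os.path.isdir(full):
            candidates = [os.path.join(full, f) for f in sorted(os.listdir(full)) if f.endswith(".php")]
            slug = entry
        elif entry.endswith(".php"):
            candidates, slug = [full], entry[:-4]
        else:
            continue
        for path in candidates:
            with open(path, encoding="utf-8", errors="replace") as f:
                head = f.read(8192)  # header comments live at the top of the file
            fields = dict(HEADER_RE.findall(head))
            if "Plugin Name" in fields:
                found[slug] = fields.get("Version", "unknown")
                break
    return found


def audit(root, reference=REFERENCE):
    """Return (component, installed, reference) tuples for out-of-date or unvouched components."""
    findings = []
    core = core_version(root)
    if core is None or parse_version(core) < parse_version(reference["core"]):
        findings.append(("core", core, reference["core"]))
    for slug, ver in plugin_versions(root).items():
        ref = reference.get(slug)
        if ref is None:
            findings.append((slug, ver, None))  # no reference entry: cannot vouch for it
        elif ver == "unknown" or parse_version(ver) < parse_version(ref):
            findings.append((slug, ver, ref))
    return findings


def build_sample_site():
    """Write a constructed, minimal WordPress tree to a temp dir for the demo (not a real site)."""
    root = tempfile.mkdtemp(prefix="wp-")
    os.makedirs(os.path.join(root, "wp-includes"))
    with open(os.path.join(root, "wp-includes", "version.php"), "w") as f:
        f.write("<?php\n$wp_version = '3.0.1';\n$wp_db_version = 15477;\n")
    pdir = os.path.join(root, "wp-content", "plugins")
    os.makedirs(os.path.join(pdir, "example-gallery"))
    with open(os.path.join(pdir, "example-gallery", "gallery.php"), "w") as f:
        f.write("<?php\n/*\nPlugin Name: Example Gallery\nVersion: 2.3.0\n*/\n")
    with open(os.path.join(pdir, "example-contact.php"), "w") as f:
        f.write("<?php\n/*\nPlugin Name: Example Contact\nVersion: 1.6\n*/\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for component, installed, ref in audit(site):
        print(f"{component}: installed {installed}, reference {ref}")
```

Run it against a copy of the web root taken from the server (or from a backup, which also tells you how long the outdated code has been in place). Plugins with no reference entry are reported rather than silently passed, since an unknown plugin is exactly where a vulnerable one hides.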

The site was compromised to host Windows malware delivered by the Blackhole exploit kit, a crimeware kit sold on the black market, he said. If the exploit succeeds, the malware appears to run a system scan, claims to find problems with the system's hard drive and memory, then prompts the user to purchase software to fix the nonexistent issues.

Meanwhile, other attackers have also jumped to exploit the death of bin Laden through black hat search engine optimization tactics and Facebook scams, researchers said.

For example, criminals have “poisoned” search results in Google Images for queries such as “Osama Bin Laden” and “Osama Bin Laden body,” so that some of the resulting images lead to malicious pages, Tim Armstrong, malware researcher at anti-virus firm Kaspersky Lab, told SCMagazineUS.com on Monday.

Clicking one of the affected images redirects users to a malicious domain distributing rogue AV software.

Criminals generally use automated methods to quickly push their pages to the top of the results for search terms related to newsworthy topics, he said.

“We saw [malicious search] results within four to five hours of the official news hitting the wire,” Armstrong said.

Meanwhile, dubious links spreading on Facebook promise videos of bin Laden being killed, researchers said. Clicking them may lead users to sites that instruct them to enter personal information or fill out surveys that are part of affiliate scams.
