Scammers exploit bin Laden news in search, Facebook

Within hours of the news that Osama bin Laden had been killed, malware was found on sites optimized to show up on Web searches related to the event and in scams on Facebook.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
4 min read
Results in Google image search in Spanish related to the death of Osama bin Laden were hiding malware, Kaspersky Lab says.
Results in Google image search in Spanish related to the death of Osama bin Laden were hiding malware, Kaspersky Lab says. Kaspersky Lab

Online scammers have been quick to capitalize on what will undoubtedly be one of the most significant news events this year: the death of Osama bin Laden.

Within hours of the news that the al-Qaeda leader had been killed by U.S. forces on Sunday, malware was found on sites optimized to show up on Web searches related to the event and in scams on Facebook.

Also, the blog site of a Twitter user based in Pakistan who now has more than 66,000 followers and who was posting tweets as the attack on bin Laden was happening, apparently was popular enough that his blog site was compromised and malware was embedded on it, according to a blog post from security firm Websense.

Visitors to the blog would not immediately have noticed anything as the malware was installed as a drive-by download without the visitor having to do anything, said Patrik Runald, senior manager of security research at Websense Security Labs. The malware searched for vulnerabilities in Internet Explorer, Java, and Adobe Reader that have been patched by the vendors, he said. If a hole was found, a display would pop up advertising "Windows Recover" a fake system scanner for Windows that tries to trick people into paying for software they don't need, according to Runald, who said it is unclear how long the blog was compromised before it was cleaned up around 8 a.m. PT today.

Around the Web, image searches and items labeled as video are proving particularly problematic as people are drawn to visual images of the terrorist leader. At least two domains were found to be serving up fake antivirus rogueware called "Best Antivirus 2011" on searches for "Osama bin Laden body" on a Google image search in Spanish, according to a blog post by Kaspersky Lab.

Another troublesome site involves a graphic doctored image of bin Laden. A Spanish language site was found to be displaying a photo that is supposed to be a shot of bin Laden after he was killed, accompanied by a news story about his death and what looks like a video. When the purported Flash Player window is clicked on, a message is shown prompting the visitor to update a VLC media player plug-in to view the video, Zscaler said in a blog post. Instead, an adware tool known as "hotbar" but labeled "XvidSetup.exe" is downloaded, the cloud security provider warned.

The scammers aren't dumb, they know what topics people are interested in. The phrase "Osama bin laden dead" was the most popular search on Google today in the U.S., according to Google Trends.

Spammers were quick to target Facebook, too. A spam message was being circulated that said: "Sweet! FREE Subway To Celebrate Osamas Death - 56 Left HURRY!" or "2 Southwest Plane Tickets for Free - 56 Left Hurry" and it included a link to a short URL service, according to another Kaspersky Lab blog post.

When the link is clicked the user is prompted to post a message to get more information on the offer. Posting the message keeps the scam spreading, while the user is then redirected to another page. "The scheme of this scam is to keep redirecting you to pages where you have to enter information such as email, and eventually get money for all new users or clicks," Kaspersky said.

A Websense blog post said purported bin Laden video links are cropping up all over the Web, but none of them are legitimate as there is no video available of the attack.

Researchers at security provider Imperva found instructions for how to launch a "viral" scam on Facebook in a black-hat search engine optimization forum on the Web. ""Monetize This NOW! Just a tip to the newbies starting out," it says. First, create a Fan Page with a title that will grab people's attention, start inviting people, and watch it go viral, are the instructions. "You'll probably get 90 % USA FB users," the scammer how-to said, adding that the scammer should save it to promote a product later.

"5/1/2011 - This is one of those rare opportunities that can build you a great list and a a couple of zeros in your profit. Use it while the news of Bin Laden killed by US forces is hot," the post says. "I just started one and it had 600 likes in 2 minutes."

In one exploit, Imperva found a Facebook "like" clicking scam hidden in a video on a malicious Spanish language blog.

F-Secure has also uncovered a banking trojan being delivered via spam e-mails that purport to show photos of bin Laden but instead monitor online banking sessions and steal money.

Web surfers should be cautious when searching for information on this or any other big breaking news and go directly to the Web sites of reputable news sources. Security and other software (browsers, plug-ins, and operating system) should be kept up to date so vulnerabilities are patched. And ads on Facebook that are too good to be true, are just that.

Updated May 3 at 10:42 a.m. PT with news about banking trojan surfacing in e-mail and at 11:50 a.m. PT with news of blog of Twitter user who live-tweeted the operation found to be serving up malware.