Osama bin Laden scam spreading on Facebook

Criminals are wasting no time in harnessing the undeniable impact of the news of Osama Bin Laden’s death to bait familiar old traps on Facebook.

I just got a call from, let’s call him “a concerned family member”, after he had been taken in by a Facebook “chat virus”.

The infection chain started with a chat message from a friend. The message read “watch the video of them killing osama bin laden live! ” and was accompanied by a link. The message began with the victim’s real name, giving it added credibility.


The link leads to a page that may look familiar to those of you who keep up with this sort of thing, but as my br… um… concerned family member can attest, it still fools the unwary.


The instructions on the page inform the unfortunate mark that in order to view the supposed execution video, they need to paste the “video code” into the address bar of the browser. This may seem an unusual request in the context of a blog post, but when the recommendation comes to you in a live chat message from a friend you know and trust, your spider senses may not be tingling quite so much.

The code that you are pasting into your address bar is JavaScript that simply loads a second JavaScript file hosted on a compromised but otherwise innocent website. The second file enumerates all your friends and sends them chat messages, creates an event to which all your friends are invited and continually updates your Facebook status, meaning that the video link is immediately posted to your Facebook wall to entice other unwary Facebookers and spammed out in personalised chat messages and event invitations to your nearest and dearest (well, your Facebook friends anyway).

The tactics used are exactly the same as in many of the “Profile Spy” or “See who views your profile” scams that do the rounds so often. In fact, the offending JavaScript file in this instance even contains the line “var eventdesc = 'Hey everyone, \n\ fb now lets you see who viewed your profile! to enable this feature, go here! -'”, suggesting that this represents nothing more than a rebaited trap.

But hey, there’s an old saying in Tennessee – I know it’s in Texas, it’s probably in Tennessee – that says, fool me once, shame on … shame on you. It fool me. We can’t get fooled again (with thanks to GWB).

What do we learn from this? I guess the simplest lesson is this: if you receive an unsolicited link from someone, even someone you know, check with them first before you click. You never know, you could be doing them a favour by letting them know they have been duped. And NEVER paste ANYTHING that is not a URL into your browser address bar.
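The “never paste anything that is not a URL” rule can be turned into a check. The example below is added here and is not code from the original post or from Trend Micro; it assumes a hypothetical clipboard or address-bar hook that calls classifyAddressBarInput() on the text a user is about to paste. It parses with the WHATWG URL parser rather than string-matching on “javascript:”, because browsers (and that parser) strip leading spaces, tabs and newlines before reading the scheme, so a naive match would miss variants such as “java\tscript:”.

```javascript
// Added example (not from the original post): classify text before it is
// pasted into the address bar. Only http/https URLs belong there; a string
// that parses to a javascript: scheme is the "video code" self-XSS pattern
// the post describes. The hook that would call this is assumed, not shown.

const SAFE_SCHEMES = new Set(['http:', 'https:']);
// Schemes that execute or render attacker-supplied content directly.
const EXECUTABLE_SCHEMES = new Set(['javascript:']);
const BLOCKED_SCHEMES = new Set(['data:', 'vbscript:']);

function classifyAddressBarInput(text) {
  let parsed;
  try {
    // The WHATWG parser trims leading/trailing C0 controls and spaces,
    // removes embedded tabs/newlines, and lower-cases the scheme, which is
    // exactly what a browser does before navigating.
    parsed = new URL(text);
  } catch {
    // No parseable scheme: a browser would treat this as a search or a bare
    // hostname. It is not executable code, but it is not a verified URL either.
    return { verdict: 'not-a-url', scheme: null };
  }
  const scheme = parsed.protocol;
  if (SAFE_SCHEMES.has(scheme)) return { verdict: 'safe-url', scheme };
  if (EXECUTABLE_SCHEMES.has(scheme)) return { verdict: 'self-xss', scheme };
  if (BLOCKED_SCHEMES.has(scheme)) return { verdict: 'blocked-scheme', scheme };
  return { verdict: 'unexpected-scheme', scheme };
}

// Constructed samples (harmless placeholders, not the scam's real payload).
const SAMPLES = [
  'https://www.facebook.com/',
  "javascript:document.title='video code'",
  "  JavaScript:document.title='video code'",   // leading spaces, mixed case
  "java\tscript:document.title='video code'",   // embedded tab
  'watch the video of them killing osama bin laden live!',
  'data:text/html,<p>not a video</p>',
];

function classifySamples() {
  return SAMPLES.map(s => classifyAddressBarInput(s).verdict);
}

for (const [i, s] of SAMPLES.entries()) {
  console.log(JSON.stringify(s), '->', classifySamples()[i]);
}
```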

It is also worth noting that this is not the only Osama scam currently spreading on Facebook; I also spotted many iterations of a second attack that uses clickjacking in the form of a bogus CAPTCHA to fool users into posting the bait to their own walls.

As Solutions Architect for Trend Micro, Rik Ferguson interacts with CIOs from a wide variety of blue chip enterprises, government institutions and law enforcement organisations. Recognised as an industry thought leader and analyst, Rik is regularly quoted by the press on issues surrounding Information Security, Cybercrime and technology futures. With over 15 years’ experience in the IT industry with companies such as EDS, McAfee and Xerox, Rik’s broad experience gives him a clear insight into the challenges and issues facing businesses today.

  • After all of those things about his death circulating around, this one is a breather. A good article to share with everybody going crazy and carelessly engaging themselves in harmful environments.