I suppose this was inevitable. The reported death of Osama Bin Laden is just too good a lure for cybercriminals and scammers to pass up. We certainly anticipated this and have been tracking it since the first reports came out of Washington.
We have seen variations of what I can only call “expected lures”:
- See video in which Osama bin Laden is shown holding a newspaper with today’s date and disprove his possible death reported by OBAMA.
Beware of any verbiage, subject lines in emails, or links via Facebook or Twitter that contain words like these, as they will almost certainly get you into trouble. Make sure your security software is fully updated and be sure to use safe browsing software as well.
Stay safe out there and we will keep you posted!
Shortly after I posted this blog, some of the other researchers at McAfee Labs forwarded me some additional data (shoutouts to Craig, Eric, and The-Funny-Hatted-One!).
Here is an example of what one of the currently circulating spams looks like:
Should anyone make the mistake of clicking the link I circled, they are then directed to a site that downloads a small file onto their system that attempts to install itself. This file, detected currently as either “Heuristic.LooksLike.Win32.EPO.F” or “Artemis!7C4314D9690D”, is in actuality a Trojan that steals data. More detailed detection information can be found here.
McAfee Labs has also seen links and scams that lead to FakeAV, RBot, and ZBot binaries, so be careful!
I also ran across more than a few bogus shortened links that lead to FakeAV websites:
One thing I did find humorous was the message bar showing the scan progress, which I have circled on the following picture:
None of those “scanned directories” actually exist on my machine. Come on – C:\WINDOWS\system32?????? I am on a MacBook Pro. Try harder n00bs.
Lastly, I ran across a Word document entitled “Laden’s Death” that looks to contain an exploit of CVE-2010-3333. It crashed immediately when opened but managed to make 430 changes to the PC I was analyzing it on. Lots of changes to startup items, location settings and such:
I’ll continue to update this post as more stuff comes in. Stay updated. Stay informed. Stay safe.