5, 4, 3, 2, 1: Osama Bin Laden Death Scams

I suppose this was inevitable. The reported death of Osama Bin Laden is just too good a lure for cybercriminals and scammers to pass up. We at McAfee Labs certainly anticipated this and have been tracking it since the first reports came out of Washington early this morning.

We have seen variations of what I can only call “expected lures”:

  • See video in which Osama bin Laden is shown holding a newspaper with today’s date and disprove his possible death reported by OBAMA.
  • OSAMA-BIN-Laden-aparece-segurando-jornal-com-a-data-de-hoje-obama-se-passa-por-mentiroso.exe
  • fotos-do-osama-morto.exe
  • pictures-of-osama-dead.exe

Beware of any verbiage, subject lines in emails, or links via Facebook or Twitter that contain words like these–as they will almost certainly get you into trouble. Make sure your security software is fully updated and be sure to use safe browsing software as well.

Stay safe out there and we will keep you posted!

——- UPDATE ———–

Shortly after I posted this blog some of the other researchers at McAfee Labs forwarded me some additional data (shoutouts to Craig, Eric, and The-Funny-Hatted-One!).

Here is an example of what one of the currently circulating spams looks like:

Should anyone make the mistake of clicking the link I circled, they are then directed to a site that downloads a small file onto their system that attempts to install itself. This file, detected currently as either “Heuristic.LooksLike.Win32.EPO.F” or “Artemis!7C4314D9690D” is in actuality a Trojan that steals data. More detailed detection information can be found here.

McAfee Labs has also seen links and scams that lead to FakeAV, RBot, and ZBot binaries, so be careful!

——– Yet Another Update!! ———–

Caught a few more scams today that I thought I would share with you all out in Intertubz-land! The have been more than a few bogus “Bin Laden Death” video scams circulating today and they lead to the expected places…. FakeAV and spam. Below is a screenshot of a bogus page I cam across that asks the viewer to copy and paste a script into their browser in order to see a video of Osama Bin Laden’s death:

It certainly DOES NOT lead to the promised video because there is no released video! What it does do is spam your wall with messages trying to get people to do the same thing. Do not be fooled. Do not copy and paste, this or indeed any script asking you to do so in order to see ANY video.

I also ran across more than a few bogus shortened links that lead to FakeAV websites:

One thing I did find humorous was the message bar showing the scan progress, which I have circled on the following picture:

None of those “scanned directories” actually exist on my machine. Come on – C:WINDOWS\system32?????? I am on a MacBook. Try harder n00bs.

Lastly we ran across a Word document entitled “Laden’s Death” that looks to contain an exploit of CVE-2010-3333. It crashed immediately when opened but managed to make 430 changes to the PC I was analyzing it on. Lots of changes to startup items, location settings and such:

I uploaded the whole RegShot diff file to PasteBin. Should you like to view it, just go here. I’ll continue to update this post as more stuff comes in. Stay updated. Stay informed. Stay safe.