We'll continue to update this blog post with new malware we're seeing related to Osama bin Laden's death, as we expect to see plenty.
Interesting statistic: Zscaler went from seeing fewer than 1,000 URLs containing the terms 'osama', 'usama' or 'laden' on Sunday afternoon, to a peak of over 4 million by 10am PST on Monday morning.
There are a handful of sites cropping up that are advertising that Osama is alive. When visited the page appears as follows:
This particular profile is down, however there do appear to be a number of other related Facebook profile pages recently created:
I have not witnessed anything malicious at the moment in this campaign. But because the spammy nature and number of sites / profiles it makes our list.
(32/42): Trojan Rinecud / Pincav
Let's just call this 'poor man's Likejacking
', with a dash of malvertising. The site manually walks a user through manually 'liking' content and then posting it to their Facebook page, which is allegedly required, before the video can be viewed. Upon clicking on the 'WATCH THE VIDEO NOW' link a fake 'age verification' screen is displayed, requiring the user to click on advertising links.
Osama Bin Laden Death Video Facebook Scams:
Many other Facebook profiles as well:
News story which includes links to video with fake VLC warnings. The page may be infected with malvertising. The malware is not consistently displayed on the page.
(19/41): Hotbar Adware
A variety of attacks are included on the page, including Likejacking
(20/41): Hotbar Adware
302 redirects to:
(24/41): Trojan Banload
Seen spread primarily through spamvertised messages to mail.live.com
(7/41): Password Stealing Trojan