Osama lives again on Facebook

Criminals are wasting no time in harnessing the undeniable impact of the news of Osama Bin Laden’s death to bait familiar old traps on facebook.
I just got a call from, let’s call him “a concerned family member”, after he had been taken in by a facebook “chat virus”.
The infection chain started with a chat message from a friend, the message read “watch the video of them killing osama bin laden live! ” and was accompanied by a link. The message began with the victim’s real name giving it added credibility.

The link leads to a page that may look familiar to those of you who keep up with this sort of thing, but as my br… um… concerned family member can attest, it still fools the unwary.

The instructions on the page inform the unfortunate mark that in order to view the supposed execution video, they need to paste the “video code” into the address bar of the browser. This may seem an unusual request in the context of a blog post, but when the recommendation comes to you in a live chat message from a friend you know and trust, your spider senses may not be tingling quite so much.

The code that you are pasting into your address bar is a JavaScript that simply calls a second JavaScript file hosted on a compromised but otherwise innocent website. The second file enumerates all your friends and sends them chat messages, creates an event to which all your friends are invited and continually updates your facebook status. Meaning that the video link is immediately posted to your facebook wall to entice other unwary facebookers and spammed out in personalised chat messages and event invitations to your nearest and dearest (well, your Facebook friends anyway).
The tactics used are exactly the same as in many of the “Profile Spy”, or “See who views your profile” scams that do the rounds so often, in fact the offending JavaScript file in this instance even contains the line “var eventdesc = ‘Hey everyone, \n\ fb now lets you see who viewed your profile! to enable this feature, go here! –” suggesting that this represents nothing more than a rebaited trap.
But hey, there’s an old saying in Tennessee – I know it’s in Texas, it’s probably in Tennessee – that says, fool me once, shame on … shame on you. It fool me. We can’t get fooled again (with thanks to GWB)
What do we learn from this? I guess the simplest lesson is, if you receive an unsolicited link from someone, even someone you know, check with them first before you click. You never know, you could be doing them a favour and letting them know they have been duped. And NEVER paste ANYTHING that is not a URL into your browser address bar.
It is also worth noting that this is not the only Osama scam currently spreading on Facebook, I also spotted many iterations of a second attack that uses clickjacking in the form of a bogus CAPTCHA to fool users into posting the bait to their own walls.


7 thoughts on “Osama lives again on Facebook

  1. Pingback: Facebook-Virus: Cyberkriminelle nutzen Tod von Osama - NETZWELT

  2. Pingback: OsamaIsAlive » Blog Archive » Osama lives again on Facebook » CounterMeasures

  3. M Dunn

    I experienced a simmilar virus to this. Someone posted a link on my wall which said ‘Photo’s of Osama’s Death’ which was disguised as a Facebook group. When going to delete it, I accidentally clicked it, and realised what it was. I immediately closed the browser, blocked all Internet Access on the Firewall, ran a full virus scan and completed a System Restore and was fine.


  4. Pingback: Osama Malware Scams in Facebook and website links | Harry Waldron - Security News

  5. Pingback: Osama malware scams spread to Facebook | Stop Spam Tips

Leave a Reply

Your email address will not be published. Required fields are marked *