Osama bin Laden's Death Triggers Facebook, SEO Poisoning Attacks

SEO poisoning attacks and Facebook adware exploiting the news of Osama bin Laden's death are already traveling rapidly across the Internet, detected by researchers at antivirus firm Kaspersky Lab.

The massive phishing campaigns first emerged on Sunday within hours after President Obama announced that Osama bin Laden was dead as a result of an extensive intelligence operation involving the CIA , U.S. Navy Seals and other U.S. agencies.

Spam and phishing campaigns typically spike sharply upwards following a major news event, as cyber criminals look for ways to capitalize on the excessive Internet traffic generated by piqued international interest. This one is no exception, security experts say.

"This is pretty typical of this kind of malware," said Tim Armstrong, malware researcher at Kaspersky Lab. "We see this after any major event happens -- these guys are pretty much waiting. They have such a system set up that they can jump on any topic."

Within about four hours after news broke of bin Laden's death, malware authors began launching SEO campaigns targeting Google to spread rogue antivirus software, while circulating Facebook adware on the social networking site.

"As always, when big news appear in the press, the bad guys start Blackhat SEO campaigns in popular search engines trying to lure users to install Rogueware," said Fabio Assolini, Kaspersky Lab security researcher, in a blog post Monday.

In SEO poisoning attacks, cyber criminals manipulate the search engine's algorithm in order to place a malicious Web site at the top of the search rankings, which, as the some of the first sites the user sees, will often benefit from high volumes of traffic. The malicious or bogus Web sites usually entice users to click by purporting to offer breaking news or information on a global event.

The bin Laden SEO poisoning attacks result from an image search that lures users with headlines such as "Osama bin Dead Awhile" and "Is Osama bin Laden Dead?" coupled with pictures of the international terrorist.

However, when users click on the links, they are taken to one of two domains that offers fake anti-virus software called "Best Antivirus 2011." In reality, the rogue antivirus, which is powered by a Trojan Kaspersky Lab identified as Trojan.Win32.FakeAV.cvoo, tricks users into entering credit card information and paying a fee by claiming that it will allegedly clean their computers.

Armstrong said that what makes this particular rogue antivirus scam unique is that it also comes equipped with a Mac variant that drops an installer, designed to exploit the trusted file system in the Safari browser to launch automatically.

"That's pretty unique," Armstrong said. "These scams apply to Mac users. It looks like cyber criminals are updating their game to include more Mac users."

Meanwhile, Kaspersky Lab experts also detected a slew of bogus Facebook ads that are spreading virally using bin Laden's death as a trigger.

One ad claims "Sweet! FREE Subway To Celebrate Osama's Death—56 Left HURRY!" as well as "2 Southwest Plane Tickets for Free – 56 Left Hurry" along with a shortened URL.

Next: Fake Facebook Ads Ask For User Information

However, when users click the link they are then redirected to a page that asks them to post a message in order to receive more information on how to win. Once the user writes the requested message, the adware will post a new message on their Facebook wall that further spreads the message, and then redirects them to another page where they allegedly can win something else.

The idea behind the scam is to keep redirecting users to pages where that require them to enter personally identifying information such as e-mail addresses, which ultimately translates to money for the cyber criminals, either for each new user or per click.

Armstrong said that more sophisticated and widespread attacks exploiting Osama bin Laden's death will likely follow with time as user interest deepens.

"The mechanisms are in the wild," he said. "It seems they just need to wait for an event and drop a key word. Until that stops working, its low hanging fruit."

Kaspersky Lab experts recommend that users pay close attention to the URL of a site offering information on bin Laden, and avoid clicking on unfamiliar links, even if they reside at top of the search engines and go directly to a trusted news site. They also advised that users be wary of ads on Facebook or any other site with offers that look too good to be true, and avoid entering any personal information on these sites.

Finally, users should equip their computers with comprehensive antivirus or antimalware software and regularly install security updates and patches for browsers, plug-ins and applications as soon as they're released.