Incidents

Osama Bin Laden Spam/Ads on Facebook

I guess the news about the death of Osama Bin Laden has reached everyone around the world by now. We have noticed that every time something as big as this happens, people get curious and start searching on the Internet. My colleague Fabio noticed the same thing: during his research he found cybercriminals spreading rogueware via Blackhat SEO and Google Images. You can read more about his findings here.

This prompted me to do a quick search on Facebook to see what was happening there. I immediately saw that spam ads were already spreading on Facebook, using videos of the death of Osama Bin Laden as the lure. On one Page, multiple users were posting the same URL with the following message: “Sweet! FREE Subway To Celebrate Osamas Death – 56 Left HURRY!” or “2 Southwest Plane Tickets for Free – 56 Left Hurry”, followed by a link to a URL-shortening service (http://tiny.cc/). Note that both variants carry the same “56 Left” count: the countdown is static text meant to create urgency, not a real number of remaining prizes.

When you click the link, you are redirected to a page that says you need to post a message in order to get further instructions on how to win.

If the user posts the message, the scam publishes a new message on the user’s wall, spreading itself further, and then redirects the user to another page where they can supposedly win something else. The scheme keeps redirecting victims to pages where they have to enter information such as an email address; the scammers are paid for every new sign-up or click they generate.
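As an added example (not part of the original post), the following Python heuristic flags the pattern described above on a feed of wall posts: the same shortened link pushed by several distinct accounts, “free” bait wording, and a countdown (“56 Left … HURRY”) that is identical across message variants. The sample posts, user names and the tiny.cc path are constructed for illustration; the shortener list is an assumption a deployment would tune.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample wall posts modelled on the two messages quoted above.
# User names, the short-URL path and the benign posts are made up.
SAMPLE_POSTS = [
    {"user": "alice", "text": "Sweet! FREE Subway To Celebrate Osamas Death - 56 Left HURRY! http://tiny.cc/abc12"},
    {"user": "bob",   "text": "Sweet! FREE Subway To Celebrate Osamas Death - 56 Left HURRY! http://tiny.cc/abc12"},
    {"user": "carol", "text": "2 Southwest Plane Tickets for Free - 56 Left Hurry http://tiny.cc/abc12"},
    {"user": "dave",  "text": "2 Southwest Plane Tickets for Free - 56 Left Hurry http://tiny.cc/abc12"},
    {"user": "erin",  "text": "RIP. Thoughts with everyone in NYC tonight."},
    {"user": "frank", "text": "Great article on the raid: http://example.com/news/raid-analysis"},
]

# Assumed list of URL shorteners worth treating as opaque; extend as needed.
SHORTENER_DOMAINS = {"tiny.cc", "bit.ly", "goo.gl", "t.co", "tinyurl.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# "<N> Left ... HURRY": a countdown followed by an urgency word, case-insensitive.
URGENCY_RE = re.compile(r"\b(\d{1,4})\s+left\b.*\bhurry\b", re.IGNORECASE)
FREE_RE = re.compile(r"\bfree\b", re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL found in the post text."""
    return URL_RE.findall(text)


def is_shortener(url):
    """True if the URL's host is a known shortener (the real target is hidden)."""
    return urlparse(url).netloc.lower() in SHORTENER_DOMAINS


def score_post(text):
    """Score one post on the three bait signals; returns (score, reasons)."""
    score, reasons = 0, []
    if any(is_shortener(u) for u in extract_urls(text)):
        score += 1
        reasons.append("shortened URL")
    m = URGENCY_RE.search(text)
    if m:
        score += 1
        reasons.append("countdown urgency (%s left ... hurry)" % m.group(1))
    if FREE_RE.search(text):
        score += 1
        reasons.append("free-offer bait")
    return score, reasons


def find_campaigns(posts, min_users=2, min_score=2):
    """Group posts by URL and flag a URL as a campaign when at least
    min_users distinct accounts pushed it with bait-like text.
    Returns {url: {"users": [...], "variants": n, "static_countdown": bool}}."""
    by_url = defaultdict(lambda: {"users": set(), "texts": set(), "score": 0})
    for p in posts:
        s, _ = score_post(p["text"])
        for url in extract_urls(p["text"]):
            entry = by_url[url]
            entry["users"].add(p["user"])
            entry["texts"].add(p["text"])
            entry["score"] = max(entry["score"], s)

    campaigns = {}
    for url, entry in by_url.items():
        if len(entry["users"]) < min_users or entry["score"] < min_score:
            continue
        # The same countdown number across different message variants means
        # the "N left" figure is a fixed template value, not real inventory.
        counts = {m.group(1) for t in entry["texts"]
                  for m in [URGENCY_RE.search(t)] if m}
        campaigns[url] = {
            "users": sorted(entry["users"]),
            "variants": len(entry["texts"]),
            "static_countdown": len(entry["texts"]) > 1 and len(counts) == 1,
        }
    return campaigns


if __name__ == "__main__":
    for url, info in find_campaigns(SAMPLE_POSTS).items():
        print(url, info)
```

The per-post score alone is not a verdict; a single friend sharing a real promotion with a bit.ly link would score 1 or 2. The campaign view is what matters here: one opaque link, several accounts, templated urgency text, and a “remaining” count that never moves.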

Please make sure that your computer is up to date with all security patches and that your antivirus is updated, and if you do click on links from Facebook and other social media pages, make sure that you don’t give out any important information (usernames, passwords).

Since the bad guys seem to be taking advantage of this opportunity quite heavily, we expect to see more malicious code using the death of Osama Bin Laden as a lure.

