Cyber criminals will jump at any chance and use any news to spread malware, and news doesn't get much bigger right now than the death of Osama bin Laden.

It was obvious that we would see SEO poisoning leading to malware, image search poisoning, spam campaigns, and so on. At the same time, cyber criminals also like to get lucky, which happened here.

Twitter is a great source of information, and in the aftermath of the news of bin Laden's death, people started noticing that a Twitter account called @ReallyVirtual based in Abbottabad, Pakistan had tweeted about hearing helicopters and explosions in the area six hours before the news became public. Essentially he live tweeted during the attack.

Mr. Athar links to his blog on Twitter, and I'm sure a lot of users who saw his tweets went there. Unfortunately for them, the site was compromised and was serving a poorly detected malware through the Blackhole Exploit Kit.

Below is a screenshot of the exploit code on the page:


Anyone going to this page would also load content from the malicious URL above, and the Blackhole Exploit Kit would then try to use several exploits to automatically install malware on the PC.

“Cybercriminals are constantly exploiting where the masses go, and news on Osama bin Laden’s death is no exception. We wanted to warn everyone looking for news on Osama bin Laden’s death to be cautious when clicking on new links. Make no mistake—hackers are going to go after websites, like @ReallyVirtual’s, along with search engine results to prey on visitors looking for more information. Compromises on breaking news items are also very dangerous to organizations because employees who are searching online can potentially put an organization at risk for exploit and data loss.” – Patrik Runald, Senior Manager, Security Research, Websense Security Labs


Author: Websense.