‘Osama Bin Laden’ Trojan Horse Spying on Online Banking Sessions

Jay Decenella, IT audit expert
May 05, 2011 /

Online or offline, the specter of Osama bin Laden hounds internet users no end as cyber criminals and scammers are resorting to different tactics to lure willing victims to bite on their trap, including a new Trojan horse that purports to contain death images of the notorious al-Qaeda leader.

Some other instances of spreading the bin Laden malware across the cyber space include the use of phony claims in emails with malicious texts presumably leading to the “shocking video” and the classic Nigerian Letter or “419” Fraud that asks for an advance fee in exchange for a percentage of millions of dollars that the sender purports to spirit away from Nigeria.

Shortly after the news on the historic killing of Osama bin Laden in Abbottabad City, Pakistan by the US Navy SEALs broke out earlier this week , scammers were quick to spread a malicious link across Facebook and elsewhere in the cyber space.

The link is professed to point to the death video of bin Laden purported to be banned from TV networks all over the world. However, the link takes users to a page that asks for conditions before they can see the “shocking” video. Facebook users won’t actually be able to see any video but a scam survey that asks for completion before moving them further.

Now, cyber criminals have taken a step higher. Security experts and the Federal Bureau of Investigation have spotted bogus emails that contain a Trojan horse which, when clicked on by the recipient, plants a malicious software on the PC designed to spy on the user’s online banking activities.

The Trojan horse contains an attachment with the file name “Fotos_Osama_Bin_Laden.zip” that contains bogus images and videos of how bin Laden was killed and buried in the sea. The Obama administration has earlier announced that the genuine photos of bin Laden’s corpse would be released soon.

The Trojan horse asks users to first execute the application, just like any other software, before they can see the disturbing images. However, running the compressed file means granting access to cyber criminals to monitor your banking sessions, and worse, redirecting your online payments to their accounts.

Mikko Hypponen, chief research officer of Helsinki-based security firm F-Secure, explained that the Trojan horse belongs to the three-year-old “Banload” line (Downloader.Banload.ONK), a worm found on March 2008 that attempts to spread itself by sending users of Google-owned social networking site Orkut, malicious links that point to the worm itself.

In the offline world, scammers are using the decades-old Nigerian Letter or 419 scam. This was the same attack that Brian Krebs, a security researcher, claimed to be coming from a financial institution based in a foreign land that uses “bots that crawl millions of Web sites and ‘scrape’ addresses from pages.”

The scam encourages the recipients to send information to the author, such as blank letterhead stationery, bank name and account numbers, and other identifying information using a fax number provided in the letter.


Share your opinion

SEO Powered By SEOPressor