Twitter simps fall for 'Obama punched a guy' vid promise scam

Brits, Swedes keenest to see Prez swing a fist


A spam campaign doing the rounds on Twitter that implausibly offers to show a picture, and then a video, of US President Obama punching someone in the face is ultimately designed to spread the infamous Koobface worm.

Prospective victims typically receive a direct message on Twitter, which contains the text “Check out Obama punch a guy in the face for calling him a n%£$*r”, and a malicious link to a fake Facebook page. This fake page confronts users with a request to submit their Twitter login credentials, as a blog post by Panda Security warns.

Users foolhardy enough to follow this request end up with compromised Twitter accounts, while their followers on the micro-blogging site receive further malware lures as direct messages, perpetuating the scam.

Instead of gaining access to the non-existent Obama right hook, victims are transported to a website that displays a fake YouTube video set against a fake Facebook background. Those stupid enough to go through with instruction to update their "YouTube player" to watch the video end up installing a variant of the Koobface worm.

The malware steals personal data from compromised machines.

Koobface is a strain of malware that has bedevilled social networking users (particularly on Facebook) since late 2008. The worms has earned scammers income principally through pay-per-install malware in the past, so the latest variant is a bit of a departure that essentially cuts out the middleman in personal data and ID theft scams.

It's unclear how many victims have been hit by the two-part Obama sucker punch scam, which represents another example of how cybercrooks are increasingly attempting to use social networks as a means to spread malware.

"This attack exploits the two most popular social networking sites, Facebook and Twitter, to trick users into believing they are viewing a trusted site," said Luis Corrons, technical director of PandaLabs. "It also relies on its victims’ curiosity by using a scandalous story involving US President Barack Obama and racism. Cyber-criminals know people are curious by nature and take advantage of this to trick users."

The countries most affected by this outbreak, which has claimed an estimated 2,000 victims, are the UK and Sweden, according to Panda.

Corrons added that users who follow a few common sense rules are far less likely to fall victim of these types of malware scams.

"As a general rule, always keep your antivirus software up to date and be wary of messages offering sensational videos or unusual stories as, in 99 percent of cases they are designed to compromise user security," he warned. ®

Broader topics


Other stories you might like

  • Emotet malware gang re-emerges with Chrome-based credit card heistware
    Crimeware groups are re-inventing themselves

    The criminals behind the Emotet botnet – which rose to fame as a banking trojan before evolving into spamming and malware delivery – are now using it to target credit card information stored in the Chrome web browser.

    Once the data – including the user's name, the card's numbers and expiration information – is exfiltrated, the malware will send it to command-and-control (C2) servers that are different than the one that the card stealer module uses, according to researchers with cybersecurity vendor Proofpoint's Threat Insight team.

    The new card information module is the latest illustration of Emotet's Lazarus-like return. It's been more than a year since Europol and law enforcement from countries including the United States, the UK and Ukraine tore down the Emotet actors' infrastructure in January 2021 and – they hoped – put the malware threat to rest.

    Continue reading
  • Symbiote Linux malware spotted – and infections are 'very hard to detect'
    Performing live forensics on hijacked machine may not turn anything up, warn researchers

    Intezer security researcher Joakim Kennedy and the BlackBerry Threat Research and Intelligence Team have analyzed an unusual piece of Linux malware they say is unlike most seen before - it isn't a standalone executable file.

    Dubbed Symbiote, the badware instead hijacks the environment variable (LD_PRELOAD) the dynamic linker uses to load a shared object library and soon infects every single running process.

    The Intezer/BlackBerry team discovered Symbiote in November 2021, and said it appeared to have been written to target financial institutions in Latin America. Analysis of the Symbiote malware and its behavior suggest it may have been developed in Brazil. 

    Continue reading
  • HelloXD ransomware bulked up with better encryption, nastier payload
    Russian-based group doubles the extortion by exfiltrating the corporate data before encrypting it.

    Windows and Linux systems are coming under attack by new variants of the HelloXD ransomware that includes stronger encryption, improved obfuscation and an additional payload that enables threat groups to modify compromised systems, exfiltrate files and execute commands.

    The new capabilities make the ransomware, first detected in November 2021 - and the developer behind it even more dangerous - according to researchers with Palo Alto Networks' Unit 42 threat intelligence group. Unit 42 said the HelloXD ransomware family is in its initial stages but it's working to track down the author.

    "While the ransomware functionality is nothing new, during our research, following the lines, we found out the ransomware is most likely developed by a threat actor named x4k," the researchers wrote in a blog post.

    Continue reading
  • Symantec: More malware operators moving in to exploit Follina
    Meanwhile Microsoft still hasn't patched the fatal flaw

    While enterprises are still waiting for Microsoft to issue a fix for the critical "Follina" vulnerability in Windows, yet more malware operators are moving in to exploit it.

    Microsoft late last month acknowledged the remote code execution (RCE) vulnerability – tracked as CVE-2022-30190 – but has yet to deliver a patch for it. The company has outlined workarounds that can be used until a fix becomes available.

    In the meantime, reports of active exploits of the flaw continue to surface. Analysts with Proofpoint's Threat Insight team earlier this month tweeted about a phishing campaign, possibly aligned with a nation-state targeting US and European Union agencies, which uses Follina. The Proofpoint researchers said the malicious spam messages were sent to fewer than 10 Proofpoint product users.

    Continue reading
  • Clipminer rakes in $1.7m in crypto hijacking scam
    Crooks divert transactions to own wallets while running mining on the side

    A crew using malware that performs cryptomining and clipboard-hacking operations have made off with at least $1.7 million in stolen cryptocurrency.

    The malware, dubbed Trojan.Clipminer, leverages the compute power of compromised systems to mine for cryptocurrency as well as identify crypto-wallet addresses in clipboard text and replace it to redirect transactions, according to researchers with Symantec's Threat Intelligence Team.

    The first samples of the Windows malware appeared in January 2021 and began to accelerate in their spread the following month, the Symantec researchers wrote in a blog post this week. They also observed that there are several design similarities between Clipminer and KryptoCibule – another cryptomining trojan that, a few months before Clipminer hit the scene, was detected and written about by ESET analysts.

    Continue reading
  • Chinese-sponsored gang Gallium upgrades to sneaky PingPull RAT
    Broadens targets from telecoms to finance and government orgs

    The Gallium group, believed to be a Chinese state-sponsored team, is going on the warpath with an upgraded remote access trojan (RAT) that threat hunters say is difficult to detect.

    The deployment of this "PingPull" RAT comes as the gang is broadening the types of organizations in its sights from telecommunications companies to financial services firms and government entities across Asia, Southeast Asia, Europe and Africa, according to researchers with Palo Alto Networks' Unit 42 threat intelligence group.

    The backdoor, once in a compromised system, comes in three variants, each of which can communicate with the command-and-control (C2) system in one of three protocols: ICMP, HTTPS and raw TCP. All three PingPull variants have the same functionality, but each creates a custom string of code that it sends to the C2 server, which will use the unique string to identify the compromised system.

    Continue reading
  • Chinese 'Aoqin Dragon' gang runs undetected ten-year espionage spree
    Researcher spots it targeting Asian government and telco targets, probably with Beijing's approval

    Threat researcher Joey Chen of Sentinel Labs says he's spotted a decade worth of cyber attacks he's happy to attribute to a single Chinese gang.

    Chen has named the group Aoqin Dragon, says its goal is espionage, and that it prefers targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam.

    The gang is fond of attacks that start by inducing users to open poisoned Word documents that install a backdoor – often a threat named Mongall or a modified version of the open source Heyoka project.

    Continue reading

Biting the hand that feeds IT © 1998–2022