Softpedia

May 27th, 2011, 16:42 GMT · By

FBI Warns About Osama-Themed XSS Attacks

[Image: IC3 issues advisory about Osama-related scams]

Through its Internet Crime Complaint Center (IC3), the FBI has issued an alert about Osama bin Laden-themed XSS attacks. However, the warning comes too late to have any significant impact.

As with any incident that attracts a lot of attention, scammers leveraged Osama bin Laden's death to infect users with malware or direct them to spam.

"Recently, social networking site users have fallen victim to 'self' infecting XSS attacks where they actually perform the attack themselves by following directions to view the latest Osama bin Laden video," the IC3 warns.

"Before users can view the video, they must complete a '5 second security check.' A few keyboard shortcuts allow users to cut and paste malicious code directly into their browser's URL without any indications it is a viral scam," the center explains.

While the alert is welcome and will hopefully help educate users about future attacks, it does little to prevent the one already mentioned in the advisory because it took place almost three weeks ago.

These so-called self-XSS attacks are not new. They have been around for years on some social networking websites, for example, Orkut. However, they've become increasingly common on Facebook recently, prompting the company to implement an XSS filter in order to block them.

Unfortunately, as Facebook's chief security officer, Mr. Joe Sullivan, recently told us, it's like a cat and mouse game where the spammers come up with new tricks and the site's security team needs to adapt the protection mechanisms accordingly.

Protection or not, users should be aware that pasting anything they don't understand into their browser's address bar comes with a lot of risks and should never be done.
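
A paste check of the kind that guards against this habit, as an added example that is not from the article or the IC3 advisory. It assumes the pasted code takes the form of a script-scheme URL such as `javascript:`, which the article does not specify; the function names and sample inputs are constructed for illustration.

```javascript
// Added example: strip script schemes from text before it reaches an address bar.
// Assumption: the pasted "code" is a script-scheme URL (javascript:, or vbscript:
// in legacy browsers); the article does not name the scheme.
const SCRIPT_SCHEMES = new Set(["javascript", "vbscript"]);

// Pre-process input the way URL parsers do before reading the scheme:
// trim leading/trailing C0 controls and spaces, then drop tab/newline anywhere.
function normalizeForSchemeCheck(text) {
  return text
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Return the lowercase scheme if the text starts with one, else null.
function leadingScheme(text) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(normalizeForSchemeCheck(text));
  return m ? m[1].toLowerCase() : null;
}

// Strip script schemes repeatedly so a doubled prefix
// ("javascript:javascript:...") cannot survive a single pass.
function sanitizePaste(text) {
  let current = normalizeForSchemeCheck(text);
  let stripped = false;
  while (SCRIPT_SCHEMES.has(leadingScheme(current))) {
    current = normalizeForSchemeCheck(current.slice(current.indexOf(":") + 1));
    stripped = true;
  }
  // Leave ordinary pastes byte-for-byte unchanged.
  return { stripped, text: stripped ? current : text };
}

// Constructed sample pastes (not taken from any real campaign).
const SAMPLES = [
  "javascript:void(0)",
  "  JaVa\tScRiPt:void(0)",
  "https://example.com/video",
];
const results = SAMPLES.map((s) => sanitizePaste(s).stripped);
```

The case and whitespace handling matters because a filter that only matches the literal lowercase prefix misses inputs that a URL parser would still treat as a script URL.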

The IC3 advisory also warns about a 419 scam which made the rounds back in April and involved scammers impersonating James H. Freis, the deputy director of the Financial Crimes Enforcement Network.
