Cybercrooks waited just hours to unleash a spam run promising a free phone that instead lured users to a malware-laden website, researchers said.
The emails, which first appeared Saturday morning - just hours after the release - falsely told recipients that they had won a free iPhone from an unnamed retailer, Paul Henry, vice president of technology evangelism at Secure Computing, told SCMagazine.com.
By clicking on a link to sign up for the free phone, users are silently brought to a malware-hosting website that scans their machines for more than 10 previously patched ActiveX vulnerabilities, Henry said. As of this morning, the site was operational.
If an unpatched vulnerability is discovered, victims are redirected to a web server hosted in New Jersey that downloads a rootkit onto their PCs, he said. The goal is to add the compromised machine to a botnet for spamming, but the rootkit lends some versatility.
"Remember, the person controlling this box does have access to the entire machine," Henry said, adding that the attacker can install other malware such as keyloggers used in identity theft.
The attack also is notable because it includes a feature that recognises IP addresses visiting the rogue site.
"They appear to be monitoring access to the website," Henry said. "If you come back a second time, you’re redirected to a benign website. The theory here is they’re trying to thwart the work of security researchers."
Meanwhile, researchers at Sunbelt Software warned Saturday of a similar-type attack, this one using a trojan that, when clicked on, opens a fake iPhone.com sale page, Sunbelt President Alex Eckelberry wrote on his blog.
The scam, which uses a browser helper object (BHO) plug-in for Internet Explorer, attempts to steal financial information from unsuspecting buyers, said Eckelberry, who submitted a fake order to analyse the attack.
"Our order status is pending and now we have to send payment via Western Union or MoneyGram to a fellow in Latvia," he sarcastically wrote.
A majority of anti-virus solutions are having a difficult time catching both attacks, Henry and Eckelberry said.
Henry said threats that take advantage of current events are growing.
"A key element in all of this is that the emails were being sent out within 12 hours of the release of the iPhone," he said. "They were absolutely taking advantage of the hype associated with the release."
Enterprises, aside from ensuring their machines are patched and running up-to-date anti-virus signatures, must do more to protect against web-borne malware, Henry said.
"They need to address HTML code that is being returned from public internet web servers when internal users are surfing the web," he said.
Spammers exploit iPhone hype
By Dan Kaplan on Jul 3, 2007 9:25AM