Cyber-criminals are using interest in MMS or SMS on the iPhone to trick users into downloading rogue antivirus software. According to security company Websense, attackers are abusing Google's search engine to get users to click on links leading to a malicious page pushing scareware.
Cyber-criminals are taking advantage of interest in Apple's new Multimedia Messaging
Service capability for the iPhone by poisoning some of the top related Google
results.
According
to Websense Security Labs, scammers are abusing Google to lure victims to sites
pushing
rogue
antivirus software. MMS is an extension
of SMS (Short Message Service). When someone enters search terms related to
iPhone SMS information-such as "how to send multiple chats over SMS"-malicious
URLs are returned in the search results. In a case documented on
the Websense
blog, a malicious URL reached as high as the sixth search result.
Apple
added MMS for the iPhone on Sept. 25. Given the popularity of the iPhone,
it should come as no surprise that attackers sought to parlay interest in the
technology into an opportunity to cash in. The malicious domains involved in
the attack were registered days before
Apple announced the MMS capability,
indicating careful planning on the part of the attackers,
Websense Manager of
Security Research Stephan Chenette told eWEEK.
"Attackers
that are responsible for
black-hat SEO [search engine optimization] ... either own or have leased use of
botnet ... [that] are then used to run Websites which embed within the Website
content relevant news terms which they wish to poison and associate with a
URL," Chenette said. "The URL they associate is under the control of
the attacker and is the URL ... the attacker wants to lure users to. Search engine
crawlers then crawl the Web and find hundreds of thousands of Websites that
have been poisoned.
"Their
crawler, which is an automated program, isn't able tell poisoned Web pages from
legitimate pages and associates the key terms found with the URLs that the
attackers have set up beforehand to serve rogue antivirus [software]," he
added. "It's a numbers game: Since attackers can control hundreds of
thousands of sites, they can control search engine rankings."
In
this particular SEO attack, the following hosts are involved, according to
Websense: jeffersongc.com, ecrq8w9.xorg.pl, toolmusic.cn and
mycomputerlivescan2.com.
"Using
Robtex and various other tools, we can gather public information about these
hosts," Chenette explained on the Websense Security Labs blog. "One
interesting fact we found is that the domain hosting landing page serving the rogue
AV was created on Sept. 23,
2009 ... and the other domain involved was registered minutes before.
We can also see that two of the domains involved share the same IP
address."
If
a user clicks on one of the malicious links controlled by the attackers, he or
she is redirected to a series of pages via 302 redirects. The final landing
page pushes scareware, issuing a fake warning that the visitor's system is
infected with malware and offering fake antivirus software. The supposed answer
to the user's woes, of course, costs money.
According
to researchers, rogue-antivirus scams have been on the upswing of late. In the
Microsoft
Security Intelligence Report released April 8, Microsoft reported that
seven of the top 25 families of malware or unwanted software in the second half
of 2008 had some connection to rogue security software.
Email
Print
