Scammers are poisoning search-result terms for the iCloud keyword to direct users to a fake Windows antivirus.
Businesses and analysts aren't the only ones interested in Apple's upcoming iCloud service. Scammers are moving in on the action to deliver fake antivirus software.
Cyber-criminals have already used black-hat search engine optimization techniques to poison search results for the "iCloud" keyword, Paul Pajares, a fraud analyst with Trend Micro, wrote June 20 on the Malware Blog from TrendLabs.
Several of the malicious URLs appeared to have been tied to MyMobi, a news site that covers new gadgets, Pajares said. There have also been several pages with file names containing "apple" and "icloud" on compromised sites, suggesting a coordinated mass attack using those keywords.
Even though the pages have since been cleaned up, there's no guarantee that the cyber-criminals won't compromise MyMobi again or find other sites to exploit. Along with the keyword "cloud," scammers have also used "what is apple icloud" and "what is icloud apple," according to Pajares.
"Because we realize the possibility that users might search for information about iCloud, we are currently monitoring possibly new FAKEAV URLs with the TLD co.cc using the keyword 'icloud,'" Pajares said.
The malicious URLs generally follow this format: http://<domain name>/<path>/<file>.php?<key>=<search keyword>, according to Norman Ingal, a threat-response engineer at Trend Micro. These URLs are not accessible if they are typed directly into the browser's address bar, since they were specifically created to pop up in search-result pages, Pajares said. Typing in the full URL won't take the user to the page, because the page is activated only when the visitor is referred by a search engine, Pajares said.
Users who find and click on the malicious link will go to what's called a "doorway" page on a legitimate domain that has been compromised, such as MyMobi. From the doorway page, they will be automatically redirected to the attack portal with a .co.cc domain. A script on the site automatically tries to download a file named "SecurityScanner.exe" onto their computers, which installs a fake AV, "XP Antispyware 2012," according to Pajares.
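The chain described in the two paragraphs above (doorway URL in the reported format, search-engine referer, redirect to a .co.cc portal, download of SecurityScanner.exe) can be turned into a simple proxy-log triage rule. The following is an added example, not code from the Trend Micro write-up; the log format, the hostnames and the log lines are constructed placeholders, and only the .co.cc TLD, the dropper file name and the URL shape come from the article.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Doorway shape from the article: http://<domain>/<path>/<file>.php?<key>=<keyword>
DOORWAY_RE = re.compile(r"^https?://[^/]+/.+/[^/?]+\.php\?[^=&]+=[^&]+$", re.I)
ROGUE_TLD = ".co.cc"                  # attack-portal TLD named in the write-up
ROGUE_FILE = "securityscanner.exe"    # dropper file name named in the write-up
SEARCH_ENGINES = ("google.", "bing.", "yahoo.")  # referers that "activate" a doorway

def classify(url, referer=""):
    """Return indicator tags for one request (empty list = nothing notable)."""
    tags = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    ref_host = (urlsplit(referer).hostname or "").lower()
    if DOORWAY_RE.match(url):
        values = " ".join(v for vs in parse_qs(parts.query).values() for v in vs)
        if "icloud" in values.lower():
            tags.append("icloud-doorway")
            if any(s in ref_host for s in SEARCH_ENGINES):
                tags.append("search-referred")   # doorway only serves search visitors
    if host.endswith(ROGUE_TLD):
        tags.append("co.cc-portal")
    if parts.path.lower().endswith("/" + ROGUE_FILE):
        tags.append("fakeav-dropper")
    return tags

def scan_log(lines):
    """Parse constructed 'client_ip url referer' lines; return {url: tags} for hits."""
    hits = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 2:
            continue
        url = fields[1]
        referer = fields[2] if len(fields) > 2 else ""
        tags = classify(url, referer)
        if tags:
            hits[url] = tags
    return hits

# Constructed sample log; hostnames are placeholders, not real indicators.
SAMPLE_LOG = [
    "10.0.0.5 http://www.google.com/search?q=what+is+apple+icloud -",
    "10.0.0.5 http://news-site.example/blog/apple.php?q=what+is+apple+icloud http://www.google.com/search?q=what+is+apple+icloud",
    "10.0.0.5 http://scan-portal.co.cc/scan/index.php?id=77 http://news-site.example/blog/apple.php?q=what+is+apple+icloud",
    "10.0.0.5 http://scan-portal.co.cc/dl/SecurityScanner.exe http://scan-portal.co.cc/scan/index.php?id=77",
    "10.0.0.9 http://intranet.example/wiki/page.php?title=icloud+notes -",
]
```

Run `scan_log(SAMPLE_LOG)` to see the full chain tagged; the intranet line shows why the "search-referred" tag matters, since a PHP page with an iCloud keyword alone is only a weak signal.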
After it is installed, it "scans" the computer and displays a warning listing multiple security issues with the computer. Users are requested to register the product to get the full version, which will then fix the discovered problems.
When users click on the registration button inside the software, they are redirected to a phishing site that provides an option to purchase XP Antispyware 2012. If the user doesn't register the software but keeps it installed on the computer, the rogue program blocks major Web browsers, such as Google Chrome and Internet Explorer, from accessing any Website, according to Pajares.
Instead of a default error page, the fake antivirus displays a page titled "Visiting this site may pose a security threat to your system!" The page claims the site may have malicious code, spyware, "unsafe network activity" or user complaints. The user is urgently advised to purchase a "copy of AntiSpyware 2012" to safeguard the PC. Continuing to the site is labeled "Dangerous," when in reality there's nothing wrong with the site.
Criminals often take advantage of fast-trending topics to poison search results, Pajares said. Steve Jobs' announcement earlier this month and the resulting lawsuit over the iCloud name have generated a lot of interest and Web searches related to the new cloud platform.