Apple iPhone SMS Used as Bait in Rogue Antivirus Scam

 
 
By Brian Prince  |  Posted 2009-09-28
 
 
 

Cyber-criminals are taking advantage of interest in Apple's new Multimedia Messaging Service capability for the iPhone by poisoning some of the top related Google results.

According to Websense Security Labs, scammers are abusing Google to lure victims to sites pushing rogue antivirus software. MMS is an extension of SMS (Short Message Service). When someone enters search terms related to iPhone SMS information-such as "how to send multiple chats over SMS"-malicious URLs are returned in the search results. In a case documented on the Websense blog, a malicious URL reached as high as the sixth search result.

Apple added MMS for the iPhone on Sept. 25. Given the popularity of the iPhone, it should come as no surprise that attackers sought to parlay interest in the technology into an opportunity to cash in. The malicious domains involved in the attack were registered days before Apple announced the MMS capability, indicating careful planning on the part of the attackers, Websense Manager of Security Research Stephan Chenette told eWEEK.

"Attackers that are responsible for black-hat SEO [search engine optimization] ... either own or have leased use of botnet ... [that] are then used to run Websites which embed within the Website content relevant news terms which they wish to poison and associate with a URL," Chenette said. "The URL they associate is under the control of the attacker and is the URL ... the attacker wants to lure users to. Search engine crawlers then crawl the Web and find hundreds of thousands of Websites that have been poisoned.

"Their crawler, which is an automated program, isn't able tell poisoned Web pages from legitimate pages and associates the key terms found with the URLs that the attackers have set up beforehand to serve rogue antivirus [software]," he added. "It's a numbers game: Since attackers can control hundreds of thousands of sites, they can control search engine rankings."

In this particular SEO attack, the following hosts are involved, according to Websense: jeffersongc.com, ecrq8w9.xorg.pl, toolmusic.cn and mycomputerlivescan2.com.

"Using Robtex and various other tools, we can gather public information about these hosts," Chenette explained on the Websense Security Labs blog. "One interesting fact we found is that the domain hosting landing page serving the rogue AV was created on Sept. 23, 2009 ... and the other domain involved was registered minutes before. We can also see that two of the domains involved share the same IP address."

If a user clicks on one of the malicious links controlled by the attackers, he or she is redirected to a series of pages via 302 redirects. The final landing page pushes scareware, issuing a fake warning that the visitor's system is infected with malware and offering fake antivirus software. The supposed answer to the user's woes, of course, costs money.

According to researchers, rogue-antivirus scams have been on the upswing of late. In the Microsoft Security Intelligence Report released April 8, Microsoft reported that seven of the top 25 families of malware or unwanted software in the second half of 2008 had some connection to rogue security software.

Rocket Fuel