Poisoned iCloud Search Results Lead to Fake Antivirus Pages

 
 
By Fahmida Y. Rashid  |  Posted 2011-06-20
 
 
 

Businesses and analysts aren't the only ones interested in Apple's upcoming iCloud service. Scammers are moving in on the action to deliver fake antivirus software.

Cyber-criminals have already used black-hat search engine optimization techniques to poison search results for the "iCloud" keyword, Paul Pajares, a fraud analyst with Trend Micro wrote June 20 on the Malware Blog from TrendLabs.

Several of the malicious URLs appeared to have been tied to MyMobi, a news site that covers new gadgets, Pajares said. There have also been several pages with file names containing "apple" and "icloud" on compromised sites, suggesting a coordinated mass attack using those keywords.

Even though the pages have since been cleaned up, there's no guarantee that the cyber-criminals won't re-compromise MyMobi again or find other sites to exploit. Along with the keyword "cloud," scammers have also used "what is apple icloud" and "what is icloud apple," according to Pajares.

"Because we realize the possibility that users might search for information about iCloud, we are currently monitoring possibly new FAKEAV URLs with the TLD co.cc using the keyword -icloud,'" Pajares said.

The malicious URLs generally follow the following format, http://<<domain name>>/<path>/<file>.php?<key>=<search keyword>, according to Norman Ingal, a threat-response engineer at Trend Micro. These URLs are not accessible if they are typed directly into the browser's address bar since they were specifically created to pop up in search-result pages, Pajares said. Just typing in the full URL won't take the user to the correct page as the page gets activated only when referred by a search engine, Pajares said.

Users who find and click on the malicious link will go to what's called a "doorway" page on a legitimate domain that has been compromised, such as MyMobi. From the doorway page, they will be automatically redirected to the attack portal with a .co.cc domain. A script on the site automatically tries to download a file named "SecurityScanner.exe" onto their computers, which installs a fake AV "XP Antispyware 2012," according to Pajares.

After it is installed, it "scans" the computer and displays a warning listing multiple security issues with the computer. Users are requested to register the product to get the full version, which will then fix the discovered problems.

When users click on the registration button inside the software, they are redirected to a phishing site that provides an option to purchase XP Antispyware 2012. If the user doesn't register the software but keeps it installed on the computer, the rogue program blocks major Web browsers, such as Google Chrome and Internet Explorer, from being able to access any Website, according to Pajares.

Instead of a default error page, the fake antivirus displays a page titled, "Visiting this site may pose a security threat to your system!" The page claims the site may have malicious code, spyware, "unsafe network activity" or user complaints. The user is urgently advised to purchase a "copy of AntiSpyware 2012" to safeguard the PC. Continuing to the site is considered "Dangerous," when in reality, there's nothing wrong with the site.

Criminals often take advantage of fast-trending topics to poison search results, Pajares said. Steve Jobs' announcement earlier this month and the resulting lawsuit over the iCloud name has generated a lot of interest and Web searches related to the new cloud platform.

 


Rocket Fuel