The Kelihos botnet, which has survived three shutdown attempts, has begun sending out phishing messages that aim to exploit consumer concerns over the recent leak of information from Apple’s iCloud service, according to security firm Symantec.
The phishing campaign consists of email messages purporting to be from Apple and asking the targeted victim to authorize a fake iTunes Store transaction, Symantec stated in an analysis published on Sept. 5. The email claims that the transaction was initiated from an Internet address located in Volgograd, Russia.
“It is possible that the timing of the campaign is not a coincidence and the controllers of the botnet are attempting to exploit public fears about the security of Apple IDs to lure people into surrendering their credentials,” Symantec said. “However, this is by no means the first time that attackers have targeted Apple IDs in this fashion.”
Indeed, the Kelihos phishing operation follows another attempt to gather credentials by Dyre, a banking Trojan. The group behind that program has begun targeting user names and passwords of Salesforce.com users, according to an advisory posted by the company on Sept. 3. Salesforce is a cloud sales management service holding significant amounts of information on businesses’ customers.
It’s currently not known why bot masters are targeting users’ credentials. While criminals could steal and sell corporate data—or celebrities’ private images and documents—most users’ data is only valuable to the owner.
Other options do exist. Taking a page from ransomware operations, where a victim’s data is encrypted and the encryption key is held for ransom, attackers could steal a user’s data stored in the cloud and charge for its return. Finally, access to users’ accounts could make criminals’ other endeavors more successful and make social engineering more effective.
It could be all of the above, Orla Cox, a director with Symantec’s security response group, told eWEEK. Bot masters no longer have a single goal in their efforts to compromise victims’ systems, she said.
“These botnets have become multipurpose,” she said. “The operators are diversifying the number of ways that they can monetize the compromise of a computer—collecting user names and passwords is just one way that they can do that.”
The attack comes just days after hackers leaked a slew of intimate celebrity photos to the Internet, allegedly taken from Apple’s servers. While Apple denied that a technical vulnerability in the iCloud data storage service enabled the attackers to gain access to the accounts of movie stars and other celebrities, the company pledged to increase its security.
The Kelihos botnet is notable for its use in spamming, and the group behind the botnet has resurrected the network of compromised machines following takedowns in 2011, 2012 and 2013.
Different coalitions of security companies and law enforcement have attempted to scuttle the botnet on at least three separate occasions. Each time, the action disrupted the botnet, and each time the group behind the botnet restored their operations.