Apple's iPhone has been available in South Africa for less than a week and already users are being targeted in a "pharming" attack.
The malicious payload of a Trojan masquerading as a video of the iPhone can result in users being redirected to fraudulent web pages when they try to access their online bank. The aim is to steal confidential user information.
Panda Security has revealed that the launch of Apple's iPhone in countries such as South Africa is being exploited by cyber-crooks as bait for attracting users and infecting them with malware.
The latest case involves a new pharming attack using the Banker.LKC Trojan. Victims of this attack could find their bank details end up in the hands of cyber-crooks.
"Pharming is a sophisticated version of phishing," explains Jeremy Matthews, head of Panda Security's sub-Saharan operations. "It involves manipulating the DNS (Domain Name Server) through the configuration of the TCP/IP protocol or the host file. The DNS servers store the numeric address or IP address associated with each domain name or URL.
"The result of the cyber-criminals' interference is that when a user enters the name of a web page, the server redirects him to another number, like another IP address hosting a fraudulent Web page, designed to have the appearance of the original page."
In this case, the Banker.LKC Trojan is responsible for the manipulation of the DNS. This malicious code reaches systems under the name "VideoPhone_exe". In order to trick users, once it is run it opens a browser window displaying a website selling the iPhone.
While users are viewing this page, the Trojan modifies the hosts file, redirecting URLs of banks and other companies to a false web page. This way, users trying to access these banks by typing in the address or accessing them from an Internet search will be redirected to the spoof page. Here they will be asked for confidential details (account number, transaction password, etc.), which end up in the hands of cyber-crooks.
The manipulation of the hosts file does not cause any other suspicious effect on the computer. In fact, the entire fraud is carried out without arousing the suspicion of users, as all they need to do to become a victim is to enter the address of the bank. This makes the attack even more dangerous.
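Because the hosts file change produces no visible symptom, auditing the file itself is the practical check. The following is an added example, not code from the article or from Panda Security: it parses a hosts file and flags entries that point hostnames at non-local addresses, rating matches against a watch list as high severity. The sample file, the `WATCHED` domains and all addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample hosts file; every name and address is a placeholder.
# On Windows the real file is %SystemRoot%\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1      localhost
::1            localhost
0.0.0.0        ads.tracker.example      # sinkhole entry, harmless
203.0.113.45   www.bank.example bank.example
203.0.113.45   secure.payments.example  # trailing comment
192.168.1.10   nas.home.example
not-an-ip      broken.example
"""
WATCHED = {"bank.example", "payments.example"}  # hypothetical watch list

def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for every well-formed mapping line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: not a usable mapping
        yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]

def audit_hosts(text, watched=WATCHED):
    """Return (line_no, host, ip, severity) for overrides to non-local IPs."""
    findings = []
    for line_no, ip, hosts in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # local or sinkhole mapping, not a redirect to a remote page
        for host in hosts:
            # Match the watched domain itself or any subdomain of it.
            hit = any(host == d or host.endswith("." + d) for d in watched)
            findings.append((line_no, host, str(ip), "high" if hit else "review"))
    return findings

if __name__ == "__main__":
    for line_no, host, ip, severity in audit_hosts(SAMPLE_HOSTS):
        print(f"[{severity}] line {line_no}: {host} -> {ip}")
```

Entries rated "review" are not necessarily malicious (local network aliases are common), but any hosts entry for a banking domain warrants investigation.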
"The iPhone is used in this case as bait to attract users into running the file containing malicious code," says Matthews. "Cyber-crooks are aiming to use the information they gather to empty users' accounts."