iPhone Lure Used in Hacker Exploit

The iPhone hype makes it a natural target -- by scammers looking to sell Apple's first cell phone for a huge markup, and also by hackers looking to add to their bot networks.

Within hours of the iPhone's release, a social engineering e-mail went out with the subject line "Congratulations, you have won a new iPhone from our store!" Following the link in the e-mail takes an unsuspecting user to a Web site that attempts to load a rootkit on the user's computer.

The attack is one, according to security vendor Secure Computing Corp., that was used in a widespread attack on about 10,000 Italian Web sites about two weeks ago.

The attack "is a two-phase download," according to Paul Henry, vice president of technology evangelism for Secure Computing. A user "gets the e-mail, and clicks on the link to get the iPhone. That takes them to a Web site in Malaysia." The Malaysian Web site looks for Active X exploits, and if it finds a hole, the browser is directed to a second Web site, this one in New Jersey, that loads the rootkit on the computer.

Once the rootkit is installed, it's virtually impossible for the average user to find. Henry said that further analysis this morning resulted in Secure Computing identifying the toolkit. It's the "mpack" toolkit, version 0.93 or higher.

Henry emphasized that it's not an iPhone vulnerability. "This exploit is not for the iPhone. This is a browser exploit," he said in an interview.

A potentially serious exploit. Henry said, "Any Windows PC user that clicks [the e-mail] can immediately be comprised. The PC will be turned into a spambot," part of an army of computers networked together to blast spam to the world. And since it's a rootkit, it would be easy for a hacker to update the malware to add things such as a keylogger, which could steal a user's passwords and other sensitive material.

The best advice, as always, is to remind users on a network to never click a link that they're sure is safe. Other actions to take as a safeguard include using an anti-malware scanning product which scans HTML code, and URL filtering products.

As of Monday afternoon, Henry said, the exploit hasn't spread like wildfire, but that shouldn't make users feel safe. In fact, both malicious sites in Malaysia and New Jersey were still up and running when he last checked. "It's a relatively small distribution [so far], but we expect that to continue to grow," he predicted.

About the Author

Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.


  • How To Remove the Windows 10 Action Center

    Microsoft meant well with Windows 10's Action Center, but the constant pop-up notifications are often more annoying than helpful. Here's how to get rid of them.

  • Google IDs on Azure Active Directory B2B Service Now at 'General Availability'

    Microsoft announced on Wednesday that users of the Google identity and access service can use their personal log-in IDs with the Azure Active Directory B2B service to access resources as "guests."

  • Top 4 Overlooked Features of a Data Backup Strategy

    When it comes to implementing an airtight backup-and-recovery plan, these are the four must-have features that many enterprises nevertheless tend to forget.

  • Microsoft Bolsters Kubernetes with Azure Confidential Computing

    Microsoft on Tuesday announced various developments concerning the use of Kubernetes, an open source container orchestration solution fostered by Google.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.