Searches for iCloud Unveil FAKEAV
Everyone’s talking about the upcoming iCloud, Apple’s newest cloud services offering. From Steve Jobs’ announcement earlier this month at the annual Worldwide Developers Conference (WWDC), to the recent Apple trademark lawsuit, iCloud is easily one of today’s fast-rising topics. In the course of our research, we discovered several attempts to take advantage of the “iCloud” keyword by cybercriminals behind fake antivirus malware.
Cybercriminals typically use search engine optimization (SEO) poisoning techniques to push malicious URLs hosting FAKEAV malware into search results. These blackhat SEO pages use Google as the referrer that triggers the malicious file download. In this case, the file downloaded is named SecurityScanner.exe, which Trend Micro detects as TROJ_FAKEAV.HKZ.
Searching for the keyword “icloud mymobi” returns a possibly malicious URL. MyMobi appears to be a compromised news site about gadgets. We previously blocked the site because of the malicious activity, but since the site appears to have been cleaned up since then, it is now unblocked. In the image pictured above, the domain mymobi.com is infected with files whose names contain “.php3” and the “icloud” keyword. In this instance, the attackers insert topics containing these keywords to gain high page ranking in Google search results and use them as bait, specifically for the rogue antivirus software Windows Antispyware for 2012.
These URLs are not accessible when typed into the address bar; they only show up, and only work, through Google searches, because the request must carry Google as its referrer for the page to become accessible. From there, they redirect to a FAKEAV URL bearing the top-level domain (TLD) co.cc. The script that downloads the file is similar to the ones usually used by typical FAKEAV malware.
Running the downloaded file, SecurityScanner.exe (TROJ_FAKEAV.HKZ), installs the fake antivirus program XP Antispyware 2012. The program contains a registration button. When users click it, the page redirects to a phishing site on a newly created domain that offers a “Choose Plan & Checkout” option to purchase XP Antispyware 2012. The FAKEAV malware also blocks the Web browsers Internet Explorer and Google Chrome from accessing the Internet unless users purchase the product.
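The redirect chain described above (Google search referrer, doorway page on a compromised site, 30x redirect to a co.cc landing page) is easy to spot in proxy logs. The following script is an added example written for this post, not Trend Micro's code; the log format, the client addresses, the `/icloud-apple.php3` path and the `example-fakeav.co.cc` host are all constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs

# Constructed proxy log lines (not real traffic), one request per line:
# time|client|requested URL|status|referer|Location header ("-" when absent)
SAMPLE_LOG = """\
2011-06-20T10:01:02|10.0.0.5|http://www.mymobi.com/news/icloud-apple.php3|302|http://www.google.com/search?q=icloud+mymobi|http://example-fakeav.co.cc/fast/
2011-06-20T10:01:03|10.0.0.5|http://example-fakeav.co.cc/fast/|200|http://www.mymobi.com/news/icloud-apple.php3|-
2011-06-20T10:05:10|10.0.0.7|http://www.mymobi.com/news/icloud-apple.php3|200|-|-
2011-06-20T10:07:44|10.0.0.9|http://www.apple.com/icloud/|200|http://www.google.com/search?q=what+is+apple+icloud|-
"""

def is_google_search(referer):
    """True when the referer is a Google results page, the referrer that unlocks the doorway."""
    if referer in ("", "-"):
        return False
    u = urlparse(referer)
    host = u.hostname or ""
    return (host == "google.com" or host.startswith("www.google.")) and u.path == "/search"

def search_terms(referer):
    """Lower-cased query the user typed into Google, taken from the referer's q= parameter."""
    return parse_qs(urlparse(referer).query).get("q", [""])[0].lower()

def is_fakeav_redirect(status, location):
    """A 30x response whose Location points at a host under co.cc, as in this campaign."""
    if not status.startswith("3") or location == "-":
        return False
    host = urlparse(location).hostname or ""
    return host == "co.cc" or host.endswith(".co.cc")

def find_seo_fakeav_chains(log_text, keyword="icloud"):
    """Return the log entries that match the full chain: Google search for the keyword,
    a doorway page on some site, and a redirect to a co.cc FAKEAV landing page."""
    hits = []
    for line in log_text.splitlines():
        ts, client, url, status, referer, location = line.split("|")
        if not is_google_search(referer):
            continue  # direct visits never reach the cloaked content
        if keyword not in search_terms(referer):
            continue
        if is_fakeav_redirect(status, location):
            hits.append({"time": ts, "client": client, "doorway": url, "landing": location})
    return hits

if __name__ == "__main__":
    for hit in find_seo_fakeav_chains(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} {hit['doorway']} -> {hit['landing']}")
```

Only the first constructed line matches: the direct visit at 10:05 (no referrer) and the Google-referred visit to apple.com (no redirect) are correctly left alone.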
Because users are likely to search for information about iCloud, we are currently monitoring for new FAKEAV URLs under the co.cc TLD that use the keyword “icloud”. We have seen some stray results for search terms like “what is apple icloud” or “what is icloud apple”, but they rank too far from the top to affect many users. We have also seen several pages whose file names contain “apple” and “icloud” on what appear to be compromised sites, suggesting a possible coordinated mass compromise leveraging these keywords.
Users may refer to the following blog entries for more on this blackhat SEO-FAKEAV threat:
- Domain-Hopping Tactics in Blackhat SEO
- Doorway Pages and Other FAKEAV Stealth Tactics
- FAKEAV 101: How to Tell If Your Antivirus Is Fake
Update on June 20, 2011, 7:41 PM PST: As stated above, we’re continuously monitoring this and have observed that the compromised URLs are still alive. We are blocking the specific URLs to prevent Trend Micro customers with Web Threat Protection enabled from being led down this road.
Post from: TrendLabs | Malware Blog – by Trend Micro