"People like us, who believe in physics, know that the distinction between past, present, and future is only a stubbornly persistent illusion." Albert Einstein (1879-1955), German-born American physicist
Targeted Scams

In the last couple of months the trend seems to have shifted towards cybercriminals employing a great number of resources to commit financial fraud through targeted scams. The latest attempt surfaced around the recent launch of the Apple iPhone. Cybercriminals established a phony Apple shop which sold iPhones to the public. However, this was not your common run-of-the-mill phishing attack. This one used a Trojan to guide the user into purchasing an iPhone through the fake shop, where the hackers could capture personal details.

The Trojan works by registering a browser helper object (BHO) within Internet Explorer (RWERA21S1.dll) and monitoring all Internet activity. When a user infected with the Trojan visits www.iphone.com, the Trojan injects code that automatically redirects the browser to an identical fake page. Not only is the Trojan registered as a BHO within Internet Explorer, watching every move the user makes, but it also joins the infected computer to a botnet as a slave. The infected computer can therefore receive remote commands, such as downloading additional malicious executables. The Trojan also includes adware popups to entice users to visit the spoofed iPhone shops. The user receives no hint that his details have been captured and sent to cybercriminals while he waits for his iPhone, which, of course, is never shipped.

Most cybercriminals understand the "business" needs of the hackers who are their customers. For example, sophisticated command and control centers which display statistics are usually included in the purchase price of the custom, made-to-order Trojans they sell. Hackers can compromise a legally registered website or domain to host the control panel for their botnet. To infect users on a massive scale and join them to a botnet, a common method used by cybercriminals is tainting the HTML code (an iframe reference) of legally registered domains in order to establish a staging point for infections.

For example, malware generated with the MPACK hacker toolkit infected users through domains that would otherwise not be suspected as malware transmission points. High-traffic sites are of particular interest to cybercriminals, obviously due to the higher potential for infections. MPACK is suspected to have been used to transmit many forms of malware, including the Limbo 1.5 banking Trojan.

In short, this is another step forward for the Internet mafia, who are developing increasingly complex fraud techniques, using a myriad of tools and tricks to ensure their success.

Luis Corrons

For up-to-date computer security news go to the Panda Security Twitter.
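The iframe tainting described above leaves a trace a site owner can look for: an iframe the legitimate page never contained, usually concealed (1x1 pixel, display:none, or pushed off-screen) and pointing at a domain the site does not use. The scanner below is an added illustration written for this newsletter summary, not Panda's code or any tool the article mentions; the HTML it inspects is a constructed sample, and the attacker host (attacker.invalid) and site host (www.example.com) are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one ordinary embedded player plus two injected,
# concealed iframes of the kind used as an infection staging point.
SAMPLE_HTML = """<html><body>
<h1>Welcome to www.example.com</h1>
<iframe src="https://video.example.net/player" width="400" height="300"></iframe>
<iframe src="http://attacker.invalid/in.php" width=1 height=1 style="visibility:hidden"></iframe>
<div><iframe src="http://attacker.invalid/in2.php" style="display:none;width:100px"></iframe></div>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in the page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Attributes without a value parse as None; normalise to "".
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension_tiny(attrs):
    """True if width/height (attribute or inline style) is 1px or less."""
    for key in ("width", "height"):
        m = re.match(r"\s*(\d+)", attrs.get(key, ""))
        if m and int(m.group(1)) <= 1:
            return True
    style = attrs.get("style", "").lower()
    for m in re.finditer(r"(width|height)\s*:\s*(\d+)", style):
        if int(m.group(2)) <= 1:
            return True
    return False


def find_suspicious_iframes(html, site_host):
    """Return concealed iframes as dicts with 'src' and a list of 'reasons'.

    An iframe is reported only when it carries at least one concealment
    indicator (tiny, hidden, off-screen); whether its src points outside
    site_host is recorded as an extra reason, since a visible third-party
    embed on its own is normal.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        style = attrs.get("style", "").lower()
        reasons = []
        if _dimension_tiny(attrs):
            reasons.append("tiny")
        if re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", style):
            reasons.append("hidden")
        if re.search(r"(left|top)\s*:\s*-\d+", style):
            reasons.append("off-screen")
        if not reasons:
            continue
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            reasons.append("external-src")
        findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(hit["src"], ",".join(hit["reasons"]))
```

Run against the sample, the visible video embed is ignored while both concealed iframes are reported together with the external host they load from. In practice this would run over the site's served pages on a schedule, so that a change in the set of findings, rather than the findings themselves, is what raises the alarm.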
© Panda 2008