Posted by: Samker
« on: 01. October 2008., 10:33:26 »The launch of Apple’s iPhone in numerous countries is being exploited by cyber-crooks as bait for attracting users and infecting them with malware.
The latest case reported by PandaLabs, Panda Security’s malware detection and analysis laboratory, involves a new pharming attack using the Banker.LKC Trojan. Victims of this attack could find that their bank details end up in the hands of cyber-crooks.
Pharming is a sophisticated version of phishing. It involves manipulating the DNS (Domain Name Server) through the configuration of the TCP/IP protocol or the host file. The DNS servers store the numeric address or IP address (e.g. 62.14.63.187.) associated to each domain name or URL (e.g. www. mibanco.com). The result of the cyber-criminals’ interference is that when a user enters the name of a Web page, the server redirects him to another number, i.e. another IP address hosting a fraudulent Web page, designed to have the appearance of the original page.
In this case, the Banker.LKCTrojan is responsible for the manipulation of the DNS. This malicious code reaches systems under the name “VideoPhone[1]_exe”. Once it is run, and in order to trick users, it opens a browser window displaying a website selling the iPhone (see image at: http://www.flickr.com/photos/panda_security/2884457259/).
While users are viewing this page, the Trojan modifies the hosts file redirecting URLs of banks and other companies to a false web page. This way, users trying to access these banks by typing in the address or accessing them from an Internet search will be redirected to the spoof page. Here they will be asked for confidential details (account number, transaction password, etc.) which will be falling straight into the hands of cyber-crooks.
The manipulation of the hosts file does not cause any other suspicious effect on the computer. In fact, the entire fraud is carried out without arousing the suspicion of users, as all they need to do to become a victim is enter the address of the bank. This makes the attack even more dangerous.
“Cyber-crooks are obviously aiming to use the information they gather to empty users’ accounts”, explains Luis Corrons, Technical Director of PandaLabs. “The iPhone is used in this case as bait to attract users into running the file containing malicious code”.
How to protect yourself against pharming
- When you connect to a page on which confidential details are requested make sure that the URL is the same as the one you typed and that there are no additional letters or numbers, etc.
- Check the security certificate of the sites you visit. Any reliable e-commerce business will have security certification for its servers issued by a recognized security authority. There are several certification authorities; although Verisign is the most widely recognized.
- Make sure you have effective, up-to-date antivirus protection, because, as is the case here, the DNS modification is often carried out with malicious code.
News Source: Panda Security