Thursday, October 07, 2010

Consumer Beware:

If you have an iTunes account, take note -- from the daily Tech Republic "infopackets" newsletter comes this nasty bit of news:

Fake iTunes Bill Delivers Bank-Draining Trojan

Hackers have developed a new and clever scam that targets legitimate Apple iTunes subscribers, then drains their bank account.

Fake Bill Traps Customers into Clicking Malware Link

Victims of the scam receive fake "iTunes receipt" that appear completely authentic, with none of the spelling errors or image source code issues that have become synonymous with spam and malware messages.

The only real problem with the would-be receipt is that the total for the bill was said to be completely outrageous. And that's part of the trap.

Clicking "Report a Problem" Is a Big Mistake

Researchers say that the fake and outrageously high bill is enough to raise the ire of legitimate iTunes subscribers. The reason for this is that most people are likely to take action when seeing an "incorrect amount" appear on their bill.

Since the next step for most people in this situation would be to click the "report a problem" tab, this is where hackers have decided to plant the Trojan.

Fake Adobe PDF Reader Delivers Payload

The attack vector uses Adobe Flash, which is a technology that Apple refuses to use for its alleged security weaknesses. Panda Labs released a statement explaining the infection process:

"After clicking the link, the victim is asked to download a fake PDF reader. Once installation is complete, the user is redirected to an infected web page containing the Zeus Trojan, which is specifically designed to steal personal data." (Source:

Phishing Schemes Increasingly Popular

Phishing has become a major problem for security companies in recent weeks, with users of the popular social network LinkedIn being the targets of a similar attack these past few weeks. (Source:

According to Luis Corrons, technical director of Panda Labs, the variation in the methods of attack is what has been keeping security companies on edge.

"Phishing is nothing new. What never ceases to surprise us is that the techniques used to trick victims continue to be so simple, but the design and content is so very well-orchestrated. It's very easy to fall into the trap."

While some of the addresses that the malware uses is blocked by the Anti-Phishing Working Group, uncovering and restricting all addresses is an uphill battle that seems more and more improbable with each passing day.

This a really vicious bit of coding. It will hurt you badly and I suspect most banks will find some way to weasel out of their so-called "Security Guarantees" to avoid paying for the resulting damages. There is no choice but to be hyper-vigilant. After my bout with a bit of malware that mimicked my own virus scanner in March I have become very sensitive to these threats. Fixing the problem was both expensive and very time-consuming, something I wish on no one but the malefactors themselves.

By the way, I highly recommend subscribing to the infopackets newsletter. It is free, scrolling down past the adverts is pretty simple, the links work and the information is timely. What more could you ask from a tech newsletter?

No comments: