The recent iPhone launch is being exploited by cyber-crooks for financial gain. PandaLabs (makers of Panda Internet Security 2007) has uncovered a tool that controls a botnet made up of over 7,500 zombie computers infected by the Aifone.A bot Trojan. If the user of an infected PC tries to buy an iPhone online, their confidential data might end up in the hands of cyber-criminals.

Here’s how it works: When a PC is infected by the Aifone.A bot Trojan, it automatically becomes a bot controlled by the server in question (i.e. the server controls your computer over the Internet). The first time you connect to the Internet, the Trojan sends several requests to the server to receive instructions, which it then carries out on your computer.



The server sends data in such a way that when you visit certain websites, you are redirected to other ones without being aware of it. Up to this point this can seem normal, but what surprises me most is that, as well as redirecting you, it is able to display popups and banners, and it can even modify the results offered by the most commonly used Internet search engines, such as Google, when certain searches are made.

Here’s how it can affect iPhone buyers: When a user of an infected PC visits www.iphone.com in order to purchase an iPhone, they will actually be buying it on the criminals’ website instead of the official one. Users will be giving their credit card information and payment to the wrong people, which means they won’t be getting an iPhone anytime soon, and it can also lead to identity theft and fraud.

The bot could also be modified and used to target users interested in any other product, or even several groups of users simultaneously, which would increase the cyber-criminals’ chances of success.

What you can do:

“This is one of the most sophisticated attacks we have seen targeting a user community, in this case iPhone users. It is a really complex, dangerous attack that combines elements of malware (the Trojan), phishing (the spoofed web page) and even adware (pop-ups, modification of search results, etc.)”, explains Luis Corrons, Technical Director of PandaLabs.

If you think your computer might have been infected by this malware, scan your system with Panda Internet Security 2007. The scan is free and will tell you if your system has been infected.

More Information:

The tool uncovered by PandaLabs has a series of features that allow cyber-crooks to take users of infected computers to a false page that appears to be the official iPhone page. As a result, if the user tries to buy the phone from the spoof page, they will actually be giving their bank details to cyber-criminals.

One of the tabs in the tool, called “REDIRECTS ADMIN”, allows criminals to specify which web pages the bot must redirect and where they must be redirected to. In this case, the tool sends users who want to visit the official iPhone pages to a false web page.

Another tab, “SEARCH REDIR”, is used to specify the results that the Trojan must display when the infected user performs an Internet search and where they should be redirected to when they click any of the links. Obviously, this will be the false page.

In the “INJECTS ADMIN” section it is possible to indicate the links that the Aifone.A Trojan must modify. As a consequence, if the user visits a web page that contains a link to a page dealing with the iPhone, they will also be redirected to the false page.

Other tabs, “POPUPS ADMIN” and “BANNERS ADMIN”, allow cyber-crooks to display pop-ups and banners advertising the iPhone on the infected computer. The aim is to entice users to visit the spoofed web page and buy the phone from it.