
Archive for July 4th, 2008


Jul 4
by Fatima Bancod (Fraud Analyst)

Trend Micro Content Security engineers have just received a timely Apple Store phishing email. The attack comes well after Apple introduced the 3G iPhone to the consumer market early last month, and is conveniently timed for the week before the phone actually becomes available in stores (in most countries) next week.


Figure 1. Hovering your mouse above the link shows its real destination.

The URL loads the following phishing page, which asks the user for personal information such as credit card type, credit card number, expiration date, security code, billing address, and social security number:


Figure 2. The phishing page features the same sleek Apple Store interface, but don’t be fooled.

This phishing page, like most other phishing attacks we’ve detected and filtered out, is served over an insecure, unencrypted connection, which the missing browser lock icon also reveals. Knowing this useful tidbit can save targeted users from losing their online identities to cyber criminals. Phished Apple credentials give fraudsters access to the Apple Store, iTunes Store, iPhoto, Apple product registration, and AppleCare services, and most importantly, to the account holder’s credit card information.

Trend Micro users are already safe from this threat. Everyone else, especially Apple customers, is likewise advised to use only their own clean bookmarks when visiting sites where sensitive information is likely to be entered.


Jul 4
by Macky Cruz (Technical Communications)

Security analysts mark a secret social events calendar in their heads for good reason. Malware writers have been known to launch offensives using timely celebratory-themed email messages to get users to click on links or open files. Nifty social engineering tricks like these also effectively distract users from the real action: Trojans getting a foot in the door (of target PCs). Independence Day, which is a day of fireworks, floats, and picnics for the United States, is no different.

On the Storm-chasing front we were able to capture spam leveraging the Independence Day festivities, a few of which are shown below:

    Subject: Spectacular fireworks show
    Body: The best firework you’ve ever seen
    Subject: Independence Day firework broke all records
    Body: Fabulous Independence Day firework
    Subject: Long Live America
    Body: Celebrate with Pride

Links contained in messages connect users to the following IP addresses:

  1. hxtp:// 66.{BLOCKED}.{BLOCKED}.222/
  2. hxtp:// 24.{BLOCKED}.{BLOCKED}.159/
  3. hxtp:// 67.{BLOCKED}.{BLOCKED}.202/
  4. hxtp:// 68.{BLOCKED}.{BLOCKED}.252/
  5. http:// 24.{BLOCKED}.{BLOCKED}.92/
  6. http:// 68.{BLOCKED}.{BLOCKED}.164/

All except the last two of the listed IP addresses are unavailable as of this writing. Investigations by our threat researchers reveal that clicking on the links triggers the download of the files fireworks.exe-1 and fireworks.exe-2, both detected by Trend Micro as WORM_NUWAR.VQ.
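The two posts on this page point at the same three link-level indicators a mail filter can test before a user ever hovers over a link: anchor text that names one host while the href goes somewhere else (Figure 1 of the Apple Store phish), a page served over plain http with no lock icon, and links that connect straight to a bare IP address as the Storm messages above do. The following is an added example, not Trend Micro’s code; the mail body and its hostnames are constructed and use example/TEST-NET names rather than any real site.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mail body; hosts use example/TEST-NET names, not real sites.
SAMPLE_HTML = """
<a href="http://store-apple.example.net/verify/">https://store.apple.com/</a>
<a href="http://192.0.2.10/fireworks.exe">Spectacular fireworks show</a>
<a href="https://www.apple.com/support/">Apple Support</a>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from a mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def assess_link(href, text):
    """Return the indicators one anchor triggers (empty list means clean)."""
    target = urlparse(href)
    host = (target.hostname or "").lower()
    flags = []
    if target.scheme == "http":            # no lock icon: anything typed here travels in the clear
        flags.append("insecure-http")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):   # bare IPv4 host, as in the Storm links
        flags.append("ip-literal-host")
    shown = re.match(r"https?://([^/\s]+)", text)      # anchor text that itself looks like a URL
    if shown and shown.group(1).lower() != host:       # must name the host the href really visits
        flags.append("text-host-mismatch")
    return flags

def triage_email(html):
    """Map every href in the mail body to its list of indicators."""
    collector = _LinkCollector()
    collector.feed(html)
    return {href: assess_link(href, text) for href, text in collector.links}
```

The first sample link trips both the text/host mismatch and the plain-http check; the second is a bare-IP download like the ones listed above; the third is clean.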

However, it seems Storm is not the only one keen on leveraging the July 4 celebrations. Our threat researchers have seen a spammed email message that reads as follows:

    From: E Greetings
    Subject: You just received an E-Greetings for the 4′th of july

    Body:
    Greeting

    Hello ,
    A Greeting Card for the 4′th of july is waiting for you at our virtual post office! You can
    pick up your postcard at the following web address:

    ptth:\\www.{BLOCKED}ngs.com/u/view.php¿id=a0190313376667

    visit E-Greetings at ptth:\\www.{BLOCKED}ngs.com//
    and enter your pickup code, which is: a0190313376e667

    (Your postcard will be available for 60 days.)

Compulsive clickers will find themselves downloading an 800+ KB Trojan named july.exe from the malicious domain l-g.ro instead of an e-greeting. We detect this file as TROJ_DROPPER.OAC. When this file is opened, it drops and extracts a temporary CAB file in the temp folder. The CAB contains dr.mrc and mirc.ini, which are likewise malicious (detected as IRC_ZAPCHAST.BI and Mal_Zap, respectively). It also dumps several non-malicious files in the same location. IRC_ZAPCHAST variants are scripts that execute within an mIRC environment, through which a remote malicious user can issue commands on the affected PC, thereby compromising it.

Users in the United States are advised to be wary of similarly-themed email messages they receive in their inboxes within and around the week of Independence Day celebrations. Trend Micro users are already protected from this threat because of the Smart Protection Network.

Please stand by. We’ll post updates on what these malware ultimately do. So far, we already block the malicious URLs and detect the dropper and the IRC malware. Mal_Zap is a heuristic detection that flags files behaviorally and characteristically similar to IRC_ZAPCHAST variants. This is a proactive detection that protects Trend Micro customers even before we receive an actual sample of the file. Our threat engineers are also currently investigating the routines of WORM_NUWAR.VQ.

UPDATED on 17 July 2008: TROJ_DROPPER.OAC drops IRC_ZAPCHAST.BI along with a spoofed mIRC v. 6.0.3.0, a list of servers, and a configuration file. The dropper executes the spoofed mIRC, which loads the malicious script. The spoofed mIRC opens ports 6664 to 6667 to connect to a server. Since TROJ_DROPPER.OAC creates an autostart entry for the spoofed mIRC, the user does not need to have an IRC client installed on the system, or to be an IRC user at all, for this malware to execute on the affected PC.


