Everyone’s talking about the upcoming iCloud, Apple’s newest cloud service offering. From Steve Jobs’ announcement earlier this month at the annual “Worldwide Developers Conference (WWDC)” to the recent Apple trademark lawsuit, iCloud is easily one of today’s fast-rising topics. In the course of our research, we discovered several cybercriminal attempts to peddle FAKEAV malware by taking advantage of the “iCloud” keyword.
Cybercriminals typically use search engine optimization (SEO) poisoning to push malicious URLs that lead to FAKEAV-hosting pages up the search engine results pages. The blackhat SEO pages in this case check that Google is the referrer before running the malicious file download. The downloaded file, named SecurityScanner.exe, is detected by Trend Micro as TROJ_FAKEAV.HKZ.
Searching for the keyword “icloud mymobi” returns a possibly malicious URL. MyMobi appears to be a compromised news site carrying gadget information. We previously blocked the site because of malicious activity, but since it appears to have since been cleaned, it is now unblocked. In the screenshot above, the domain mymobi.com has been seeded with files bearing the extension .php3 and riddled with “icloud” as a keyword. Here, the attackers insert keyword-laden topics to gain high page rankings in Google search results and use them as bait for the rogue antivirus software Windows Antispyware for 2012.
These URLs are not accessible when typed directly into the address bar; they only work when reached from Google search results. We can say this because the URL must be referred by Google in order to become accessible. From there, users are redirected to a FAKEAV URL under the co.cc top-level domain (TLD). The script that downloads the file is similar to those typically used by FAKEAV malware.
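The referrer check described above is what makes these doorway pages invisible to a plain visit. The following is an added example, not code from the original post or from Trend Micro, of how a defender can test a URL for referrer-gated cloaking: request it once with no referrer and once claiming to arrive from a Google search, then compare the two responses. The `fetch` callable, the hostnames and the responses are all constructed placeholders so that the script runs offline; in practice `fetch` would wrap an HTTP client.

```python
"""Detect referrer-gated ("cloaked") doorway pages.

Added example, not Trend Micro's code. A URL that 404s for a direct visit but
redirects Google-referred visitors to a co.cc landing page shows the behaviour
the post describes. The in-memory table below stands in for the remote server.
"""
from urllib.parse import urlsplit

# Referer value a request would carry when the visitor came from a Google search.
GOOGLE_REFERER = "https://www.google.com/search?q=icloud"

# Constructed sample responses: (status, headers, body) keyed by (url, referer).
# Hostnames are placeholders, not real indicators.
_SAMPLE_SERVER = {
    ("http://compromised.example/news/icloud-apple.php3", None):
        (404, {}, "Not Found"),
    ("http://compromised.example/news/icloud-apple.php3", GOOGLE_REFERER):
        (302, {"Location": "http://scan-now.example.co.cc/?id=1"}, ""),
    ("http://benign.example/icloud-review.html", None):
        (200, {}, "<html>iCloud review</html>"),
    ("http://benign.example/icloud-review.html", GOOGLE_REFERER):
        (200, {}, "<html>iCloud review</html>"),
}


def sample_fetch(url, referer=None):
    """Stand-in HTTP client: returns (status, headers, body) from the table."""
    return _SAMPLE_SERVER[(url, referer)]


def is_fakeav_landing(location):
    """Heuristic taken from the post: the FAKEAV landing pages sat under the
    co.cc TLD, and the chain ends in an .exe download."""
    if not location:
        return False
    parts = urlsplit(location)
    host = parts.hostname or ""
    return host.endswith(".co.cc") or parts.path.lower().endswith(".exe")


def detect_referrer_cloaking(url, fetch=sample_fetch):
    """Compare a direct visit with a Google-referred visit to `url`.

    Returns a dict: `cloaked` is True when status, body or redirect target
    differ; `fakeav_indicator` is True when the referred response additionally
    redirects somewhere matching is_fakeav_landing().
    """
    d_status, d_headers, d_body = fetch(url, None)
    r_status, r_headers, r_body = fetch(url, GOOGLE_REFERER)
    redirect_target = r_headers.get("Location", "")
    cloaked = (
        d_status != r_status
        or d_body != r_body
        or d_headers.get("Location") != r_headers.get("Location")
    )
    return {
        "url": url,
        "cloaked": cloaked,
        "direct_status": d_status,
        "referred_status": r_status,
        "redirect_target": redirect_target,
        "fakeav_indicator": bool(cloaked and is_fakeav_landing(redirect_target)),
    }


if __name__ == "__main__":
    for u in ("http://compromised.example/news/icloud-apple.php3",
              "http://benign.example/icloud-review.html"):
        print(detect_referrer_cloaking(u))
```

The comparison deliberately looks at status, body and the `Location` header together: a doorway page may cloak by returning a different status code, a different body, or only a different redirect target, and checking just one of these misses the other cases.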
Running the downloaded file SecurityScanner.exe (TROJ_FAKEAV.HKZ) installs the fake antivirus program XP Antispyware 2012. The program contains a registration button; when it is clicked, users are redirected to a phishing site on a newly created domain that offers a “Choose Plan & Checkout” option to purchase XP Antispyware 2012. The FAKEAV malware also blocks Web browsers such as Internet Explorer (IE) and Google Chrome from accessing the Internet unless users purchase the product.
Because users are likely to search for information about iCloud, we are currently monitoring possible FAKEAV URLs under the co.cc TLD that use the keyword “icloud.” We have seen some stray results for search terms like “what is apple icloud” or “what is icloud apple,” but these rank too far from the top to affect many users. We have also seen several pages with file names containing “apple” and “icloud” on what appear to be compromised sites, suggesting a possible coordinated mass compromise leveraging these keywords.
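The monitoring described above boils down to triaging search-result URLs on a few signals the post names: a co.cc TLD, an “icloud” or “apple” keyword, and keyword-laden .php3 files appearing on otherwise unrelated sites. The following is an added example, not code from the original post or from Trend Micro, that scores a list of URLs on those signals and groups doorway file names across hosts to surface the mass-compromise pattern. The URL list is constructed and the hostnames are placeholders.

```python
"""Triage search-result URLs for the blackhat SEO/FAKEAV indicators in the post.

Added example, not Trend Micro's code. score_url() counts indicators per URL,
triage() filters and ranks a result list, and shared_doorway_files() finds the
same keyword-laden doorway file name served from several distinct hosts.
"""
from urllib.parse import urlsplit

KEYWORDS = ("icloud", "apple")
SUSPECT_TLDS = (".co.cc",)          # TLD the post associates with FAKEAV landing pages
DOORWAY_EXTENSIONS = (".php3",)     # extension the post saw on the injected files

# Constructed sample "search results"; hostnames are placeholders.
SAMPLE_RESULTS = [
    "http://news-site-a.example/gadgets/apple-icloud.php3",
    "http://blog-b.example/tech/apple-icloud.php3",
    "http://scanner.example.co.cc/icloud/SecurityScanner.exe",
    "http://developer.example/docs/icloud.html",
    "http://shop.example/cart.php",
]


def score_url(url):
    """Return {'url', 'score', 'reasons'}; score is the number of indicators hit."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    query = parts.query.lower()
    reasons = []
    if host.endswith(SUSPECT_TLDS):
        reasons.append("co.cc TLD")
    if any(k in path or k in query for k in KEYWORDS):
        reasons.append("keyword in path/query")
    if path.endswith(DOORWAY_EXTENSIONS):
        reasons.append(".php3 doorway file")
    return {"url": url, "score": len(reasons), "reasons": reasons}


def triage(urls, min_score=2):
    """Keep URLs with at least `min_score` indicators, highest score first."""
    hits = [score_url(u) for u in urls]
    hits = [h for h in hits if h["score"] >= min_score]
    return sorted(hits, key=lambda h: (-h["score"], h["url"]))


def shared_doorway_files(urls, min_hosts=2):
    """Map doorway file names to the sorted list of distinct hosts serving them.

    The same keyword-laden .php3 name on several unrelated sites is the
    coordinated-compromise signal the post describes.
    """
    by_name = {}
    for u in urls:
        parts = urlsplit(u)
        name = parts.path.rsplit("/", 1)[-1].lower()
        if name.endswith(DOORWAY_EXTENSIONS) and any(k in name for k in KEYWORDS):
            by_name.setdefault(name, set()).add((parts.hostname or "").lower())
    return {n: sorted(h) for n, h in by_name.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for hit in triage(SAMPLE_RESULTS):
        print(hit["score"], hit["url"], hit["reasons"])
    print(shared_doorway_files(SAMPLE_RESULTS))
```

A single indicator is weak on its own (plenty of legitimate pages mention iCloud), which is why `triage()` defaults to requiring two; the cross-host grouping is what turns a handful of odd-looking results into evidence of a campaign rather than a one-off compromise.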
Users may refer to the following blog entries for more on this blackhat SEO-FAKEAV threat:
- Domain-Hopping Tactics in Blackhat SEO
- Doorway Pages and Other FAKEAV Stealth Tactics
- FAKEAV 101: How to Tell If Your Antivirus Is Fake
Update on June 20, 2011, 7:41 PM PST: As stated above, we’re continuously monitoring this and have observed that the compromised URLs are still alive. We are blocking the specific URLs to prevent Trend Micro product users with Web Threat Protection enabled from being led down this road.