
Searches for iCloud Unveil FAKEAV

  • Posted on: June 20, 2011 at 12:08 am
  • Posted in: Bad Sites, Malware
  • Author: Paul Pajares (Fraud Analyst)

Everyone’s talking about the upcoming iCloud, Apple’s newest cloud service offering. From Steve Jobs’ announcement earlier this month at the annual “Worldwide Developers Conference (WWDC)” to the recent Apple trademark lawsuit, iCloud is easily one of today’s fast-rising topics. In the course of our research, we discovered several cybercriminal attempts to peddle FAKEAV malware by taking advantage of the “iCloud” keyword.

Cybercriminals typically use search engine optimization (SEO) poisoning to push malicious URLs, which lead to pages hosting FAKEAV malware, up the search engine results pages. These blackhat SEO pages check that Google is the referrer before serving the malicious file download. In this case, the downloaded file, named SecurityScanner.exe, is detected by Trend Micro as TROJ_FAKEAV.HKZ.


Searching for the keyword “icloud mymobi” returns a possibly malicious URL. MyMobi appears to be a compromised news site carrying gadget information. We had previously blocked the site because of malicious activity, but since it appears to have been cleaned since then, it is now unblocked. In the image above, the domain mymobi.com has been seeded with files bearing the extension .php3 and stuffed with the keyword “icloud.” Here, the attackers insert keyword-laden topics to gain high page rankings in Google search results and use them as bait, specifically for the rogue antivirus software Windows Antispyware 2012.


These URLs are not accessible by typing them into the browser address bar; they only work when reached from Google search results. We can say this because the request must carry Google as its referrer before the page becomes accessible. From there, the pages redirect users to a FAKEAV URL under the co.cc top-level domain (TLD). The script that downloads the file is similar to the ones typically used by FAKEAV malware.
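The referrer-gated behavior described above (a page that serves a redirect to a co.cc domain only when the visitor arrives from a Google search, and ordinary content otherwise) leaves a distinctive trace in a compromised site's own web server logs. The following script is an added example, not code from the original post or from Trend Micro, showing how a site owner could scan access logs for such doorway pages. It assumes an Apache "combined" log format extended with the response Location header via the `%{Location}o` directive, and the sample log lines, host names, and paths are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumed log format: Apache "combined" plus a trailing "%{Location}o" field,
# so that off-site redirects served by the doorway page are visible in the log.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<location>[^"]*)"'
)

# Indicators taken from the blog post: keyword-stuffed .php3 files and
# redirects to the co.cc TLD. Extend these lists for other campaigns.
KEYWORDS = ("icloud",)
WATCHED_TLDS = ("co.cc",)

# Constructed sample log (not real traffic): one cloaked doorway page, one
# search-referred redirect seen only once, one keyword-stuffed file that has
# not (yet) redirected anyone, and one benign request.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Jun/2011:10:14:02 +0000] "GET /news/icloud-apple-icloud-release.php3 HTTP/1.1" 302 0 '
    '"http://www.google.com/search?q=icloud+mymobi" "Mozilla/5.0" "http://scan-now.example.co.cc/scan.php"',
    '198.51.100.7 - - [19/Jun/2011:10:15:30 +0000] "GET /news/icloud-apple-icloud-release.php3 HTTP/1.1" 200 4120 '
    '"-" "Mozilla/5.0" "-"',
    '192.0.2.9 - - [19/Jun/2011:10:16:11 +0000] "GET /index.php HTTP/1.1" 200 9876 '
    '"http://www.google.com/search?q=mymobi" "Mozilla/5.0" "-"',
    '203.0.113.5 - - [19/Jun/2011:10:17:45 +0000] "GET /gadgets/what-is-apple-icloud.php3 HTTP/1.1" 302 0 '
    '"http://www.google.co.uk/search?q=what+is+icloud+apple" "Mozilla/5.0" "http://secure-scan.example.co.cc/SecurityScanner.exe"',
    '198.51.100.8 - - [19/Jun/2011:10:18:03 +0000] "GET /news/icloud-icloud-icloud-wwdc.php3 HTTP/1.1" 200 3100 '
    '"-" "Mozilla/5.0" "-"',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_search_referer(referer):
    """True when the referrer is a Google web search results page."""
    if referer in ("", "-"):
        return False
    u = urlparse(referer)
    host = (u.hostname or "").lower()
    return host.startswith(("google.", "www.google.")) and u.path.startswith("/search")


def is_watched_tld(url):
    """True when the redirect target sits under one of the watched TLDs."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in WATCHED_TLDS)


def is_keyword_stuffed(path, keywords=KEYWORDS):
    """True for .php3 files whose name carries one of the bait keywords."""
    p = path.lower()
    return p.endswith(".php3") and any(k in p for k in keywords)


def find_doorway_pages(log_lines, keywords=KEYWORDS):
    """Group requests by path and flag paths that behave like doorway pages."""
    per_path = defaultdict(lambda: {"search_redirects": 0, "direct_ok": 0, "targets": set()})
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_path[rec["path"]]
        if rec["status"].startswith("3") and is_watched_tld(rec["location"]) and is_search_referer(rec["referer"]):
            stats["search_redirects"] += 1
            stats["targets"].add(urlparse(rec["location"]).hostname)
        elif rec["status"] == "200" and rec["referer"] == "-":
            stats["direct_ok"] += 1

    findings = []
    for path, s in per_path.items():
        if s["search_redirects"] and s["direct_ok"]:
            verdict = "cloaked-doorway"          # redirects searchers, serves content to direct visitors
        elif s["search_redirects"]:
            verdict = "search-referred-redirect"  # off-site redirect seen, no direct visit to compare
        elif is_keyword_stuffed(path, keywords):
            verdict = "keyword-stuffed-path"      # injected file name, no redirect observed yet
        else:
            continue
        findings.append({"path": path, "verdict": verdict, "targets": sorted(s["targets"])})
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    for f in find_doorway_pages(SAMPLE_LOG):
        print(f"{f['verdict']:26} {f['path']}  -> {', '.join(f['targets']) or '-'}")
```

A path is only called a cloaked doorway when the log shows both behaviors for the same file: a redirect to the watched TLD for search-referred visitors and a normal 200 response for direct visitors. Paths with only one side of that evidence are reported with a weaker verdict so the site owner can pull the file and inspect it rather than rely on the log alone.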

Running the downloaded file SecurityScanner.exe (TROJ_FAKEAV.HKZ) installs the fake antivirus program XP Antispyware 2012. The program contains a registration button. When clicked, users are redirected to a phishing site on a newly created domain that offers a “Choose Plan & Checkout” option to purchase XP Antispyware 2012. The FAKEAV malware also blocks the Web browsers Internet Explorer (IE) and Google Chrome from accessing the Internet unless users purchase the product.


Because users are likely to search for information about iCloud, we are currently monitoring possible FAKEAV URLs under the co.cc TLD that use the keyword “icloud.” We have seen some stray results for search terms like “what is apple icloud” or “what is icloud apple,” but they rank too far from the top to affect many users. We have also seen several pages with file names containing “apple” and “icloud” on what appear to be compromised sites, suggesting a possible coordinated mass compromise leveraging these keywords.

Users may refer to the following blog entries for more on this blackhat SEO-FAKEAV threat:

  • Domain-Hopping Tactics in Blackhat SEO
  • Doorway Pages and Other FAKEAV Stealth Tactics
  • FAKEAV 101: How to Tell If Your Antivirus Is Fake

Update on June 20, 2011, 7:41 PM PST: As stated above, we’re continuously monitoring this and have observed that the compromised URLs are still alive. We are blocking the specific URLs to prevent Trend Micro product users with Web Threat Protection enabled from being led down this road.

Tags: compromised sites, FakeAV, iCloud, Malware
