Tuesday, October 5, 2010

Fake Apple iTunes Receipts Used as Malware Tool

Posted by OurTech Team | Tuesday, October 5, 2010 | Category: , , |

PandaLabs said Monday that the company has discovered fake iTunes receipts that have begun to be sent to users in an attempt to steal personal details.
Ironically, the attack vector is via Flash - a technology Apple refuses to use for its alleged security weaknesses.
According to PandaLabs, the research arm of antivirus vendor Panda Security, users are sent a "receipt" from iTunes that looks completely authentic, with no telltale spelling errors or issues with the image's source code. However, an image posted to the PandaLabs blog had obvious problems with the bill's total, most likely to provoke the user to take action.
The attack begins when the user is invited to click a link to "report a problem".
"After clicking the link, the victim is asked to download a fake PDF reader," PandaLabs said. "Once installation is complete, the user is redirected to an infected Web page containing the Zeus Trojan, which is specifically designed to steal personal data. This phishing attack was uncovered shortly after a similar phishing attack targeting LinkedIn users appeared last week, which appears to have originated in Russia."
Earlier this year, Apple chief executive Steve Jobs posted a note on the Apple Web site that said Apple products would not include support for Flash because the technology is closed, unstable, and antiquated. Adobe responded by saying it would focus its attention on Android apps.
In September, Apple said it would still prohibit Flash to be executed within the Apple iPhone OS browser, but that it would relax its developer guidelines somewhat.
Not surprisingly, PandaLabs urged users to be careful of emails that could possibly hide a link to an site hiding malware.
"Phishing is nothing new," said Luis Corrons, technical director of PandaLabs, in a statement. "What never ceases to surprise us is that the techniques used to trick victims continue to be so simple, but the design and content is so very well-orchestrated. It's very easy to fall into the trap. When using services such as iTunes, it is absolutely crucial that users never go to the website via email, but rather from the platform itself where they can verify their account status."

Currently have 0 Comments:

Leave a Reply