iPhone Lure Used in Hacker Exploit

The iPhone hype makes it a natural target -- by scammers looking to sell Apple's first cell phone for a huge markup, and also by hackers looking to add to their bot networks.

Within hours of the iPhone's release, a social engineering e-mail went out with the subject line "Congratulations, you have won a new iPhone from our store!" Following the link in the e-mail takes an unsuspecting user to a Web site that attempts to load a rootkit on the user's computer.

According to security vendor Secure Computing Corp., the same attack was used about two weeks ago in a widespread compromise of about 10,000 Italian Web sites.

The attack "is a two-phase download," according to Paul Henry, vice president of technology evangelism for Secure Computing. A user "gets the e-mail, and clicks on the link to get the iPhone. That takes them to a Web site in Malaysia." The Malaysian Web site looks for ActiveX exploits, and if it finds a hole, the browser is directed to a second Web site, this one in New Jersey, that loads the rootkit on the computer.
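The two-phase chain Henry describes leaves a recognisable footprint in a Web proxy log: one host answers a redirect, and seconds later the same client pulls a binary from a different host while its referer still points at the first. The following script is an added example written for this article, not code from Secure Computing or from the article itself; the log format, the hostnames (`lure.example.test`, `second-stage.example.test` and the others), the client addresses and the `application/octet-stream` download are all constructed for the demonstration.

```python
"""Flag two-stage drive-by download chains in Web proxy logs.

Added example, not from the article or Secure Computing. The lure page on
one host probes the browser and bounces it to a second host that serves the
binary; this script looks for exactly that shape in per-client request
sequences. All hostnames, addresses and log lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log: time | client | status | content-type | url | referer
SAMPLE_LOG = """\
2007-07-02T14:01:10 10.0.0.5 200 text/html http://lure.example.test/iphone/win.html -
2007-07-02T14:01:12 10.0.0.5 302 text/html http://lure.example.test/iphone/check.php http://lure.example.test/iphone/win.html
2007-07-02T14:01:13 10.0.0.5 200 application/octet-stream http://second-stage.example.test/load.exe http://lure.example.test/iphone/check.php
2007-07-02T14:05:00 10.0.0.7 200 text/html http://news.example.test/index.html -
2007-07-02T14:05:02 10.0.0.7 200 image/png http://cdn.example.test/logo.png http://news.example.test/index.html
2007-07-02T14:06:00 10.0.0.9 302 text/html http://shop.example.test/go http://shop.example.test/
2007-07-02T14:06:01 10.0.0.9 200 application/octet-stream http://shop.example.test/files/setup.exe http://shop.example.test/go
"""

# Content types that a browser would typically hand to the OS as a program.
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}


def parse_log(text):
    """Parse the constructed log into one dict per request."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, status, ctype, url, referer = line.split()
        entries.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "status": int(status),
            "ctype": ctype,
            "url": url,
            "referer": None if referer == "-" else referer,
        })
    return entries


def host_of(url):
    """Hostname part of a URL (None if the URL has none)."""
    return urlparse(url).hostname


def find_two_stage_chains(entries, window=timedelta(seconds=30)):
    """Return (client, stage1_url, stage2_url) for each client that received
    a 3xx from one host and, within `window`, fetched a binary from a
    different host with the referer still pointing at the redirecting URL.
    """
    by_client = defaultdict(list)
    for e in entries:
        by_client[e["client"]].append(e)

    hits = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda e: e["time"])
        for i, first in enumerate(reqs):
            if not 300 <= first["status"] < 400:
                continue
            for second in reqs[i + 1:]:
                if second["time"] - first["time"] > window:
                    break  # requests are sorted; nothing later can qualify
                if (second["ctype"] in BINARY_TYPES
                        and second["referer"] == first["url"]
                        and host_of(second["url"]) != host_of(first["url"])):
                    hits.append((client, first["url"], second["url"]))
    return hits


if __name__ == "__main__":
    for client, stage1, stage2 in find_two_stage_chains(parse_log(SAMPLE_LOG)):
        print(f"{client}: redirected by {stage1} -> binary from {stage2}")
```

On the constructed log only the 10.0.0.5 sequence is reported: the image fetch for 10.0.0.7 is not a binary, and the 10.0.0.9 download stays on the same host that issued the redirect, which is how an ordinary software download site behaves. The cross-host condition is what distinguishes the lure-then-loader pattern from a normal redirect to a download, so treat a hit as a triage signal to inspect, not proof of compromise.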

Once the rootkit is installed, it's virtually impossible for the average user to find. Henry said that further analysis this morning resulted in Secure Computing identifying the toolkit. It's the "mpack" toolkit, version 0.93 or higher.

Henry emphasized that it's not an iPhone vulnerability. "This exploit is not for the iPhone. This is a browser exploit," he said in an interview.

A potentially serious exploit. Henry said, "Any Windows PC user that clicks [the e-mail] can immediately be compromised. The PC will be turned into a spambot," part of an army of computers networked together to blast spam to the world. And since it's a rootkit, it would be easy for a hacker to update the malware to add things such as a keylogger, which could steal a user's passwords and other sensitive material.

The best advice, as always, is to remind users on a network never to click a link unless they're sure it's safe. Other safeguards include using an anti-malware scanning product that scans HTML code, and URL filtering products.

As of Monday afternoon, Henry said, the exploit hasn't spread like wildfire, but that shouldn't make users feel safe. In fact, both malicious sites in Malaysia and New Jersey were still up and running when he last checked. "It's a relatively small distribution [so far], but we expect that to continue to grow," he predicted.

About the Author

Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.
