iPhone Lure Used in Hacker Exploit

The iPhone hype makes it a natural target -- by scammers looking to sell Apple's first cell phone for a huge markup, and also by hackers looking to add to their bot networks.

Within hours of the iPhone's release, a social engineering e-mail went out with the subject line "Congratulations, you have won a new iPhone from our store!" Following the link in the e-mail takes an unsuspecting user to a Web site that attempts to load a rootkit on the user's computer.

According to security vendor Secure Computing Corp., the attack is the same one used in a widespread compromise of about 10,000 Italian Web sites about two weeks ago.

The attack "is a two-phase download," according to Paul Henry, vice president of technology evangelism for Secure Computing. A user "gets the e-mail, and clicks on the link to get the iPhone. That takes them to a Web site in Malaysia." The Malaysian Web site probes the browser for exploitable ActiveX controls, and if it finds a hole, the browser is directed to a second Web site, this one in New Jersey, that loads the rootkit onto the computer.

Once the rootkit is installed, it's virtually impossible for the average user to find. Henry said that further analysis this morning resulted in Secure Computing identifying the toolkit. It's the "mpack" toolkit, version 0.93 or higher.

Henry emphasized that it's not an iPhone vulnerability. "This exploit is not for the iPhone. This is a browser exploit," he said in an interview.

It is a potentially serious exploit. Henry said, "Any Windows PC user that clicks [the e-mail] can immediately be compromised. The PC will be turned into a spambot," part of an army of computers networked together to blast spam to the world. And since it's a rootkit, it would be easy for a hacker to update the malware to add things such as a keylogger, which could steal a user's passwords and other sensitive material.

The best advice, as always, is to remind users on a network never to click a link unless they're sure it is safe. Other safeguards include using an anti-malware scanning product that inspects HTML code, and deploying URL filtering products.
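The two-phase chain Henry describes (a landing page that probes for ActiveX, then a bounce to a second host for the payload) is something both HTML scanning and URL filtering can key on. The following is an added illustration of that defender-side logic, not code from the article or from Secure Computing; the proxy log format, the indicator names and all hostnames are constructed placeholders, not the real sites involved.

```python
import re
from urllib.parse import urlparse

# Indicators that a landing page is probing the browser for ActiveX controls
# or bouncing it onward. The indicator names are my own, not the vendor's.
ACTIVEX_PROBES = {
    "activexobject-ctor": re.compile(r"new\s+ActiveXObject\s*\(", re.I),
    "object-classid": re.compile(r"<object\b[^>]*\bclassid\s*=", re.I),
    "meta-refresh": re.compile(r"<meta\b[^>]*http-equiv\s*=\s*[\"']?refresh", re.I),
}


def scan_html(html):
    """Return the sorted indicator names found in an HTML document."""
    return sorted(name for name, rx in ACTIVEX_PROBES.items() if rx.search(html))


def redirect_hops(log_lines):
    """Parse constructed proxy log lines of the form '<url> <status> <location|->'
    and return the ordered list of distinct hosts the browser was sent through."""
    hops = []
    for line in log_lines:
        url, status, location = line.split()
        for candidate in (url, location if location != "-" else None):
            host = urlparse(candidate).hostname if candidate else None
            if host and (not hops or hops[-1] != host):
                hops.append(host)
    return hops


def is_two_phase_chain(hops, landing_html):
    """Flag the article's pattern: the lure lands on one host whose page probes
    for ActiveX, and the browser is then sent on to a second host."""
    return len(hops) >= 2 and bool(scan_html(landing_html))


# Constructed sample data: placeholder hosts and a harmless stand-in landing page.
SAMPLE_LOG = [
    "http://landing.example.my/iphone.html 200 -",
    "http://landing.example.my/probe.js 200 -",
    "http://payload.example.us/load 200 -",
]
SAMPLE_LANDING = """<html><body>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<script>try { new ActiveXObject("Placeholder.Control"); } catch (e) {}</script>
</body></html>"""

if __name__ == "__main__":
    hops = redirect_hops(SAMPLE_LOG)
    print(hops, scan_html(SAMPLE_LANDING), is_two_phase_chain(hops, SAMPLE_LANDING))
```

In a real deployment the HTML would come from a proxy or mail-gateway fetch of the linked page, and a positive result would feed the URL filter rather than being printed.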

As of Monday afternoon, Henry said, the exploit hadn't spread like wildfire, but that shouldn't make users feel safe. In fact, both malicious sites, in Malaysia and New Jersey, were still up and running when he last checked. "It's a relatively small distribution [so far], but we expect that to continue to grow," he predicted.

About the Author

Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.
