Online criminals are wasting no time in tagging onto the hyped launch of the iPhone.
The SANS Internet Storm Centre is warning of an e-mail scam that lures in users with the promise of a free iPhone. Recipients who click on the link in the spammed e-mail message, however, are guided to a webpage that attempts to exploit several known flaws in Microsoft's Internet Explorer browser to recruit the victim to a botnet.
A second attack uses a mixture of social engineering, malware, and cross-site scripting tactics to defraud victims.
The attack is launched when a user visits a specially crafted web page that attempts to exploit a number of previously disclosed vulnerabilities in Internet Explorer six and seven to install a Trojan application.
The Trojan activates every time that the user visits either Yahoo.com or Google.com, at which point a pop-up is launched advertising a site named "iPhone.com".
Normally, www.iphone.com will redirect to Apple's iPhone page. The Trojan, however, spoofs the iPhone.com domain name and directs users to a fake retail site claiming to be "iphone.com" and using Apple's own logo and iPhone photos.
After filling out the fake order forms, users are then instructed to send payment via wire transfer to an address in Latvia in order to receive the iPhone.
Sunbelt Software chief technology officer Eric Sites recommends that users install the latest security updates for their browser and operating system, and use firewall and antivirus software.
Though the attack currently only targets Internet Explorer, Thomas noted that users should also be vigilant, as the criminal group believed to be behind the attacks has also used Firefox exploits in the past.
iPhone scammers start digging for gold
By Shaun Nichols on Jul 4, 2007 7:00AM
