Panda Security detects malicious trojan used for iPhone ‘pharming attacks’
Posted by Dennis Sellers
Sep 24, 2008 at 3:23pm
Panda Security, a provider of IT security solutions, says that PandaLabs, the company’s laboratory for detecting and analyzing malware, has determined that the Banker.LKC Trojan, which purports to be a video of the iPhone, is at the center of a new wave of pharming attacks.
The aim of these pharming attacks is to steal confidential user information. The Trojan’s malicious payload can redirect users to fraudulent web pages when they try to access their online bank, so victims could find that their bank details end up in the hands of cyber-crooks, say the folks at Panda.
Pharming is a sophisticated version of phishing. It involves manipulating the DNS (Domain Name Server) lookup, either through the TCP/IP configuration or through the hosts file. DNS servers store the numeric address, or IP address (e.g. 62.14.63.187), associated with each domain name or URL (e.g. www.mibanco.com). The result of the cyber-criminals’ interference is that when a user enters the name of a web page, the lookup returns a different number, i.e. another IP address, hosting a fraudulent web page designed to look like the original.
In this case, the Banker.LKC Trojan is responsible for manipulating the DNS lookup. This malicious code reaches systems under the name “VideoPhone1_exe”. Once it is run, in order to trick users, it opens a browser window (shown below) displaying a web site selling the iPhone.

While users are viewing this page, the Trojan modifies the hosts file, redirecting the URLs of banks and other companies to a false web page. This way, users trying to access these banks, whether by typing in the address or by following a link from an Internet search, are redirected to the spoof page. There they are asked for confidential details (account number, transaction password, etc.), which fall straight into the hands of cyber-crooks.
Manipulating the hosts file causes no other suspicious effect on the computer. In fact, the entire fraud is carried out without arousing users’ suspicion, as all they need to do to become a victim is enter the address of their bank. This makes the attack even more dangerous.
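The hosts-file tampering described above leaves a footprint a defender can audit for. The following is an added example, not code from Panda Security or this article: it parses hosts-file text and flags a watchlisted bank domain that appears at all, or any other name pointed at a non-local address. The watchlist and the sample hosts content are constructed for illustration.

```python
# Added example (not Panda's or the article's code): audit a hosts file for
# the pharming footprint described above. Watchlist and sample are constructed.
import ipaddress

# Hypothetical watchlist of domains that must never be overridden locally.
WATCHLIST = {"www.mibanco.com", "online.examplebank.test"}

# Constructed sample: normal local entries plus one malware-style override.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    intranet.corp.local
62.14.63.187    www.mibanco.com   # injected line (constructed)
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        entries.extend((fields[0], name.lower()) for name in fields[1:])
    return entries

def is_local_target(ip):
    """Loopback, link-local and RFC 1918 targets are the usual legitimate uses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False            # malformed address: treat as not local
    return addr.is_loopback or addr.is_private or addr.is_link_local

def suspicious_entries(entries, watchlist=WATCHLIST):
    """Flag any watchlisted domain present at all (even a 127.0.0.1 blackhole
    is tampering) and any other name pointed at a non-local address."""
    flagged = []
    for ip, name in entries:
        if name in watchlist:
            flagged.append((ip, name, "watchlisted domain overridden"))
        elif not is_local_target(ip):
            flagged.append((ip, name, "non-local address in hosts file"))
    return flagged

if __name__ == "__main__":
    # On a real host, read C:\Windows\System32\drivers\etc\hosts or /etc/hosts.
    for ip, name, reason in suspicious_entries(parse_hosts(SAMPLE_HOSTS)):
        print(f"{ip:<16} {name:<24} {reason}")
```

Running it over the sample reports only the injected www.mibanco.com line; the loopback and RFC 1918 entries pass.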
Luis Corrons, technical director of PandaLabs, offers this advice on protecting yourself against pharming:
° When you connect to a page that requests confidential details, make sure the URL is the same as the one you typed and that no additional letters, numbers, etc. have been added.
° Check the security certificate of the sites you visit. Any reliable e-commerce business will have security certification for its servers issued by a recognized security authority. There are several certification authorities, although Verisign is the most widely recognized.
° Make sure you have effective, up-to-date antivirus protection, because, as is the case here, the DNS modification is often carried out with malicious code.
Contributor
Dennis Sellers
Dennis has been a newspaper editor/reporter (seven years) and teacher (seven years). He has over 4,000 magazine, newspaper and online articles to his credit. He has also covered the Mac and tech industries for over a decade for such online publications as MacCentral, MacMinute and now MacsimumNews.