A new phishing scam targeting Apple iPhone fans is circulating an effort to draw users to a malicious Web site which distributes a payload of obfuscating malware instead of the coveted gadget.
The exploit comes in the wake of the phone's June 29 US release, and coaxes users into visiting the site by promising a free iPhone. The site uses 10 recently discovered Active X vulnerabilities to install a MSODataSourceControl-based payload which installs rootkit-hidden malware on the victim's machine, and uses encryption to hide the attack.
Secure Computing vice president of technology evangelism Paul Henry said the Web site tracks visitors and redirects them to a clean page in an attempt to thwart security researchers.
"This threat is particularly insidious because the scripts within the HTML code returned to the user contain exploit code for multiple vulnerabilities, improving the hacker's chance of gaining access to install the malware," Henry said.
"While most organizations inspect the traffic directed to their Internet-facing Web servers, many do not inspect the traffic that is returned to their internal users."
Once infected, the iPhone-hopeful's machine becomes a zombie in the hacker's spam botnet where it can be updated with additional malware such as key loggers to capture the victim's financial credentials.
Henry said the scam will spearhead an inevitable surge of iPhone-related security issues due to its hype and timely release.
The iPhone has also been attacked on the user side by hackers aiming to unlock the phone from its AT&T cellular network.
Swapping the AT&T Subscriber Identity Module [SIM] card used with the iPhone for a SIM card from another carrier results in an error message that reads, "Incorrect SIM. This iPhone must be used with an approved SIM".
Web sites including Hackint0sh and the iPhone Dev Wiki have tracked the unlocking efforts to date which look promising considering previous successful attempts on Nokia, Siemens and Motorola mobile phones.
The iPhone uses a SIM card, a removable smart card that contains a user's phone number, as well as limited storage space for contacts and messages.
A removable SIM card is a good sign for hackers, because it indicates the phone is locked using firmware, which could be cracked.
Also, the iPhone battery has come under fire from the US Foundation for Taxpayers and Consumer Rights (FTCR) when the board's CEO Randall Stephenson asked Apple to inform users that it is not user-replaceable.
Although Apple doesn't specifically say the battery cannot be replaced by users, early examinations of the iPhone's innards confirmed that it would be nearly impossible. iFixIt.com, which conducted one of the first iPhone 'tear-downs', noted that the battery is soldered to the device's logic board; a second tear-down by AnandTech.com photographed the battery's leads in close-up, which clearly showed the soldering.
Under the iPhone's standard one-year warranty, Apple will replace the battery free of charge if it drops below 50 percent of original capacity.