Guided shopping

Last week we heard about an online shop that sells iPhones. That would not be unusual, except that it is a classic case of phishing: you reach the site thinking you are buying from Apple’s official shop, but it is nothing of the sort. No matter how many iPhones you order and pay for, you will never receive any.

I dug a little further to see how the swindle is carried out, and what I found really surprised me.

They have plenty of resources devoted to making you visit their website instead of the official one. We had never before seen a deployment of resources and organisation like this.

We already knew about banker Trojans that send all the information they obtain to a server, and which also turn your computer into a bot that is completely controlled by a central server, from which each bot and the stolen information can be managed. Well, I have come across a variation of this framework that is entirely focused on the iPhone swindle.

When a PC is infected by the Trojan, it automatically becomes a bot of the server in question. The first time you connect to the Internet, the Trojan sends several requests to the server in order to receive instructions, which it then carries out on your computer.

The server sends data such that, when you visit certain websites, you are redirected to others without noticing. So far this may seem ordinary, but what surprises me most is that, as well as redirecting, it can display popups and banners, and it can even modify the results returned by the most common search engines, such as Google, when certain searches are made.

When an infected PC visits the official Apple site in order to purchase an iPhone, the user will actually be buying it on the criminals’ website instead of the official one.

All of these operations can be carried out from the control panel in order to steer us to their iPhone online shop.

Currently this bot server controls 7519 bots, a number not to be sneezed at.

From the “COMMANDS ADMIN” section, all kinds of commands can be sent to the bots, from downloading new executables to restarting the PC.

In “REDIRECTS ADMIN”, the redirections are defined: each entry pairs the website the user thinks they are visiting with the website they will really be taken to. Almost all of the redirections involve Apple websites.

In “SEARCH REDIR”, the operators specify the URLs that will be shown when the bot performs a search on an Internet search engine, together with the search terms that trigger the redirection.

In “INJECTS ADMIN”, the “injects” are specified: when a bot visits a listed URL, it injects code into the page so that, for example, it can modify the links on the website. All of the injections target Apple’s websites, and the injected code ensures that when you follow a link on the site you are redirected to their “online shop”.

In “POPUPS ADMIN” and “BANNERS ADMIN”, the banners and popups to be displayed in the bot’s browser are specified. They always point to their iPhone online shop.

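The redirect and inject panels described above hand the user from an Apple page to the fraudulent shop. As an added example (not code from the original post), the following Python script shows one way a defender could spot that hand-off in a web-proxy log: it flags any request whose Referer is a watched brand domain but whose destination is an unrelated domain, and counts which destinations collect those hand-offs across clients. The log format, the client addresses and the domain `iphone-shop.example` are all constructed for the demo and are not taken from the post.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the original post). Assumed format,
# one request per line:  <client-ip> <request-url> <referer-or-->
SAMPLE_LOG = """\
10.0.0.5 https://www.apple.com/iphone/ -
10.0.0.5 https://store.apple.com/us/buy-iphone -
10.0.0.5 https://iphone-shop.example/checkout?item=iphone https://store.apple.com/us/buy-iphone
10.0.0.7 https://www.apple.com/iphone/ -
10.0.0.7 https://images.apple.com/iphone/hero.jpg https://www.apple.com/iphone/
10.0.0.9 https://www.google.com/search?q=buy+iphone -
10.0.0.9 https://iphone-shop.example/ https://www.google.com/search?q=buy+iphone
10.0.0.11 https://iphone-shop.example/ https://www.apple.com/iphone/
"""

# Brand domains whose pages should never hand the user off to an unrelated shop.
# Extend this set with whatever brands the redirect/inject lists are abusing.
WATCHED_BRANDS = {"apple.com"}


def registrable(host):
    """Crude registrable-domain reduction: keep the last two labels.
    Good enough for the .com-style hosts in this demo; a real deployment
    would use the public suffix list instead."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def parse_line(line):
    """Split one assumed-format log line into (client, url, referer-or-None)."""
    client, url, referer = line.split()
    return client, url, (None if referer == "-" else referer)


def find_offbrand_handoffs(log_text, watched=WATCHED_BRANDS):
    """Return (client, referer_domain, destination_domain) for every request
    whose Referer belongs to a watched brand but whose destination does not.
    Legitimate brand pages (e.g. apple.com -> images.apple.com) stay within
    the same registrable domain and are not reported."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, url, referer = parse_line(line)
        if referer is None:
            continue  # direct navigation: no hand-off evidence in this line
        src = registrable(urlsplit(referer).hostname or "")
        dst = registrable(urlsplit(url).hostname or "")
        if src in watched and dst != src:
            hits.append((client, src, dst))
    return hits


def destination_counts(hits):
    """Count how many hand-offs each off-brand destination collected. A centrally
    managed redirect list makes many unrelated clients land on the same domain,
    which is the signal worth escalating."""
    return dict(Counter(dst for _, _, dst in hits))


if __name__ == "__main__":
    found = find_offbrand_handoffs(SAMPLE_LOG)
    for client, src, dst in found:
        print(f"{client}: {src} -> {dst}")
    print("destinations:", destination_counts(found))
```

A purely local redirect, where the bot rewrites the request before it leaves the browser, may carry no Referer at all, so this check catches the injected-link case best; the per-destination count is what makes it useful, because one off-brand domain collecting hand-offs from many clients is exactly what a centrally distributed redirect list looks like from the network side.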
We have never before seen a botnet dedicated specifically to “guiding” its bots when their owners want to buy an iPhone. We can only conclude that this is a very important business for them, above all given the determination with which they have built it.

It is interesting to see how the most widely used tools in the world of Trojans and botnets are now being used in the world of phishing. This proves that thousands of computer crimes are being committed, and the worst thing of all is that many people all over the world have been the victims of these swindles.

This server is currently up and is still sending commands to its bots so that the PCs are redirected to their illegal site.

The most interesting thing of all is that they can use this management system not only for one shop: in future they can also use it for other shops offering brand-new, sought-after products, as with Apple’s iPhone. In fact, the shop is offline right now, but I am sure they will use their botnet again with other “online shops”.