iOS7, the next iteration of Apple’s operating system for the iPhone, iPad and iPod Touch, will be discussed at the Apple developer conference WWDC (San Francisco, kicking off 10 June), probably released to developers thereafter, and possibly released to the public in September. There is already intense interest, with rumors, insights and gossip circulating among the Apple cognoscenti. A Google search on ‘iOS7’ today provided more than 3.5 million hits for a product that is months from launch; and as the weeks progress, interest will only grow.
This interest has not been lost on cybercriminals. Websense has already discovered a website getting ready to take advantage of iOS7-mania. ios7news.net may sound like the perfect place to get the lowdown on what Apple is doing, but it is designed to give you a nasty infection rather than useful information. “As gossips circulate news in the wild about iOS7 after the D11 conference presented by Apple CEO Tim Cook,” noted Websense in a recent blog posting, “cybercriminals are setting up a foundation for phishing and malicious activities.”
Websense researchers came across ios7news.net, which was registered some three weeks ago. It is not a finished website, but seems to be in preparation as a phishing site to take advantage of growing interest in iOS7. With its name, it could be used as part of mass spam phishing, or even targeted spear-phishing, with the latest news on Apple developments as the lure. Websense believes its purpose is to deliver ransomware – more specifically, version 5 of Silence Locker.
The index page just provides a list of malware, but includes a folder called ‘vl’. Inside that folder Websense found “the control panel for the ransomware toolkit called ‘Silence Locker’. In this case, we are viewing version 5, which is one of the latest released in 2013. As a ransomware toolkit, Silence Locker can generate a malicious file associated with familiar police enforcement pictures, based on the country of the potential victims.”
As Websense continued its investigation, it found that the website’s IP address is used by other phishing domains. For example, “the domain ‘hxxp://gamingdaily.us’ is most likely a phishing domain for a gaming news website that is also used to host the exploit kit BleedingLife.” The implication is clear: ios7news.net is not an iOS7 news site, but a very dangerous malicious site ‘under construction’ – and it is probably just one of many that will appear over the next couple of months. Users should take this as an advance warning not to click on just any link that offers the latest news on something of interest, especially if that site is ios7news.net, because, surprisingly, Chrome still allows users to go there. It’s probably best not to.