Hot on the heels of hackers stealing celebrities’ nude photos from their iCloud accounts and posting them on the Web comes news that iCloud users are being targeted again — this time by a botnet.
The Kelihos botnet is sending emails purporting to be from Apple, informing targets they have purchased the film Lane Splitter through their iTunes account using a PC or other device not previously linked to their Apple ID, Symantec reported. It asks them to provide the ID information.
The timing of the campaign may not be a coincidence, Symantec said. The controllers of the botnet could be exploiting public fears about the security of Apple IDs to lure people into surrendering their credentials.
This is not the first such attack on Apple IDs, Symantec noted.
The Anatomy of the Botnet Attack
The email sent from the botnet provides an IP address, supposedly located in Volgograd, Russia, that’s claimed to have been used to make the alleged purchase, Symantec said.
News reports repeatedly have played up Russia as a breeding ground for cybercriminals, which tends to put victims on alert, while at the same time rendering them vulnerable to accepting any solution offered.
Targets are advised that if they did not in fact make the purchase, they should check their Apple ID by clicking an accompanying link.
That link leads to a shortened URL that in turn directs the targets to a fake Apple website where they are asked to submit their Apple IDs and passwords, which the hackers then harvest, according to Symantec.
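The lure described above combines three tells a mail filter can score without following the link: a brand claimed in the From header that does not own the sending domain, a URL-shortener hop that hides the destination, and a request to re-enter account credentials. The following is an added example, not Symantec's tooling or code from the article; the message, the shortener list and the brand-domain list are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the lure described above; not a real message.
SAMPLE_EMAIL = """\
From: Apple <no-reply@appleid-billing.example>
Subject: Your receipt for Lane Splitter

A purchase of Lane Splitter was made from a PC not previously linked
to your Apple ID (IP address located in Volgograd, Russia). If you did
not make this purchase, check your Apple ID here: http://bit.ly/1abcXYZ
"""

# Assumption: illustrative lists, not an authoritative inventory.
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly"}
BRAND_DOMAINS = {"apple": {"apple.com", "icloud.com", "itunes.com"}}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def in_brand(host, brand):
    # Accept the brand's own domains and their subdomains only.
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])

def analyse(raw):
    """Return the list of phishing indicators found in one RFC 822 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    findings = []
    # Which brand does the message claim to come from?
    brand = next((b for b in BRAND_DOMAINS if b in display.lower() or b in text), None)
    if brand and not in_brand(sender_host, brand):
        findings.append("sender domain not owned by claimed brand: " + sender_host)
    for url in URL_RE.findall(body):
        host = host_of(url)
        if host in SHORTENERS:
            findings.append("shortened link hides destination: " + host)
        elif brand and not in_brand(host, brand):
            findings.append("link domain not owned by claimed brand: " + host)
    if re.search(r"(check|verify|confirm) your .*\b(id|account|password)\b", text):
        findings.append("asks recipient to re-enter account credentials")
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("-", finding)
```

A genuine receipt from the brand's own domain with links back to that domain produces no findings, so the score separates the lure from ordinary purchase mail rather than flagging every message that mentions the brand.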
What’s Going On Here?
The actual identity of the botnet is not immediately clear, although Symantec has identified it as Kelihos, aka “Waledac.”
“Kelihos” is the name of a botnet discovered in 2010 and given that name by Microsoft. Kaspersky called it “Hlux.”
Waledac first was reported in 2008 by Eset.
In April 2009, Eset reported the emergence of Win32/Conficker. Infected PCs tried to access goodnewsdigital.com, which hosted Waledac, to download a new Waledac binary.
Kelihos shares “significant similarities” of code with Win32/Waledac, and that led some to call Kelihos “Waledac 2.0,” according to Microsoft.
That confusion can be seen in a 2012 statement by Dell SecureWorks.
“Who cares?” asked John Prisco, president and CEO of Triumfant, when asked to pin down exactly what the worm behind the botnet is.
“This type of thinking is what’s wrong with cyberdefense today,” he told TechNewsWorld. “It’s the behavior of the malware at the time of attack that’s important.”
Signatures and variants “will have us chasing our tails forever,” Prisco continued. “Use anomaly detection and you won’t fall prey to all these variants.”
Kelihos and Waledac have been taken down before.
Reduce, Reuse, Recycle
For the record, though, “Waledac and Kelihos both send spam, and this is the reason for the confusion,” IT security expert Sorin Mustaca told TechNewsWorld. Both use email to spread but in different ways.
The same group of cybercriminals may have created the code for these worms, because “there aren’t that many cybercriminals who can create a complex piece of software,” Mustaca suggested. “This is just using the old Kelihos [worm] with a new email payload.”
Fixing the Problem
Symantec reiterated well-known practices users can follow to protect themselves: Be suspicious of messages claiming your account has been restricted or needs updating; be wary of links in emails; don’t provide personal information when replying to emails; don’t enter personal information in pop-up pages or windows; and use comprehensive security software.
“This is not Apple’s problem directly,” Mustaca said. “However, they could enforce two-factor authentication and take other steps. Usability drops when you want to make a process more secure, so they need to experiment.”