SA’s iPhone launch exploited by “pharming” attack

A Trojan purporting to be a video of the iPhone is at the centre of a new pharming attack.

The malicious payload of the Trojan can result in users being redirected to fraudulent web pages when they try to access their online bank. The aim is to steal confidential user information

Panda Security has revealed that the launch of Apple’s iPhone in countries such as South Africa is being exploited by cyber-crooks as bait for attracting users and infecting them with malware.

The latest case involves a new pharming attack using the Banker.LKC Trojan. Victims of this attack could find their bank details end up in the hands of cyber-crooks.

“Pharming is a sophisticated version of phishing,” explains Jeremy Matthews, head of Panda Security’s sub-Saharan operations. “It involves manipulating the DNS (Domain Name Server) through the configuration of the TCP/IP protocol or the host file. The DNS servers store the numeric address or IP address (e.g. associated to each domain name or URL. The result of the cyber-criminals’ interference is that when a user enters the name of a web page, the server redirects him to another number, i.e. another IP address hosting a fraudulent Web page, designed to have the appearance of the original page.”

In this case, the Banker.LKCTrojan is responsible for the manipulation of the DNS. This malicious code reaches systems under the name “VideoPhone[1]_exe”. In order to trick users, once it is run it opens a browser window displaying a website selling the iPhone (see image at: While users are viewing this page, the Trojan modifies the hosts file, redirecting URLs of banks and other companies to a false web page. This way, users trying to access these banks by typing in the address or accessing them from an Internet search will be redirected to the spoof page. Here they will be asked for confidential details (account number, transaction password, etc.) – confidential information which ends up into the hands of cyber-crooks.

The manipulation of the hosts file does not cause any other suspicious effect on the computer. In fact, the entire fraud is carried out without arousing the suspicion of users, as all they need to do to become a victim is to enter the address of the bank. This makes the attack even more dangerous.

“The iPhone is used in this case as bait to attract users into running the file containing malicious code,” says Matthews. “Cyber-crooks are aiming to use the information they gather to empty users’ accounts.”

How to protect yourself against pharming

When you connect to a page on which confidential details are requested make sure that the URL is the same as the one you typed and that there are no additional letters or numbers, etc.

Check the security certificate of the sites you visit. Any reliable e-commerce business will have security certification for its servers issued by a recognized security authority.

Make sure you have effective, up-to-date antivirus protection, because, as is the case here, the DNS modification is often carried out with malicious code.