Week in security: Free iPhone scams target eager fans

This week offered a lesson in how cybercriminals follow the news, and time their attacks to dupe the unwary – with several different free iPhone scam attacks aimed at iPhone fans, in the week where Apple unveiled its iPhone 6, and searches for everything iPhone went through the roof.

On eBay, a malicious attacker managed to slip malicious links into a listing for used iPhones, with a script directing users outside the site – and  the site didn’t respond to queries for hours.

Naturally, Facebook was flooded with Apple scam pages offering free iPhone 6 units in advance of the launch.

Meanwhile, gamers playing Grand Theft Auto reported a surge in scammers using hacked game software to steal money in online games, a security researcher highlighted problems with the Internet of Things by spending several months making a Canon printer play Doom, and a forgotten file-compression format .ARJ was resurrected… as a tool for cybercriminals.

Free iPhone scams: Bumper crop

It wouldn’t be an iPhone launch without a feast of scams, and this year offered several for the price of one.

This week’s iPhone 6 launch hit Facebook with a ‘thud’, with multiple scams, including the usual offers of free handsets, with Help Net Security noting that a Facebook page ‘offering’ free iPhone 6 units (in advance of the launch) was, as usual, a total fraud.

This time, the scam promised a free iPhone 6 as soon as “three easy steps” are completed, which, as usual, involved a survey, which allowed you to download a “participation application.”

When a victim completes the free iPhone 6 survey, all their friends are spammed with the fake promotion, Hoax Slayer revealed, but the three “easy” steps are anything but. Each time someone completes a survey, the page claims there is an error, and they are directed to a further survey, according to Help Net. As always, the “free iPhone 6” never materializes.

Auction scams hit Apple fans

Meanwhile, with searches for “iPhone” at an annual high, scammers targeted eBay with malicious auction listings, with scripts which directed victims outsidte the site.

The listing, which offered cheap iPhones for sale, contained a malicious script which directed site users outside eBay to a site which resembled the auction site, but harvested usernames and passwords, according to TameBay.

It was discovered by British IT worker Paul Kerr, according to veteran security researcher Graham Cluley – but was not removed until 12 hours later, when a call from the BBC prompted the site to react.

Not-so-grand thefts hit GTA

Online gaming is never entirely free of cheaters running hacked software – but GTA Online seems to have erupted in a positive plague of thefts. Gamers have reported losing millions of dollars to hackers running customized software which allows them to steal weapons, loot money, and even make people blow up in their own apartments, according to prominent Grand Theft Auto V YouTube reporter DomIsLive, who devoted an issue of his daily show to GTA V hacks this month.

Yahoo News reports that multiple players have been affected by glitches in online games, described variously as “unfairly modded”, ie using in-game tools, or simply as “hacked”.

DomIsLive, who has nearly half a million subscribers on YouTube, says that several of his commenters reported losing “millions” in online games which had seemingly been hacked.

On Rockstar’s forums, various gamers complain about having lost large sums of in-game currency to similar GTA V hacks. DomIsLive claims to have seen multiple threads on the forums relating to the same or similar hacks.

Canon printer plays Doom

The news that a security researcher devoted months to making a printer play Doom might seem funny – but there’s a serious side to the research, which highlighted a serious vulnerability affected connected printers and could have implications for all Internet of Things devices.

Printer giant Canon is to provide a security fix “as quickly as is feasible” after security researcher Michael Jordon exploited vulnerabilities in one of its wireless PIXMA products to run the classic shoot ‘em up game Doom on its color display.

Jordon told the BBC in an interview, “Running Doom: that’s real proof you control the thing. The web interface has no username and password on it.”

Canon said that all new products would have a fix added as soon as possible, and that the fix would retroactively apply to products launched from 2013 onwards.

A search using Shodan (a specialist search engine which finds specific types of devices connected to the internet), revealed thousands of unsecured machines connected directly to the internet.

Persuading the printer to run Doom took “months”, he admits, but the issue is a serious one. Even printers not directly connected to the internet can fall victim, he said, by persuading their owners to click on a bogus link.

Author , We Live Security

Follow us

Copyright © 2016 ESET, All Rights Reserved.