Cyber criminals use iCloud SEO poisoning to spread fake AV

Security experts are warning Apple fans searching for more news about the firm's forthcoming iCloud service to beware of poisoned search results that could lead them to fake anti-virus web pages.

Trend Micro fraud analyst Paul Pajares said in a post on the Trend Labs Malware blog that his team had uncovered several attempts by cyber criminals to take advantage of the popularity of the search term.

Many of the malicious URLs returned when a web user types in ‘iCloud' are linked to a compromised news site, MyMobi, said Pajares. One specific instance linked to a phishing site designed specifically for the rogue anti-virus Windows Antispyware for 2012.

"These URLs are not accessible via the URL address bar; rather, they show up in Google searches. We can tell this because the URL needs to have been referred by Google for it to become accessible," he explained.

"From there, they redirect to a FAKEAV URL bearing a top-level domain (TLD) co.cc. The script for downloading the file is similar to the ones usually used in typical FAKEAV malware."

Pajares added that the Trend team has also seen several pages with file names containing "apple" and "icloud" in what look like compromised sites, indicating a "possible co-ordinated mass compromise leveraging these keywords".

Scareware or fake anti-virus remains a massive money-spinner for cyber criminals. Most recently several versions have even been spotted designed specifically to con Mac users.