iPhone scammers start digging for gold

Online criminals have wasted no time in exploiting Friday's much-hyped launch of the iPhone. 

The Sans Internet Storm Centre has warned of an email scam that lures users with the promise of a free iPhone. 

Recipients who click on the link in the message are guided to a webpage that attempts to exploit several known flaws in Microsoft's Internet Explorer browser to recruit the victim to a botnet.

A second attack uses a mixture of social engineering, malware and cross-site scripting to defraud victims.

The attack is launched when a user visits a specially crafted web page that attempts to exploit a number of previously disclosed vulnerabilities in Internet Explorer 6 and 7 to install a Trojan application. 

The Trojan activates every time the user visits Yahoo.com or Google.com, at which point a pop-up is launched advertising a site named iPhone.com. 

Normally, www.iphone.com will redirect to Apple's iPhone page, but the Trojan spoofs the iPhone.com domain name and directs users to a fake retail site claiming to be iphone.com and using Apple's logo and iPhone images. 

After filling out the fake order forms, users are instructed to send payment via wire transfer to an address in Latvia in order to receive the iPhone.

Eric Sites, chief technology officer at Sunbelt Software, urged users to install the latest security updates for their browser and operating system, and use firewall and antivirus software. 

The attack currently targets Internet Explorer, but Thomas said that Firefox users should also be vigilant, as the group believed to be behind the attacks has used Firefox exploits in the past.