Latest, Coolest Gizmos at a Malware Near You
Monday July 2, 2007 at 8:31 am CST
Posted by Geok Meng Ong
Over this weekend, McAfee Avert Labs tracked down a phishing website that claims to be selling the first 25,000 exclusive sets of Apple iPhones. This turns out to be the work of Phish-BuyPhony, a trojan designed to redirect legitimate websites to a malicious phishing website in the victim's browser and masquerade as them. The evil plan is to entice victims into buying limited iPhones from the fake website that never get delivered, with payment made through Western Union or MoneyGram to a guy in Latvia.
To improve its chances, the malware tracks the victim's web activity and spawns a popup advertisement when the victim visits Apple's official website or a popular search engine such as Google or Yahoo.

When clicked, the victim is brought to www.iphone.com, a normally legitimate webpage that redirects to www.apple.com/iphone/. In an infected scenario, the webpage loads a phishing website instead, served from the iesecurityupdates.com domain.

The phishing website even displays a TRUSTe icon. When the victim clicks on the TRUSTe icon, it displays a fake validation page for www.iphone.com as a certified participant in the TRUSTe privacy program. This webpage does not come from truste.org, but is hosted on the malicious iesecurityupdates.com domain.
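The two symptoms described above (a brand hostname whose navigation ends up on iesecurityupdates.com instead of apple.com, and a TRUSTe validation page served from a domain other than truste.org) are both visible in web proxy logs. The following is an added detection example written for this post, not code from McAfee or the original article; the log line format, the allowlist of expected redirect targets and the set of legitimate seal hosts are assumptions, and the sample log lines are constructed to mirror the behaviour the post describes.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the original post). Client 10.0.0.7
# is a clean host; client 10.0.0.9 shows the redirect and fake-seal pattern the
# post describes, with iesecurityupdates.com as the serving domain.
SAMPLE_LOG = """\
2007-07-01T09:12:01 client=10.0.0.7 url=http://www.iphone.com/ status=302 location=http://www.apple.com/iphone/
2007-07-01T09:12:02 client=10.0.0.7 url=http://www.apple.com/iphone/ status=200 location=-
2007-07-01T09:15:44 client=10.0.0.9 url=http://www.iphone.com/ status=302 location=http://iesecurityupdates.com/iphone/
2007-07-01T09:15:45 client=10.0.0.9 url=http://iesecurityupdates.com/iphone/ status=200 location=-
2007-07-01T09:15:50 client=10.0.0.9 url=http://iesecurityupdates.com/truste/validate?site=www.iphone.com status=200 location=-
"""

# Assumed allowlist: where a navigation to each brand host is expected to land.
EXPECTED_REDIRECTS = {
    "www.iphone.com": {"www.apple.com", "www.iphone.com"},
}

# Assumed set of hosts that may legitimately serve a TRUSTe validation page.
SEAL_HOSTS = {"www.truste.org", "truste.org"}

# Assumed log line layout: timestamp, client, requested URL, HTTP status and the
# Location header of the response ("-" when absent).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) url=(?P<url>\S+) "
    r"status=(?P<status>\d{3}) location=(?P<location>\S+)$"
)


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlparse(rec["url"]).hostname
    rec["location_host"] = (
        urlparse(rec["location"]).hostname if rec["location"] != "-" else None
    )
    return rec


def check_record(rec):
    """Apply both rules to one parsed record and return a list of findings."""
    findings = []

    # Rule 1: a brand host redirected somewhere outside its expected targets.
    allowed = EXPECTED_REDIRECTS.get(rec["host"])
    if allowed and rec["location_host"] and rec["location_host"] not in allowed:
        findings.append(
            ("unexpected_redirect", rec["client"], rec["host"], rec["location_host"])
        )

    # Rule 2: a path that presents itself as a TRUSTe validation page but is
    # served from a host that is not TRUSTe's own.
    path = urlparse(rec["url"]).path.lower()
    if "truste" in path and rec["host"] not in SEAL_HOSTS:
        findings.append(("spoofed_seal", rec["client"], rec["host"], rec["url"]))

    return findings


def scan_log(text):
    """Run both rules over every parseable line of a proxy log and collect findings."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            findings.extend(check_record(rec))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Rule 1 only fires for hosts listed in the allowlist, so it stays quiet on ordinary traffic; Rule 2 keys on the path rather than the hostname, which is what catches a seal page hosted on the attacker's domain. Both rules point at the infected client, which is the useful output for incident response.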

Normally, this website displays the following data:

This phishing website is hosted on a server that was last known to be associated with several HTool-MPack exploits. We've just discussed loosely managed web domains being repeatedly used to host new malware in a recent blog post, and Phish-BuyPhony simply adds to the list.
More screen shots and details of Phish-BuyPhony at:
