Enterprise security company Secure Computing is warning of a new spam scam in which an email carries the message: "Congratulations, you have won a new iPhone from our store!"
This message links to a malware-downloading website, where those who fall for it are immediately bombarded with exploits for more than 10 ActiveX vulnerabilities, including the MSODataSourceControl vulnerability that Secure Computing Corp. said it warned users about just two weeks ago, in an attempt to gain access and install a malicious payload.
The website tracks visitors and redirects repeat visitors to a different, clean webpage in an effort to thwart security researchers, and it uses XOR encryption to obfuscate the attack, the company said.
Secure Computing also says its researchers have reverse-engineered the code and are prepared to share their findings, examples, and more. The malware includes a rootkit/spam bot that enables a bot herder to remotely control people's PCs to send spam; tomorrow, it could update its code for other nefarious tasks, such as key logging to steal users' credentials on the compromised PC for use in ID theft.
"This yet again confirms the expanding trend in web-borne malware. Because of the popularity of the iPhone brand, this is the first in what's bound to be a series of scams involving the iPhone," said Secure Computing vice president of technology evangelism, Paul Henry.
According to the company, the initial activity of the rootkit/spam bot malware is to incorporate the compromised PC into a spam-sending botnet. Because the malware is rootkit-based, it would be a simple matter for the malicious hacker to update the malware at any time to include other nefarious tasks, such as key logging on the compromised PC to capture the user's financial credentials for use in ID theft.
"Secure Computing has recently seen other evidence of web-borne malware propagating through the use of fake video-hosting sites and fake greeting card messages," Henry added.