Cyber-criminals are targeting phones and bank info
POSTED: Thursday, February 21, 2013 - 3:19pm
UPDATED: Thursday, February 21, 2013 - 7:29pm
As recent high-profile attacks at major companies like Facebook and Apple, major publications like the New York Times and Washington Post and the U.S. government itself have made clear, cyber-crime is a very real and growing concern for everyone.
The latest threat report from security firm McAfee highlights the need for vigilance on mobile devices and a change in how people and companies approach security.
Smartphones and tablets are increasingly hot targets for cyber-criminals, and the volume of mobile threats is growing much faster than it did for PCs. The amount of malware detected by McAfee on the devices in 2012 was 44 times what it was the previous year.
The company estimates that 95% of all mobile malware ever devised has been created in the past year alone, and the vast majority of that is made for the Android operating system.
But McAfee's worldwide chief technology officer, Mike Fey, warns against looking at the number of threats targeting Android and assuming that other platforms are safer. Hackers are targeting the operating system partially because it is so open, and also because they tend to focus on the platform they think will be around the longest.
What makes these portable devices such juicy targets for criminals is that they are rife with personal and financial information. For example, many phones have banking features baked in, and criminals can use "Trojan horse" viruses to milk them dry using SMS services that charge per text.
Malware isn't even the biggest issue for mobile users at the moment, says Fey. Phone owners should be more concerned about visiting a site that will do something malicious on their behalf.
"A huge amount of mischief on the Internet happens without anything being downloaded," said Fey.
It's much easier to execute these kinds of scams on smartphones than on desktop computers. With small screens and pared-down mobile sites, a hacker can create a legitimate-looking banking site and trick the person into entering personal information needed to access an account, such as an account number, password and mother's maiden name.
Many intrusions begin in this type of simple way, often with a bad link in an e-mail or on a social network or a webpage that directs a person to a compromised or malicious site.
"There's a reason why those old-school attacks keep getting used," said Fey. "They work."
The McAfee report found that the volume of suspicious URLs jumped significantly in late 2012, averaging 4.6 million a month. In addition to mimicking sites to phish for information, the links can download malware onto a mobile device.
That software can send private data like passwords back to the attackers, or it can add the computer to a botnet -- a network of infected computers controlled by hackers.
The software is downloaded so quickly that most people won't even notice. It's no longer the case that a computer will feel sluggish if there's malware installed, points out Fey. Decent malware won't even be noticeable.
Apple and Facebook traced their recent breaches to similar incidents. Employees visited hacked sites for developers that installed malware on their machines. These hacks, along with Twitter's January breach that resulted in 250,000 user accounts possibly being compromised, were the work of Eastern European gangs searching for intellectual property or other information to resell, according to Bloomberg.
A recent report from security company Mandiant described what it believed to be a powerful computer-hacking operation in Shanghai run by the Chinese military. This alleged high-tech espionage targets U.S. companies in an attempt to steal trade secrets. The issue is so serious that the U.S. government released an extensive report on Wednesday that includes instructions for corporations on how to improve their security.
Regular people will not be immune to the problems plaguing corporations and governments, according to Fey. Once these weapons, such as malware, are out in the world, they spread. Hackers can steal the code written by one government and use it to go after other targets.
While the origins of recent attacks have been grabbing headlines, Fey warns against turning all of our attention to the "bad guys" instead of the systemic security issues on the companies' side.
"It's not about who's attacking you, it's about the fact that you're vulnerable," said Fey. He said putting a face on the cyber-criminals "makes it sound like you can go negotiate with an entity to stop them. That's never been the case with cyberattacks."
The current approach of discovering threats, then fighting them, has to change, according to Fey; he called it "a thousand percent unsustainable."
New threats are popping up constantly, creating a never-ending game of security whack-a-mole.
There are new highly sophisticated attacks that insert themselves below the operating system and can steal all a device's data before wiping it clean. Ransomware is on the rise, in which a criminal steals data or takes control of a computer or mobile device, only releasing their hold when they receive payment. A new attack called Blitzkrieg uses phishing schemes to install a Trojan, which monitors web traffic and scrapes banking information in order to transfer money out of the victims' accounts.
In order to address all these threats, Fey said, the industry needs to rethink security from the ground up, designing more secure products from the start instead of just constantly chasing threats.
"We have to take some of the most complex security issues and simplify them into easy-to-solve problems," he said.