Three rising cybercrime
Just when you think you've safeguarded
yourself from electronic security risks, along comes a new exploit to keep you up
at night John Brandon explains three up and coming threats, and how to beat
While smartphone viruses are still
relatively rare, text-message attacks are becoming more common, according to
Rodney Joffe, senior vice-president and senior technologist at mobile messaging
company Neustar and director of the Conficker Working Group, a coalition of
security researchers that came together to fight the malware known as
Conficker. PCs tend to be well protected today, he said, so some black-hat
hackers are now targeting mobile devices. Their incentive is mostly financial:
text messaging provides a way to break into devices and make money.
Khoi Nguyen, group product manager for
mobile security at Symantec, confirmed that text-message attacks aimed at
smartphone OSes are commonplace now that people are increasingly reliant on
mobile devices. It’s not just consumers who are at risk, he added. Any employee
who fails for an SMS ruse using a company smartphone can jeopardise the
business’s network and data.
Social network spoofing
Users of Facebook, Linkedin and other
social networks are vulnerable to attacks that rely on account spoofing. A
scammer poses as someone you know or a friend of a friend in order to fool you into
revealing personal information. He then uses that information to gain access to
your other accounts and eventually steal your identity.
In a typical exploit, someone contacts
you on a social network pretending to be a friend of a friend or a co-worker of
someone you trust. This new 'friend' then contacts you through text message or
email. The correspondence seems legitimate because you believe he has a
connection with someone you trust. In another scenario, a scammer might
impersonate someone you already know - claiming to be an old school friend, for
example. Spoofers can find out your connections by following your public feeds
or looking up the names of co-workers on sites such as Linkedin, where you've
posted your work information.
An emerging criminal tactic, which
sees hackers interfering with GPS signal, has security experts divided on just
how harmful it could become.
Jamming a GPS signal at the source is
next to impossible, said Phil Lieberman, founder of enterprise security vendor
Lieberman Software. Blocking the radio signals that are broadcast from orbiting
GPS satellites would require a massive counter transmission. And because the
satellites are operated by the US military jamming them would be considered an
act of war and a federal crime.
However, it’s easy to jam GPS
receivers using low-cost jamming devices such as one sold by Brando. This jams
a receiver by overloading it with a signal that’s similar to the real GPS
signal. The receiver then becomes confused because it can’t find a steady
Lieberman doesn’t give much credence
to fears about jammers disrupting aero planes or air-traffic-control systems.
…and how to beat them
"This is a similar type of attack
as is used on a computer - an SMS or MMS message includes an attachment,
disguised as a funny or sexy picture, and asks the user to open it,"
Nguyen explained. "Once they download the picture. It will install malware
on the device. When this malware has loaded it will acquire access privileges,
and it then spreads through contacts on the phone, which each get a message
with the malicious attachment from that user."
In this way, said Joffe, hackers
create botnets for sending text-message spam with links to a product the hacker
is selling, usually charging you per message. In some cases, the malware even
starts buying ringtones that are charged to your phone bill, lining the pockets
of the hacker selling the ringtones.
Mobile operators try their best to
stave off the attacks. For instance, US network Verizon's spokeswoman Brenda
Raney said the company scans for known malware attacks, isolates them on the
mobile network, and even works with federal crime units to block them.
To keep such malware off phones, Joffe
recommends that businesses Institute strict policies limiting that employees
can text using company networks and phones, and what kind of work can be done
via text messaging. Another option is a policy that prohibits text messaging
entirely, at least until the Industry figures out how to deal with the threats.
Once the scammer has established a
connection with you, he uses devious means to steal personal data, such as
chatting online to find out the names of your family members, favorite bands,
hobbies and other seemingly innocuous information. Then he uses that
information to try to guess your passwords.
Justin Morehouse, a principal
consultant at Stratum Security, describes another type of attack that targets
companies. The spoofer might set up a Facebook page that claims to be a
company's official fan page, suggesting members should use it to contact the
The page might offer fake coupons to
entice people to join, and it soon goes viral as people share it with their
friends. Once hundreds of users have joined the page, the owner tricks them into
giving out personal Information, perhaps by signing up for additional coupons
or special offers.
Consumers are harmed because their
personal data is compromised, and the company Is harmed because Its customers
now associate the fake Facebook page with the real company - and decide not to
buy from that company again. There's no way to prevent a criminal from setting
up a fake Facebook page, but companies can use monitoring tools such as
SocialMentlon.com to see how their name is being used online. If an
unauthorized Facebook page is turned up, the company can ask the social network
to remove the fake listing.
Because those networks use a different
GPS signal from the one we use in cars and handheld devices. Jamming could,
however, be a potentially dangerous issue when it comes to financial records
because GPS devices are used in the banking industry to add timestamps to
financial transactions, although completely blocking transactions would be
difficult, he said, an industrious hacker could theoretically disrupt
transactions and cause headaches for banks.
Security expert Roger Johnston, a
systems engineer at the Argonne National Laboratory in Chicago, said spoofing
GPS signals is the greater danger. GPS receivers are low-power devices that
latch on to any strong signal, he explained.
Spoofing could be used for serious
crimes - tricking a delivery truck driver into turning down a dark alley,
changing the timestamps on financial transactions, delaying emergency vehicles
from finding their routes, and so on. There have been no reported cases of GPS
spoofing to commit a criminal act, but Johnston warned that the government and
businesses must work to deter such attacks.
Taking some extra precautions - using
strong encryption technology, engaging only with trusted friends on social
networks, and using penetration testing software on corporate networks - can
alleviate some fears and help you sleep at night, even If the bad guys keep
coming up with new exploits.