Emails are considerable as a primary vector for cyber-attacks against mobile devices, principal security firms revealed that phishing activities in the last few years have increased exponentially, targeting every sector from industry to government agencies. RSA’s October Online Fraud Report 2012 described an impressive increase in phishing attacks, up 19% over the second half of 2011. The total loss for various organizations sums up to $2.1 billion over the last 18 months; these are extraordinary figures that give an idea of the amplitude of phenomena.

2013 has started with an apparent reversal of the trend that is actually symptomatic of a dangerous phenomenon, to an apparent slowing of phishing activities on desktop PCs is paid with an increase of offensives that are targeting mobile platforms.

An increasing number of web sites are expressly designed to circumvent mobile users, targeting e-banking and e-commerce services, Trend Micro security firm observed that in 2012, 75% of mobile phishing URLs were rogue versions of popular financial and banking sites, meanwhile only a small percentages (4%) were related to sites try to trick online shoppers and social network users (2%).

Services hit by Mobile Phishing:

The methods of attacks are unchanged in respect to normal phishing. Users are misled and hijacked on spoofed versions of legitimate sites to trick them into disclosing sensitive information such as banking credentials, account details and other personal information that could be used in successive APT attacks. Further information regarding mobile security threats can be found in the mobile forensics course offered by the InfoSec Institute. Most targeted users are PayPal customers followed by other financial institutions clients such as Absa Internet Banking, Barclays and Wells Fargo.

Mobile Phishing Sites (Trend Micro):

The year 2013 presents itself full of challenges in mobile security, Android users will have to face a growing number of cyber threats of increasing complexity. The principal cyber threats will be originated by cyber-crooks wanting to steal sensitive information and intellectual property, but also cyber-espionage activities of governments and private actors have to be considered.

Among the main threats that will grow exponentially there are malware for scam purpose and phishing activities.

Keep update installed apps, do not download software from third part app stores, avoid jailbreaking operations and of course, avoid clicking on links contained in unsolicited emails.

For many years now, we have been trained to look for the SSL icon on our browsers, and have told our family and friends to do the same. It’s a basic security measure that ensures our traffic cannot be intercepted and spied on. The last thing we want when doing online banking, reading our email or shopping online is having someone sitting there and watching our every move, storing our email contacts, credit card information, and so on. On desktops and laptops, this problem has been solved a long time ago, and through constant education of the public, we’re at a point where most people know what the little yellow lock icon means next to the URL bar, or to at least look for HTTPS instead of just HTTP in the web address.

When it comes to mobiles however, things are different. In a mobile browser environment, the lock icon can still be seen, and most mobile browsers do a good job in making sure we are aware whether our communications are secure. But what happens in the case of applications? Most of the time, apps do not have a lock icon or a URL displayed for the user to see. Yet we use apps for all kinds of critical processes like banking, communication, shopping and more. On top of that, our smartphones have a lot more information about us, since they have access to our contact list, our calendar, GPS location, etc… How can we know whether the apps we use are using encrypted connections back to their servers? It can be dangerous enough for a single user, but in the case of a business, with threats of corporate espionage and the personal information of clients potentially in your care, things can escalate quickly.

Right now, most people who use a smartphone have no way to find out whether or not the apps they use are secure, and they have to trust the developer when they claim that their apps are safe. Unfortunately, this turns out to not always be the case. In order to find out whether or not any particular app is using SSL connections, it can be useful to know the security models that are available to those developers, and then some tools that can be used in order to monitor the apps and know the real answer. Last October, a team at Leibniz University in Hannover went deep into the Android core to find out how SSL gets implemented, and how easy it is for app developers to make sure their apps are secure, leading them to publish a report on the subject.

The team analyzed Android apps because the Google platform is the fastest growing smartphone platform in the world. In addition, in their end of year security bulletin, Kaspersky said that they noticed the vast majority of mobile threats out there are going after the Android platform. Some of the results researchers found were fairly interesting. First, there is no way for a normal user to know what type of security a specific app provides. The permissions dialog shown to a user when installing an Android app is fairly useless, since a lot of apps go overboard with the permissions they ask for. Nearly every type of app will ask to be able to communicate over the network, and that says nothing about what is actually sent, and whether it is done in a secure way.

From examining app behavior and doing static code analysis, they found a total of 1,074 apps, or 8%, which used SSL code that allowed all hostnames or all certificates when connecting, which means they are potentially vulnerable to man in the middle (MitM) attacks. During further analysis, 41% of these apps did in fact end up being vulnerable to various types of MitM attacks. This means that tens of millions of current Android users are using applications that are vulnerable due to bad SSL implementations. The team managed to get credentials for bank accounts, PayPal accounts, credit cards, Twitter, Facebook, Google and so on. They even managed to inject virus signatures into an antivirus app and disable it completely.

Some of the biggest errors that app developers made were to configure the TrustManager interface to trust all certificates, forget to check hostnames when establishing a secure connection, and using mixed modes where both encrypted and unencrypted data are displayed on a single page. Also, it’s worth noting that Android 4.0 trusts 134 root Certificate Authorities (CA), which is quite a lot.

So how can you figure out whether the apps you use are safe? After all, as a smartphone user, you may not care much how the app developer went about to implement his or her networking code, but whether or not the app is safe. The way the team in Germany did it was by doing static code analysis using a custom plugin for Androguard, a tool made for the analysis of Android applications. By scanning the code itself, they could see how the apps interacted with the underlying APIs, and how the network code worked. This way, they could see where the errors were, and why something might not be secure.

If you can’t do this type of deep analysis, there are many other ways you can get a good idea of whether or not the apps you use are safe. One place you can look at is ZAP, the Zscaler Application Profiler, which gives you a web based interface to scan Android and iOS apps. There, you can search for past results, scan apps by using their scanning proxy, or upload apps to the site. The result gives you information on whether the authentication is secure, if there is any data leak, and whether there is exposed content from analytics or ad networks.

You could also make your own proxy and use an app like ProxyDroid, which can force other apps to use SSL, or simply use a VPN in order to remove any risk that a MitM attack on your local network will get anything out of your apps, if you happen to be in a hotel or some other insecure wi-fi situation. By routing all of your phone traffic through your own network, you can also use a scanner like Wireshark to capture all the packets going by, and then physically look at the data to see whether it’s gibberish, as it should be, or if you can see some leakage. This will not tell you whether some bug in the code could allow a more active attack, but at least a passive listening of the wire won’t expose your data.

Of course, in the end, the burden falls on app developers to implement their applications in a secure manner. If you are making apps, perhaps for your business or even the wider world, then you need to make sure that if you implement SSL, you do it in the correct way. InfoSec Institute offers a web application security course and Android has a comprehensive guide talking about these topics. For iOS, the SANS Institute published a detailed coding tutorial on how to correctly implement secure connections and deal with potential MitM attacks.

Meanwhile, research is being done in other directions as well. Last month, Fujitsu revealed that they are working on an HTML5 based system that would allow workers to have access to corporate data based on whether or not they are in a secure environment. This system would use an app on the employee-owned phone that would detect if the worker is in range of an allowed wi-fi network, or when the worker taps a corporate NFC card to their phone. The company said this system would be released later this year, and everyone is looking forward to trying it out.

About the Author: Patrick Lambert is a security researcher for InfoSec Institute, an IT security training company.

Some of the messages may look like this:

• Hey someone is spreading nasty rumors about you: <link added>

• LOL! I’m laughing so hard at this pic of you:  <link added>
• Did you see this funny tweet about you? <link added>
• Watches on Sale! $99 <link added>
• Lose weight fast! <link added>

If your Twitter account has been compromised, follow these five steps to regain control and prevent future hacking.

Step 1: Change your password immediately

If, or when (as it’s only a matter of time), your Twitter account is hacked, the very first thing you need to do is change your password; that is, if you still have control over your account. Use a different computer or a different browser to log into Twitter. It’s possible malware has been installed somewhere on that device, which led to the compromise of your account.

It goes without saying that you should use a strong password that’s difficult to guess and that’s unique to this particular account and not used elsewhere. Remember to change your password regularly. If you are unable to log into your account because the hacker changed your password, use the password reset form found at twitter.com/account/resend_password. If that doesn’t work, contact Twitter Support.

Step 2: Revoke access from third-party applications & reset those passwords also

Check all of the applications that might be using Twitter for authorization. To be safe, and to isolate the problem, you should temporarily revoke this privilege from all of them. You can add them back, after waiting a few days to ensure the spamming has stopped. Add one application back at a time and wait a few days between adding another one. If an application was the cause of your Twitter problems, adding the applications back one at a time will help you determine which one, if any, was compromised.

Step 3: Begin damage control with an apology

Apologize to your Twitter followers or anyone who might have been affected. Send a few apologetic direct messages to the people that received malicious DMs. Keep your apology simple like: “Apologies for any inappropriate tweets from this account. I’m taking precautions to ensure my account doesn’t get hacked again.”

Step 4: Delete all the tweets and DMs that were maliciously posted

Delete the spammy tweets and DMs, especially if you use your Twitter account for professional purposes.

Step 5: Check your computer

Scan your computer for worms, malware, viruses and spyware to ensure that nothing else has been infected. Be sure that your anti-virus software is up to date and that security updates have been installed for your operating system and applications.

Finally, it’s worth asking yourself how your Twitter account might have been compromised in the first place. Were you using a weak password? Did you unwittingly click on a malicious link? Did you unknowingly visit a fake website loaded with drive-by malware? Or was your password exposed during a breach?

We need to understand, recognize and avoid the risks associated with social sharing sites and learn how to use them safely. Take a few minutes to read Twitter’s security tips.  And watch these short videos on our YouTube channel to learn more about how to keep yourself safe in today’s digital age.

Two years ago, there were nearly 3 million unique forms of malicious code, and thousands of new ones are discovered daily. The risk of being infected is greater than ever because every single possible data communication method can be used to transmit malware. And we know this is true because we so often see it in the news.

But what exactly is malware? Malware = MALicious softWARE.

Hackers use this software to disrupt computer operations, gather sensitive information, or gain unauthorized access to a computer system. Malware can also appear in the form of a script or code. The term ‘Malware’ is used to describe a variety of forms of hostile, intrusive, or annoying software or code.

You’ve probably heard of the terms “virus” and “worm”. Although they do different things and cause different types of problems, they are both a kind of malware. Another kind of malware is the Trojan horse.  Let’s take a closer look at these three.

Computer virus

• A virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. A computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells. While some are harmless or mere hoaxes, most computer viruses are considered malicious.

Worms

• Like a virus, a worm is also a self-replicating program. A worm differs from a virus in that it propagates through computer networks without user intervention. Unlike a virus, it does not need to attach itself to an existing program. Many people confuse the terms “virus” and “worm”, using them both to describe any self-propagating program.

Trojan horses

• A Trojan horse is a program which seems to be doing one thing, but is actually doing another. A Trojan horse can be used to set up a back door in a computer system so that the intruder can gain access.

What damage can malware do?

In the early days of the Internet, viruses were written as experiments or pranks. In some cases, the perpetrator did not realize how much harm his or her creations would do.

Today, malware is used primarily to steal sensitive personal, financial, or business information like social security numbers and credit card account information. The stolen information is then sold to other cybercriminals for a profit. The damage caused can range from a minor annoyance to a catastrophic disaster.

How can you get infected?

Unfortunately, there is no particular way to identify that your computer has been infected with malware. Anti-virus software might alert you that it has found a virus, but other forms of malware may go undetected.

Here are some of the ways you can get infected:

1. Email Attachments – before opening, ensure that attachments you receive are legitimate
2. Portable Media – any device that can store information can support malicious content
3. Visiting Malicious Websites – any  legitimate website can be the victim of an attack, which in turn could leave you at risk
4. Downloading Files from Websites – including generic files, software, plug-ins, movies, audio files, as well as mobile code such as ActiveX, JavaScript, Flash etc
5. Participating in P2P File Sharing Services – peer-to-peer file sharing systems, especially when used to access illegal or infringing content
6. Instant Messaging Clients – especially if unpatched, they allow hackers to upload or download files through holes in the client software.
7. New Devices and Peripherals – although it’s rare, mobile phones, digital photo frames, etc can be compromised during manufacturing if the manufacturer’s system is infected.
8. Social Networking Sites – offer several situations that could put you at risk of infection
9. Social Engineering Attacks – that trick users into either giving up information or unwittingly performing tasks that result in a security breach
10. Not Following  Security Guidelines and Policies – bypassing filters, using unauthorized outside storage devices, blocking software updates, using non-approve software clients, etc, increase the chance of becoming infected by malicious code

How to avoid becoming infected

The old wisdom rings true: an ounce of prevention is worth a pound of cure.

1. Keep software up to date so that attackers can’t take advantage of known problems or vulnerabilities.
2. Use and maintain anti-virus software and malware software.
3. Use and maintain anti-spyware tools.
4. Install a firewall to shield your computer or network from malicious or unnecessary Internet traffic.
5. Add location-aware client firewall software on mobile devices including laptops to enforce tighter security when connected to any non-trusted network, such as a free Wi-Fi hotspot.
6. Evaluate your security settings in your software, browsers, email programs and online accounts.
7. Use strong passwords & change them periodically.
8. Disconnect your computer from the Internet when you aren’t using it.
9. Maintain backups of your files on CDs or DVDs so that you have saved copies in case you get infected.
10. Follow good security practices and take appropriate precautions when using email and web browsers to reduce the risk that your actions will trigger an infection.

Bank News Media has recognized our Customer Security Awareness Program, as well as our InfoSight-U Training Portal for success in education!

InfoSight has created a Customer Security Awareness Program specifically for financial institutions and their customers. The Program enables financial institutions to quickly and easily train their consumer and commercial banking customers, while ensuring compliance with the portion of the new 2012 multi-factor authentication guidance.

InfoSight’s Program meets the requirements of the new mandate by:

• Providing Security Awareness source content for website educational information, statement stuffers, social media campaigns, etc…
• Commercial client security seminars and/or webinars.
• Website tracking of customers reporting.
• Providing an annual Progress Report that will evaluate your program’s effectiveness.
• Providing customer’s security and risk controls tools and or toolkits.
• And much, much more.

There are many benefits to dedicating more resources to education:

• Create cross-sales and onboarding of new opportunities.
• Reduce your financial institutions liability and risk of litigation.
• Integrate with employee security awareness initiatives.
• Build confidence in your customers that your financial institution electronically is safe.

You need a strategic partner to help you create, implement and manage a robust Customer Awareness Program. Contact InfoSight today to learn how we can help you!

Holiday Shopping Security Tips

Cyber Monday is the day when all employers cringe. They know that many employees will spend a portion of their work hours making online holiday purchases instead of working.

For employees who spend time making purchases either at lunch, break time, or at the end of the work day, here are some tips to stay safe on the largest online activity day of the year.

[1] Make sure your desktop computer, laptop, smartphone, or mobile device has some form of anti-virus protection.

[2] If you use your laptop or mobile device at a coffee shop or other location with free Wi-Fi, don’t use your credit card online until you are home or away from the free Wi-Fi.

[3] If you enter your credit card or other personal information online, make sure that the website in the browser starts with HTTPS and not just HTTP because the HTTPS encrypts the information you enter (credit card details, etc.)

[4] Do your research before you buy. Check out reputable sites such as Amazon.com to make sure you’re paying a legitimate price for your item. Also, don’t make any purchases from a site that doesn’t have a privacy policy – there should be an explanation as to how the site uses your personal information.

[5] If you use review sites such as Yelp, Angie’s List, etc., take the comments with a grain of salt – they may not be accurate.

[6] While apps may ask for access to your personal information, you can click “no.”

[7] Make sure to “disable” the GPS location-sharing function on your phone and mobile devices. There may be times when you don’t want your location included with your online activities.

[8] There will be many emails in your email box during the holiday season, so be careful when you click on what looks like an email confirmation for your purchases, when in fact, the email could contain a virus once you click “open.”

[9] Some sites request a password. Use a different password than what you use for your regular sites.

[10] Log off from a site once you complete your transaction.

Lastly, if you’re on the road on Cyber Monday and decide to use your laptop or mobile device while waiting for your plane, don’t use airport Wi-Fi. Hackers are setting up bogus access points to steal your info.

Do you have a favorite safety tip for Cyber Monday? Chime in and share.

Cross-posted from Tips4Tech

Two Decades of Malware