Mobile Banking Trojans Increase 400% in 2015 Q3


We love our mobile devices and it’s hard to imagine not having them nearby sometimes. The cybercriminals know this too. That is why they develop mobile malware to steal money. According to Kaspersky Labs’ Threat Evolution Report for the third quarter of the year, mobile malware is on the rise, particularly in countries where mobile banking is gaining popularity.

The report stated that in Q3, over 1.6 million malicious mobile installation packages were found to be in circulation and 2,500 of those were mobile banker Trojans. This is four times what was found in Q2 of this year and is the fastest growing category of mobile threats found in the wild (this means that it is active out in the general public in day-to-day situations, as opposed to in a controlled laboratory environment). In addition, there were over 5.5 million registered notifications regarding attempted malware infections. These were specifically geared toward stealing money from customers who use online banking.

This is why it is important that all consumers are aware of the dangers and learn to practice safe mobile security at all times. Knowledge is truly power and it will dramatically lower your chances of being a victim of cybercrime.

Here are a few basic things to remember when using your device:

  • Don’t click on links or open attachments in email unless you are certain they are safe. This is how malware is mainly delivered, so it is largely in your control to stay malware free.
  • Make sure anti-malware is installed on your mobile devices, regardless of the OS being used. Keep it updated.
  • Update or patch all software when notified. In most cases, updates sent by major software companies are fixes to vulnerabilities that will keep you safe from malware targeting the very same software issues.
  • Avoid using unsecured public Wi-Fi. Often hackers will sit in wait and hijack connections to steal login credentials.
  • Be aware even when using password-protected public Wi-Fi, such as in cafes and coffee shops. These can also be risky. Therefore avoid performing financial transactions on these connections.
  • If you must log in to a secured network while in public, your work network for example, use a VPN from your mobile device. Alternatively, use your device’s cellular data connection. There are still risks, but they are lower.
  • Make sure the passwords for your internet access point and for all network devices such as routers and switches are changed from the defaults they shipped with when they are first installed. Make them strong passwords and change them regularly.
  • Keep anti-malware software updated on all devices in your home network that can have it. Remember that when you are at home, all of your internet connected devices (TV, thermostat, refrigerator, music system, etc.) are likely connected to each other also (unless you specifically separate them). Anything that penetrates your desktop can also get to your mobile devices no matter where you are in the house.

Malware is not going away any time soon. New varieties increased nearly 11% in the last quarter and the number of unique malicious URLs found in that three month period was nearly 75.5 million, according to the same report. Mobile devices are great tools, but the numbers show they will continue to be targeted. It’s up to us to learn what we need to do to keep our information safe when using them. Isn’t that better than not using them at all?

© Copyright 2015 Stickley on Security

The Steps of Spearphishing and the Value of Stolen Data

In a survey conducted by the Identity Theft Resource Center (ITRC) of identity theft victims in 2014, only 16.4% of respondents completely trust their health insurance provider to use personal information they provide in a responsible manner. Most people only moderately trust them (29.7%). Possibly, they have good reason.

There have been several data breaches involving health insurance companies over the past year including Excellus, Anthem, and Premera. These three breaches have affected approximately 100 million people so far. Another 18 million who were not customers may also have been affected by these. Tack on another 14 million if you add the UCLA Health System breach of this past summer.

Information has begun to emerge about how at least two of these breaches (Anthem and Premera) happened. Both trace back to phishing, and more precisely to spearphishing. The latter is a type of phishing in which employees, or others “in the know” about a particular company or industry, are specifically targeted by cybercriminals. Spearphishing may be more time consuming because of the research required, but it usually results in a more lucrative payoff.

If you know the steps of a spearphishing scam, you are much less likely to hand your information to the hackers, and you can hopefully implement internal policies that make it easier to tell which internal emails containing links or attachments are legitimate.

Step 1 – Criminals research a company’s organizational structure. With all the information available on social media, a quick search on LinkedIn or Google will produce most of the data very quickly.

Step 2 – Once a criminal has the company structure, they now need to know what the executive’s email looks like. Criminals set up a Gmail or Yahoo account and send a nice email over to the executive. All the criminal is trying to accomplish is to get a reply email to be able to replicate the look and feel.

Step 3 – Now that the criminal has the company structure and can mimic the executive’s email, they send emails with a malicious link or attachment to people in the executive’s direct reporting chain. Because the victims believe this is an urgent matter from their “boss”, they are normally anxious to fulfill the request very quickly.

Step 4 – When the link is clicked or attachment opened, the malware is delivered to the company network. Once on the network, it will connect with the criminal’s server and wait for instructions.

The hacker will target your company’s sensitive data to steal and sell it on the Dark Web. This is a multi-billion dollar industry and all trends point to this as one of the fastest growing and most lucrative crimes in the world.

Each data record stolen has a price tag, and that price is driven by how it can be used and by current supply and demand. Credit card numbers used to be the main target, but there is a glut of them, and it is pretty simple to get a new card and end the usefulness of the stolen number. Social Security numbers and health care records are much bigger scores. An SSN stays with a person for life. Even if a person can prove to the US Government that their life has been ruined due to identity theft, the new number the victim is given ties directly to the old compromised number. Therefore the new number is of no help at all.

Data Price List (this is estimated):

  • Financial Institution Account Record: $80 (usually contains SSN)
  • Health Care Record: $80 (usually contains SSN)
  • Social Security Number: $40
  • Credit Card Number: $7
  • User Name & Password to any Website: $2

In the case of health insurance companies, it is the identity theft mother lode. Health insurance companies store social security numbers, payment details, health histories, information on family members, and other data that is extremely valuable to cyber thieves.

More importantly, think about your company and what data is worth stealing. And then ask yourself if your company could survive if that data was stolen. Making a few changes in the process and taking an extra few seconds to ensure the link or attachment is legitimate may be all you need to prevent an attack.

Tips to Help Protect Your Personal Identifiable Information (PII)

It is well-known that Google gathers data for a variety of purposes. However, Apple has a different policy. It actually prohibits the collection of personal information from users of its products. Recently it removed a software development kit (SDK) made by a Chinese company because it violated that policy.

The information gathered by the Chinese company, Guangzhou Youmi Mobile Technology, which provides mobile advertising services, includes email addresses and unique identification codes that are stored on iOS devices.

While it may seem insignificant that email addresses were gathered, the value an email address has in the cyber world is often underestimated. It is used by advertisers for marketing products, by scammers trying to get people to send money for nothing, and by phishers after login credentials for online banking and shopping accounts. It is also still the number one way malware gets spread. In many cases, an email address is also used as a login ID for various accounts. So protecting it is increasingly important.

Following are a few ways to avoid having your email used for purposes you do not intend and to cut back on unwanted email:

  • Report spam to your email service or internet service provider (ISP) if they offer that option. The address from which the messages are sent gets put on a blacklist. Some providers will also offer to attempt to remove your address from the sender’s list on your behalf.
  • Avoid unsubscribing from email lists when you know you never subscribed in the first place. Often the unsubscribe feature just confirms to the spammers that your address is legitimate. Just filter it right into the spam mailbox and report it to your email service provider.
  • Consider creating a separate email address to use as a “junk” account. This does not mean it isn’t a legitimate account, but use it for things like signing up for online catalogs, taking surveys, or entering sweepstakes, even when writing it down at the shopping center to win a trip to Hawaii. Often, if not most of the time, the email addresses collected for such things are sold to other companies that use them to spam you. You can always change the address on file to your regular one later.
  • Always give your financial institutions and other important organizations your legitimate and often-checked email addresses. They will send important information regarding your accounts and will not spam you.
  • If you discover that your email address was used to send spam or other unwanted messages, change your password right away as a precautionary measure. Then alert your friends, acquaintances, and others whose addresses may have been stored in your address book that your email address has been used to send spam. When scammers get into email accounts, they will often spam everyone in the address book.

Apple suspects the developers in this case are not at fault because it is likely they did not know the SDK was doing this. However, Apple removed an unknown number of apps using this SDK and will not accept any more into the App store until further notice.

Unsecured Security Cameras Turned Into Botnets

When you take a moment to count the number of internet connected devices in your home, the tally may surprise you. There are smart TVs, routers, computers, tablets, smartphones, smart thermostats and refrigerators, security systems, and even toilets that can be flushed from afar. All of those devices are a potential access point for cybercriminals. Recently the security company Incapsula found that somewhere around 900 Linux-based closed circuit television (CCTV) cameras had been turned into a botnet.

A botnet is a group of computers that have been taken over without the owners’ permission and are controlled as a group to carry out various types of activities, usually with malicious intent. According to Kaspersky Labs and Symantec, botnets pose the biggest threat to the Internet, outdoing spam, viruses, and worms.

While security devices are intended to make us feel more secure, and other internet-connected devices make our lives a little more convenient, there are risks associated with using them.

As with all home networking devices, they must be installed correctly:

  • The first step is to change the default logins and passwords that come with them. In this case, that is exactly how the incident happened. The default login credentials had not been changed.
  • Once they are installed and are internet-capable, the updates to the software and firmware that run them should be downloaded and installed. Often, they sit on shelves for a long time and updates have been released in the meantime. You want those latest ones applied.
  • If your devices have a feature that will allow them to apply updates automatically, switch that to the “on” position. If not, mark a date every quarter or even more frequently, to check for updates. If there are any, apply them right away.
  • Don’t forget to choose strong passwords and use a different one for each device. Make sure they have at least eight characters, are not common words, nor do they contain private details about you or your loved ones. Also include one or more special characters and combine upper and lower case letters. Don’t forget to add in a number or a few.
  • If you are going to have someone else install devices for you, make sure they are qualified to do it securely and are experienced. As soon as they leave, change the passwords.

Incapsula reported that the security cameras had been used to perform a “run of the mill” denial of service (DoS) attack, using cameras from several different brands that all had less-than-adequate security features out of the box. In some cases, the devices had been compromised by multiple people.

All the compromised devices were running BusyBox and carried a variant of the malware commonly known as Lightaidra or GayFgt. This malware scans for other devices running BusyBox with open Telnet/SSH services.

Just because technology makes our lives more convenient, we shouldn’t make it more convenient for cybercriminals to cause trouble. Take a few minutes and secure them.

FBI Issues Warning About Increase in Business Email Compromise Scams

Cyber fraud takes many shapes and sizes. The latest trend taking center stage involves email scams against companies of every size. Large, small, or somewhere in between, businesses around the world are feeling the heat from email cybercrooks. The FBI reports over $1.2 billion in losses from this type of fraud, also called masquerading schemes or business email compromise attacks, within the past two years, and has issued an alert to businesses to watch out for it. This is forcing many companies to take a second look at their situations.

As with many cyber scams, some businesses are not reporting the crime. However, according to the numbers that are provided, these are indeed rising. More and more companies realize they’ve been duped and are wondering how they can keep it from happening again.

The short answer is to educate employees who perform financial transactions and make sure a process is in place to verify all wire transfers or anything that involves sensitive business data. Just having the process in place is not enough, however. It also needs to be enforced.

Typically, these scams begin when an email is sent to a company controller or other financial officers, appearing legitimate and asking for money to be transferred to an account somewhere. This could be for payment to a vendor or for some other authentic-sounding reason. These emails often have an urgent nature. Validating them often goes by the wayside in an attempt to take care of the “pressing matter” at hand. Many of these transactions involve overseas banks in China and new accounts, adding to the anxiety of a speedy settlement.
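One defensive check for the pattern just described, and for Steps 2 and 3 of the spearphishing article earlier on this page (an executive’s name on a Gmail or Yahoo address, an urgent request to move money), written here as an added example rather than anything from the original articles: an inbound-mail screen that quarantines messages whose display name matches a listed executive but whose sender or Reply-To domain is outside the company. The executive roster, company domain and sample headers are constructed placeholders.

```python
from email.utils import parseaddr

# Constructed executive roster and company domain (placeholders, not real).
EXECUTIVES = {
    "jane doe": "jane.doe@example-corp.com",
    "sam lee": "sam.lee@example-corp.com",
}
COMPANY_DOMAIN = "example-corp.com"
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY_WORDS = ("urgent", "asap", "immediately", "wire", "right away")


def _domain(addr):
    """Lower-cased part after '@', or '' if the address has none."""
    return addr.lower().rpartition("@")[2]


def classify(from_header, reply_to="", subject=""):
    """Return (verdict, reasons) for one message's From, Reply-To and Subject.

    'quarantine': a listed executive's name is used from a sender or Reply-To
    that is not that executive's company mailbox (the scam pattern).
    'flag': only an urgency cue was seen; worth a second look before acting.
    'ok': nothing suspicious.
    """
    name, addr = parseaddr(from_header)
    expected = EXECUTIVES.get(" ".join(name.lower().split()))
    reasons, spoofed = [], False
    if expected is not None:
        sender_domain = _domain(addr)
        if sender_domain != COMPANY_DOMAIN:
            kind = "freemail" if sender_domain in FREEMAIL else "external"
            reasons.append(f"executive name sent from {kind} domain {sender_domain}")
            spoofed = True
        elif addr.lower() != expected:
            reasons.append(f"executive name on unexpected mailbox {addr}")
            spoofed = True
        rt_addr = parseaddr(reply_to)[1]
        if rt_addr and _domain(rt_addr) != COMPANY_DOMAIN:
            reasons.append(f"Reply-To diverts answers to {_domain(rt_addr)}")
            spoofed = True
    if any(w in subject.lower() for w in URGENCY_WORDS):
        reasons.append("urgency cue in subject")
    if spoofed:
        return "quarantine", reasons
    return ("flag" if reasons else "ok"), reasons


# Constructed sample headers modelled on the scam described in the article.
SAMPLE_MESSAGES = [
    ("Jane Doe <jane.doe.ceo@gmail.com>", "", "Urgent wire to new vendor"),
    ("Jane Doe <jane.doe@example-corp.com>", "jane.doe@yahoo.com", "Invoice"),
    ("Jane Doe <jane.doe@example-corp.com>", "", "Lunch on Friday"),
    ("Bob Vendor <bob@vendor.example>", "", "Updated price list"),
]


def scan(messages=SAMPLE_MESSAGES):
    """Classify each (From, Reply-To, Subject) triple; returns the verdicts."""
    return [classify(f, r, s)[0] for f, r, s in messages]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, why = classify(*msg)
        print(f"{verdict:10} {msg[0]:40} {'; '.join(why)}")
```

The roster lookup is deliberately strict on the full name only; a production filter would also catch look-alike domains and mismatched Return-Path headers, which this example does not attempt.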

Because there is not yet much regulation for controlling this internationally, experts worldwide are suggesting ways to combat these socially engineered transactions:

  • Involve your financial institution. Even if you feel it’s too late and the damage has been done, call the customer service number and let them know what happened.
  • At any point during a transaction where you are asked to make a financial transaction or provide sensitive data, should you begin to have the slightest doubt about the “vendor” authenticity, contact your financial institution. Making them aware of your situation not only protects you in the future, but also helps others facing the same scams.
  • Verify the requestor and the request with urgency. Follow a process for confirming such transactions are indeed intended. Use the intensity cybercrooks use to fool you and turn it around. Even though cyber thieves do everything to convince you they’re legitimate, time spent verifying their identity can make a huge difference to the bottom line. Unfortunately, victims of email scams find after the fact that there was plenty of time to be vigilant.
  • Implement a purchase order model for transferring money around and require a reference number or code for each one. Audit the transfers daily.
  • Make sure there are multiple approvals for large dollar amounts and that there are separation of duties.
  • Train employees to identify fake email addresses and teach them never to open links or attachments in email messages without verifying their legitimacy.
  • Before you act, react. Suspicion can be put to rest by adding layers to your vendor approval process. Something as simple as asking for a photo of the requestor’s driver’s license can make cybercrooks think twice about making you a target.

This scam has been reported in all 50 states and in 79 countries, affecting nearly 10,000 businesses worldwide.


Tips to Reduce Robo Calls and Texts

Annoying sales calls have now morphed into bothersome texts as well. Technology provides us with options for getting in touch with those we want to communicate with. However, on the flip side, pesky sales callers now have additional ways to find you besides the phone. Texts are becoming a more common way for scammers to find you. Just remember that if they can find you, they can scam you.

The Federal Trade Commission (FTC) is only too aware these problems exist. As a result, it created a Do Not Call Registry, providing consumers with an option for reducing those unwanted calls. There are currently over 217 million phone numbers on this list, and that number is likely to grow. Robocalls (calls made using recorded messages) are highly prevalent, allowing unscrupulous sales and scam contacts to be done on a massive scale.

Here are a couple of ways you can effectively stop or seriously hinder sales calls and texts:

Add your number to the Do Not Call list. Contact the FTC at 1-888-382-1222 or at the Do Not Call website. After your phone number is added, it takes just over 30 days for the calls to start dwindling.

Report unwanted texts to your cell phone service provider, and to the FTC. You can call them at 1-888-382-1222 or find a complaint form on the website.

Whether you receive annoying calls, texts or both, there are common sense efforts for keeping them to a minimum. Never follow prompts or text links from people or groups you don’t know. Following the prompt trail inevitably gets you deeper into more contact efforts from other unwanted sales attempts and it could result in malware being installed on your mobile device. If you’re tempted by hearing you won a prize of any type, chances are it’s just bait from scammers.

The good news is there are some ways to fight back. Although not always 100% sales and scam-proof, they can put a serious dent into how many of these calls and texts you receive. For better or worse, calls not subject to abiding by the list are political calls, calls from charities, or from companies you gave your information to at some point. So, no matter how many times you hang up on a political activist, there is really no escape other than not answering in the first place.
