Fraudsters’ slick olive oil switch
Read Time: 13 mins
Written By:
Donn LeVie, Jr., CFE
[Some links may no longer be available. —Ed.]
This case is fictional, but it's representative of a new wave of identity theft with the proliferation of mobile devices such as smartphones, tablet PCs and e-readers that consumers, businesses and government agencies have adopted to transact business, including mobile banking. Cyber criminals go where the money is, and they've reacted quickly to exploit the spread of the mobile banking arena as a profit center. The mobility of laptops led to an exploitation of personal data through loss and theft, but the movement to smaller portable devices represents a much larger opportunity for cyber criminals to exploit data.
MOBILE DEVICE EXPLOITATION
How do cyber criminals exploit mobile device activity, especially the mobile banking variety? This is how Gordon M. Snow, assistant director of the FBI's Cyber Division ("Statement Before the House Financial Services Committee, Subcommittee on Financial Institutions and Consumer Credit," on Sept. 14, 2011), explains it:
Cyber criminals have successfully demonstrated man-in-the-middle attacks against mobile phones using a variation of ZeuS malware. The malware is installed on the phone through a link imbedded in a malicious text message, and then the user is instructed to enter their complete mobile information. Because financial institutions sometimes use text messaging to verify that online transactions are initiated by a legitimate user, the infected mobile phones forward messages to the criminal.
Cyber criminals are also taking advantage of the Twitter iPhone application by sending malicious "tweets" with links to a website containing a new banking Trojan. Once installed, the Trojan disables Windows Task Manager and notifications from Windows Security Center to avoid detection. When the victim opens their online banking account or makes a credit card purchase, PII (personal identification information) is sent to the criminal in an encrypted file.
A man-in-the-middle attack (also known as faked/spoofed websites, website spoofing and pharming) involves a cyber criminal who uses a fake website to move and monitor information between an organization — such as a bank — and a consumer. In essence, the cyber criminal is in the middle of a transaction between a consumer and an organization with neither party aware that the fraudster is illegally monitoring the transactions. The criminal, who's secretly monitoring every keystroke between the consumer and organization, compromises personally identifiable information (PII) such as account material, usernames and passwords.
Pharming, also known as spoofing and DNS poisoning, is a high-level cyber scheme for conning individuals into exposing PII such as credit/debit card info, Social Security numbers and other financial account information. Although similar in design to phishing, pharming involves more risk because a click on a link in an email message isn't necessary to initiate the scam. The scam uses malware or spyware to move the victim from a legitimate website to a fraudulent one.
ZEUS MALWARE
ZeuS malware is one of the most dangerous and commonly used Trojans; cyber criminals worldwide use it to target PII, mainly PII related to victims' financial transactions. These fraudsters use numerous versions of the ZeuS malware to steal hundreds of millions of dollars not only from consumers but from all types of entities and government agencies throughout the world. This malware is very difficult to control because new easy-to-use versions emerge continually and are sold in kits in the underground market.
The latest mobile devices have become easy targets. For example, Fahmida Y. Rashid reported in the June 12 article, "Fake Android Security App is Mobile ZeuS Malware in Disguise," on the Security Watch website that six new versions of the ZeuS banking malware called the "Android Security Suite Premium" have emerged masquerading, of all things, as security apps promoted to users to protect their mobile devices from malware. Quoting Denis Maslennikov, a Kaspersky Lab researcher, from his blog post on Secure List, Rashid wrote, "Once (the) Android Security Suite Premium is installed on the mobile device, it displays a blue shield icon on the menu and a fake 'activation code' when executed. … The malicious app can intercept incoming text messages and forward them to remote command-and-control servers. Depending on the user, the messages could include sensitive data, such as password reset links or even one-time passwords. Any of the six C&C servers could send instructions to the app to uninstall itself, collect and transmit system information, and install other malicious applications." The cyber criminals are able to transfer money and important financial information and PII from victims' accounts.
LAWYERS ALSO TARGETED
The legal profession has recently experienced an increase in this type of cyber criminal behavior. According to a June 25 article by Jennifer Smith in The Wall Street Journal, "Lawyers Get Vigilant on Cybersecurity," "Hackers [have stepped] up attacks on law firms ... [and] few [of them] will admit to a breach. Thefts of confidential information strike at the core of the legal profession's obligation to safeguard clients' secrets, and can do considerable harm to a firm's reputation."
Because information flows constantly over mobile devices within their firms and to and from clients, lawyers handle a great deal of valuable information, including merger and acquisition data that outsiders such as cyber criminals can use for insider trading and similar activities.
Smith wrote, "Lawyers, who increasingly rely on email, smartphones and other mobile devices to handle deals and other confidential matters, are being asked to encrypt messages, resist free Wi-Fi connections, which can allow hackers to eavesdrop on communications, and regard even text messages as potential security threats."
BUT THEY'RE NOT THE ONLY ONES
Of course, other entities are experiencing the same data breach problems, especially those in the financial sectors, such as banks, brokerages, hedge funds and other related companies, according to my article, "Data Breach Trends in the United States," to be published soon in the Journal of Financial Crime.
After I analyzed 2,278 data breaches reported by the Privacy Rights Clearinghouse from 2005 through 2010, I determined that the general business sector accounted for 39 percent of the data breaches but an amazing 71 percent of the compromised records.
Even more astounding is that the banking sector accounted for 8 percent of the data breaches but 42 percent of the total compromised records. This indicates that cyber criminals are targeting the business community — especially the banks — very heavily because they get more "bang for the buck," measured in compromised records, as a return on their investment. A number of internal and external factors, including the misuse of mobile devices, caused these data breaches. The record-breaking purchases of mobile devices are going to drive the level of data breaches to new heights.
HELP IS ON THE WAY
What can companies do to recognize this threat and help reduce the likelihood of loss of information on computers and mobile devices due to cybercriminal activity? Rashid offers the following advice:
Most importantly, entities need to educate their employees about cybercriminal activities on mobile devices and provide ways to protect their clients' confidential information. Most entities don't have a clue where to start because many of their employees have a difficult time just trying to use their mobile devices. Smith also writes, "Sometimes the push for cybersecurity vigilance comes from clients, including big financial institutions, which regularly conduct their own on-site security audits at law offices to make sure their secrets are protected by the latest firewalls and other digital defenses. ..." Clients are wise to conduct audits at professional service companies with which they do business because it forces the companies to be responsible for protecting confidential information.
PROPER RECYCLING AND DISPOSAL OF DIGITAL DEVICES
Criminals also can exploit PII on improperly disposed digital devices. According to a May 1 USA Today article, "Discarded digital devices can retain sensitive data" by Byron Acohido, McAfee identity theft expert Robert Siciliano randomly purchased 30 used devices off Craigslist and had them examined with simple forensics tools. He determined that half of the devices hadn't been wiped clean and included "plenty of sensitive data, ranging from bank account and Social Security numbers to work documents and court records."
These recycled devices are gold mines for cyber criminals. This security problem will increase when Microsoft rolls out its Windows 8 operating system late this year because many consumers will scrap or sell their obsolete Windows XP devices, according to the USA Today article.
Even though users may wipe hard drives, important data may be left behind. So Siciliano's advice for a used Windows-based laptop or netbook, or Android smartphone? "I would beat the thing to death." Devices such as iPads, iPhones and BlackBerries don't represent the same risk, Siciliano said.
MORE HELP FOR THE COMMUNITY
I hope you'll share this column with your family, friends and clients. We must step up our efforts to educate the public on how to safeguard their mobile devices to avoid having their sensitive information stolen, which will reduce identity theft.
Please contact me if you have any identity theft issues you'd like me to research and possibly include in future columns, or if you have any questions related to this column or any other identity theft questions. I don't have all the answers, but I'll do my best. Stay tuned!
Robert E. Holtfreter, Ph.D., CFE, CICA, is distinguished professor of accounting and research at Central Washington University in Ellensburg, Wash.
The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.