Drawing on five years of malware research and data gathered from attacks against more than 700 corporate customers around the world, ThreatMetrix has identified the chief malware-related issues for 2012, as recently reported in an interview by Tracy Kitten of BankInfoSecurity with Andreas Baumhof, chief technology officer, ThreatMetrix™.
No. 1: Mobile Malware
Downloadable apps for Android smart phones, for example, have already been heavily targeted. But it’s not simply open-source platforms that present a problem. Apple’s iOS is at risk because, strangely enough, it’s “too secure.” Comments Baumhof:
“If I want to install anything on the iPhone, like malware, it’s really hard. The trouble is that Apple prevents security companies from providing security for the iPhone. So if the bad guys find a vulnerability and we don’t know how to stop it, it will be a big mess.”
Although the lack of iPhone countermeasures poses major risks, no company that wants to remain competitive can afford to limit the types of mobile platforms and devices it supports. “A bank can’t really say, ‘We won’t support Android or Apple,’” notes Baumhof. “Android, for instance, has a huge user base.”
To fight the ever-growing mobile malware menace, the only option for organizations is to control their exposure to possible security breaches. Baumhof says financial institutions must gather information about the devices that customers and members use to access online accounts. Further, they have to monitor customer behavior when accounts are accessed via those mobile devices in the same way they monitor behavior on other banking channels. “If the financial institution sees increased risk, [it] can restrict transactions or limit transactions. But it’s not an option, I don’t think, to limit the devices they allow consumers to use to access accounts.”
No. 2: Social Networks Spreading Trojans
Social networks are perfect for spreading Trojans and other malicious software. “Twitter, in particular, is a worry,” notes Baumhof. “We have seen a number of high-profile accounts that have been taken over, and once that happens, it’s very easy for the malware to spread.”
A Twitter account with 1 million followers is a very attractive target, indeed, because once the account is hijacked, cybercriminals can send malicious links to every follower. And followers are more likely to click the links because they trust the source. “The problem with all the social networking sites is the trust,” says Baumhof. “If we are connected with someone on LinkedIn, Twitter or Facebook, then we trust what they send us.”
Social networks have also made it a lot easier to spread Trojans through drive-by downloads. In a drive-by attack, a computer is infected simply by visiting a website that contains malicious code. When links to infected sites are sent out via social networks, the results can be catastrophic.
Baumhof notes that in 2010, a compromised news site in The Netherlands led to hundreds of thousands of individuals being infected with the Carberp Trojan.
Search-engine poisoning might be considered a cousin of the drive-by attack. While it doesn’t depend on social networks for distribution, it takes advantage of the same types of user behavior. “It preys on the same things,” says Baumhof. “If there is a topical event that many people are searching for on Google, then the bad guys will go in and find pictures linked to that topic and infect them with malware. There was a giant sinkhole in Germany, which made worldwide news, and if you would search for it on Google and click on the image, you’d get infected fully automatically.”
The best defense against socially engineered attacks is education, which ThreatMetrix has consistently promoted. Additionally, Baumhof says that organizations have to apply security patches and keep anti-virus programs updated to provide added layers of security. On top of that, organizations must ensure their employees and customers are keeping their own systems up-to-date and secure.
No. 3: Man-in-the-Browser Attacks
Observes Baumhof, “The bad guys can train the Trojan for the particular institution. These sophisticated attacks don’t happen every day, but when they do happen, they are successful.” He recommends two ways to prevent the attacks.
The first is for banking institutions to examine log-in information on the server side. “Authentication plays a role here. Banks need to look at the user. Was the user authenticated, and then was the device identified?”
The second is for banks to monitor vigilantly for transaction anomalies. “[If] someone tries to log in to your bank account, which is here in the U.S., but the device is overseas and pretending to be in the U.S., there are solutions that can identify those anomalies and flag them for increased risk of fraud.”
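The server-side checks described above (was the device identified, and is it overseas while pretending to be in the U.S.) and the "restrict or limit transactions" response mentioned under mobile malware can be combined into a simple login risk score. The following is an added illustration written for this article, not ThreatMetrix code; the device registry, the offset table and the score thresholds are constructed assumptions.

```python
"""Risk-scoring login events for device and location anomalies (added illustration)."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed table: UTC offsets (hours) a device clock can plausibly report when the
# device is physically in the country its IP geolocates to. A real deployment would
# use a full time-zone database rather than this hand-picked subset.
PLAUSIBLE_OFFSETS = {
    "US": {-10, -9, -8, -7, -6, -5, -4},
    "DE": {1, 2},
    "RU": {2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12},
}

# Constructed "known device" registry: user -> device fingerprints seen on earlier logins.
KNOWN_DEVICES = {
    "alice": {"dev-a1"},
    "bob": {"dev-b7", "dev-b9"},
}

@dataclass
class LoginEvent:
    user: str
    device_id: str        # server-side device fingerprint
    ip_country: str       # country the source IP geolocates to
    tz_offset_hours: int  # UTC offset the browser/device clock reports
    amount: float         # value of the transaction attempted after login

def score_login(ev: LoginEvent) -> tuple[int, list[str]]:
    """Return (risk score, reasons). Higher score means more suspicious."""
    score, reasons = 0, []
    if ev.device_id not in KNOWN_DEVICES.get(ev.user, set()):
        score += 40
        reasons.append("unrecognised device for this user")
    plausible = PLAUSIBLE_OFFSETS.get(ev.ip_country)
    # A U.S. IP (e.g. via a proxy) whose clock says UTC+3 is the "overseas but
    # pretending to be in the U.S." pattern from the interview.
    if plausible is not None and ev.tz_offset_hours not in plausible:
        score += 50
        reasons.append(f"clock offset {ev.tz_offset_hours:+d}h inconsistent with IP country {ev.ip_country}")
    if ev.amount >= 5000:
        score += 20
        reasons.append("high-value transaction")
    return score, reasons

def decide(ev: LoginEvent) -> str:
    """Map the score to the responses the interview describes: allow, limit, or block."""
    score, _ = score_login(ev)
    if score >= 90:
        return "block"
    if score >= 40:
        return "limit-transactions"
    return "allow"
```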
No. 4: The Hidden Risks of BYOD (Bring Your Own Device)
The trend toward permitting employees to use their personal devices for business purposes is creating new security challenges. Any device that a company does not control, but that connects to corporate databases and servers, is a security risk.
Organizations can minimize BYOD risk by limiting user access to corporate information. But they also have to use strong fraud detection systems to discover when databases and servers are accessed remotely and, ultimately, to retrace fraud events tied to malware. Baumhof warns, “The security problem becomes a fraud problem, because everything is so connected, and many organizations have not caught up with this trend.”