
Tuesday, January 17, 2017

Security and Risk Online: The rising threat of mobile malware


Cath's day was like any other - until she picked up her phone. It was dead except for a spinning penguin on its screen.

Her phone was locked and trapped inside was a year's worth of irreplaceable photos, messages, appointments and contacts.

For Cath this proved devastating: "I thought I had everything saved to the SIM, but that had been completely stripped of all information, photos, contacts, and texts. The photos in particular were the hardest loss to bear."

Sending her phone to her telco proved fruitless - they were unable to fix it. It wasn't a hardware failure. The only option that made any sense was malware, malicious software that is used to disrupt devices.

Mobile malware is becoming more commonplace both in New Zealand and overseas.

Mark Gorrie, Symantec's Australasian manager, said ransomware attacks (which see PCs, smartphones and other devices encrypted and locked until a fee is paid) have increased by 163 per cent in the last 12 months.

Our part of the world is the third-most targeted region for ransomware attacks.

According to Symantec, cyber-crime is also growing. Identity thefts happen on average every two seconds.

Cybercrime affected 668 million people from 21 countries this year. Phishing attacks and other cyber-fraud cost US$126 billion globally last year.

Phones are increasingly targeted by cyber criminals as more people use them for online shopping.

The trouble is, it can be difficult to tell if a website is genuine with a mobile browser, and it can be easy to click an innocent-looking link or advert that then installs malware on your phone.

Vodafone offers six tips to avoid malware.

- Only install applications from official app stores: if you own an Android device, you can set it to only allow authorised apps to be downloaded from the Google Play store. Apple devices only allow apps from its store.
- Do not jailbreak/root your device, as this exposes it to threats.
- Do not use the same username/password across all your apps or sites.
- Ensure your device has a password or PIN enabled. If it has a fingerprint scanner, use it.
- Keep the operating system up to date. Doing so ensures your device is protected against current vulnerabilities that could be exploited by malware.
- Install a mobile security app (it will detect and block malware) as well as a cloud-based photo app that backs up photos so they are not lost should your phone be stolen, broken or hacked.

One option as a security app is Symantec's latest version of Norton Mobile Security.

It can protect up to five devices so it should cover an entire household's PCs, smartphones and tablets.

The app offers basic malware protection at no cost, but more advanced protection requires an annual fee of $99.

The free version includes antivirus/malware/spyware detection and removal, anti-theft capabilities, web protection plus call blocking.

The paid version features App Advisor which checks out apps installed on your phone and vets apps before you install them.

Sunday, January 15, 2017

Online Security: ‘No refund if you lose money to cyber fraud through your fault’

Losing money to a cyber fraud may not earn you a refund from your bank if proven that you were at fault in the transaction, a consumer forum ruled recently.

The Additional Thane District Consumer Disputes Redressal Forum last week dismissed a complaint by a Navi Mumbai couple, stating that they had not taken due care in handling their bank account.

The couple had filed the complaint against a multi-national private bank, alleging that it was responsible for fraudulent transfer of money from their account. The complaint stated that the couple was deceived by a fraudster who used the bank’s name. When they brought this to the attention of the bank, they did not receive a positive response, which constituted a deficiency in service, they claimed.

According to the complaint, the couple, who had a joint NRI account, received text messages from the bank informing them of four withdrawals from their account, which they did not make. When they tried to log in to their account to change the user ID for Internet banking, they found the password changed. The couple immediately informed the bank and asked them to disable their net banking facility and debit card. A complaint too was made with the bank and an FIR lodged with the cyber cell of the Mumbai police and the local Rabale police station. The cyber police investigated and found who the money had been transferred to, the plea stated. The bank, however, did not give a positive response to their complaint, it added.

“On perusal of the complaint, it appears that the complainant received a mail allegedly from the opposite party and he clicked on the link mentioned in the said mail and furnished details about his user id and password and other details as were asked in the email. Thereafter, the fraudster carried out fraudulent transactions,” the order states.

“It is apparent that the complainant has not been diligent in his operations related to banking and has given his user id and password to the fraudster/hacker on his own. The opposite party, the bank, always reminded its customers never to share user id and passwords of their bank accounts with anyone to prevent any unauthorised access to bank accounts,” the forum states, adding that the complainant had therefore given up protection to his bank account by giving the details to the fraudster. The forum dismissed the plea stating it was not maintainable.

Tuesday, January 3, 2017

Tokyo Online Security: US Leads The World In Online Fraud


Global retailers can expect 12 per cent growth in online fraudulent activity in the upcoming holiday season, compared with the same period last year — and lower ticket prices on fraudster-targeted gifts and products.

That’s the analysis which falls out of new benchmark data from ACI Worldwide.

The data, based on hundreds of millions of transactions from retailers globally, provides advice that merchants can leverage to protect against fraudulent activity this holiday season.

- Card Not Present (CNP) global online fraud attempt rates are expected to increase 12 per cent by volume over the same peak holiday period in 2015 — with sales to increase by nearly the same rate (13 per cent) in 2016.
  - Fraud and new business growth are rising at the same rate globally.
- US CNP fraud attempt rates are expected to increase by 43 per cent by volume.
  - Following the US adoption of EMV chip cards, which protect card data through encryption, fraud is shifting online as fraudsters are more effectively deterred from in-store fraud.
- The 2015 trend of lower ticket prices will continue in 2016, due to alternative shipping methods (e.g. buy online/pick-up in-store), low-priced electronics and promotions.
  - In the US, the attempted-fraud average ticket value (ATV), or a retailer’s average size of individual sales by credit card, is expected to decline from $239 to $219, an 8 per cent decrease.
  - Fraudsters are expected to focus on cosmetics, cordless headphones, sneakers and other lower-priced items (including ‘Gift with Purchase’ products) that can be easily resold on the black market or via auction websites.

According to Mike Braatz, chief product officer, ACI Worldwide, “Fraud is increasing at a rate nearly equal to general retail growth globally — and is exponentially increasing in the US, due to a seismic shift from in-store to online activity.”

He added, “Because fraudulent activity is now considered to be an everyday occurrence, consumers and merchants must take every precaution as we head into peak holiday shopping season.”

Fraud will peak on Christmas Eve with nearly 2.5 per cent fraud, due to the popularity of gift cards and last-minute shopping via buy online/pick-up in-store.

“Merchants need to understand their peak days and the sales that drive those high velocity times to ensure risk strategies are effective and efficient,” said Braatz. “It’s important to prioritize real-time fraud detection without alienating the consumer experience.”


Wednesday, December 28, 2016

Security and Risk Online: Experts predict 2017's biggest cybersecurity threats

From internal threats to creative ransomware to the industrial Internet of Things, security experts illuminate business cybersecurity threats likely to materialize in the next year.


If 2016 was the year hacking went mainstream, 2017 will be the year hackers innovate, said Adam Meyer, chief security strategist at SurfWatch Labs. Meyer analyzes large and diverse piles of data to help companies identify emerging cyber-threat trends. "2017 will be the year of increasingly creative [hacks]," he said. In the past, cybersecurity was considered the realm of IT departments, Meyer explained, but no longer. As smart companies systematically integrate security into their systems, hacker culture, too, will evolve.

"Cybercriminals follow the money trail," Meyer said, and smart companies should adopt proactive policies. Ransomware attacks grew quickly, he said, because the attacks are "cheap to operate, and many organizations are not yet applying the proper analysis and decision-making to appropriately defend against this threat."

It's equally cheap to identify internal vulnerability to hacks and to apply preventative best practices, Meyer said. But for many companies it's not as easy to understand the cybersecurity threats most likely to impact business. To help, TechRepublic spoke with a number of prominent security experts about their predictions for near-future cybersecurity trends likely to impact enterprise and small business in 2017.

Cyber-offense and cyber-defense capacities will increase - Mark Testoni, CEO at SAP's national security arm, NS2

We will see an increased rate of sharing of cyber capabilities between the commercial and government spaces. Commercial threat intelligence capabilities will be adopted more broadly by organizations and corporations... High performance computing (HPC), in conjunction with adaptive machine learning (ML) capabilities, will be an essential part of network flow processing because forensic analysis can't stop an impending attack. HPC + adaptive ML capabilities will be required to implement real-time network event forecasting based on prior network behavior and current network operations... [Companies will] use HPC and adaptive ML to implement real-time behavior and pattern analysis to evaluate all network activity based on individual user roles and responsibilities to identify potential individuals within an organization that exhibit "out of the ordinary" tendencies with respect to their use of corporate data and application access.

Ransomware and extortion will increase - Stephen Gates, chief research intelligence analyst at NSFOCUS

The days of single-target ransomware will soon be a thing of the past. Next-generation ransomware paints a pretty dark picture as the self-propagating worms of the past, such as Conficker, Nimda, and Code Red, will return to prominence—but this time they will carry ransomware payloads capable of infecting hundreds of machines in an incredibly short timespan. We have already seen this start to come to fruition with the recent attack on the San Francisco Municipal Transport Agency, where over 2,000 systems were completely locked with ransomware and likely spread on its own as a self-propagating worm. As cybercriminals become more adept at carrying out these tactics, there is a good chance that these attacks will become more common.

As more devices become internet-enabled and accessible and the security measures in place continue to lag behind, the associated risks are on the rise. Aside from the obvious risks for attacks on consumer IoT devices, there is a growing threat against industrial and municipal IoT as well. As leading manufacturers and grid power producers transition to Industry 4.0, sufficient safeguards are lacking. Not only do these IoT devices run the risk of being used to attack others, but their vulnerabilities leave them open to being used against the industrial organizations operating critical infrastructure themselves. This can lead to theft of intellectual property, collecting competitive intelligence, and even the disruption or destruction of critical infrastructure. Not only is the potential scale of these attacks larger, most of these industrial firms do not have the skills in place to deal with web attacks in real-time, which can cause long-lasting, damaging results. This alone will become one of the greatest threats that countries and corporations need to brace themselves for in 2017 and beyond.

Industrial IoT hacks will increase - Adam Meyer, chief security strategist at SurfWatch Labs

IoT security threats have been talked about, but not really worried about by most because a serious incident had yet to occur. With the 2016 DDoS attack on Dyn, and the ripple effect it created, we will see more scrutiny on security within the IoT marketplace. Vendors will work in new security precautions, but at the same time, criminals will also increase their attention on new ways to leverage IoT devices for their own malicious purposes. There are plenty of "As-A-Service" attack capabilities on the Dark Web for hire now and we should expect creative new IoT hack services to pop up in the near future.

Internal threats will increase - James Maude, senior security engineer at Avecto

As organizations adopt more effective strategies to defeat malware, attackers will shift their approach and start to use legitimate credentials and software - think physical insiders, credential theft, man-in-the-app. The increased targeting of social media and personal email bypasses many network defenses, like email scans and URL filters. The most dangerous aspect is how attackers manipulate victims with offers or threats that they would not want to present to an employer, like employment offers or illicit content. Defenders will begin to appreciate that inconsistent user behaviors are the most effective way to differentiate malware and insider threats from safe and acceptable content.

A big part of the challenge with cyberattacks is how businesses think threats can be filtered at the perimeter. Be warned that this is not the case. Attackers are aware of how to directly target users and endpoints using social engineering. The industry needs to be more proactive in thinking about how to reduce the attack surface, as opposed to chasing known threats and detecting millions of unknown threats. With an increasingly mobile workforce and threats coming through both personal and business devices and services, the impact of perimeter defenses has decreased. Security needs to be built from the endpoint outwards.

Business security spending will increase - Ed Solis, Director of Strategy & Business Development at CommScope

Security is part of every business and IT discussion these days and it will only become more intense in 2017. We see an increase in the demand for video for surveillance, both for government and private businesses. This issue includes physical security—securing the building, people, and assets—as well as network and data security... In 2017, security conversations will continue to intensify around not only securing data and networks but physical security as well - think buildings, people, and assets. We also expect to see an increased demand for video surveillance across the public sector and private business.

Security will no longer be an afterthought - Signal Sciences' Co-Founder & Chief Security Officer, Zane Lackey

2017 will be a critical year for security, starting with how it's built into technology. DevOps and security will change the way they work together as they realize the need to integrate with each other in order to survive. With IoT on the rise, security will continue to be the primary obstacle preventing consumers from fully welcoming connected devices into their homes and lifestyles. Consumers and businesses are getting smarter and security vendors will be held more accountable in keeping them safe.


Thursday, November 24, 2016

Security and Risk Online: Fake Retail Apps Are Surging Before Holidays

Hundreds of fake retail and product apps have popped up in Apple’s App Store in recent weeks — just in time to deceive holiday shoppers.

The counterfeiters have masqueraded as retail chains like Dollar Tree and Foot Locker, big department stores like Dillard’s and Nordstrom, online product bazaars like Zappos.com and Polyvore, and luxury-goods makers like Jimmy Choo, Christian Dior and Salvatore Ferragamo.


“We’re seeing a barrage of fake apps,” said Chris Mason, chief executive of Branding Brand, a Pittsburgh company that helps retailers build and maintain apps. He said his company constantly tracks new shopping apps, and this was the first time it had seen so many counterfeit iPhone apps emerge in a short period of time.

Some of them appeared to be relatively harmless — essentially junk apps that served up annoying pop-up ads, he said.

But there are serious risks to using a fake app. Entering credit card information opens a customer to potential financial fraud. Some fake apps contain malware that can steal personal information or even lock the phone until the user pays a ransom. And some fakes encourage users to log in using their Facebook credentials, potentially exposing sensitive personal information.

The rogue apps, most of which came from developers in China, slipped through Apple’s process for reviewing every app before it is published.

That scrutiny, which Apple markets as an advantage over Google’s less restrictive Android smartphone platform, is supposed to stop any software that is deceitful, that improperly uses another company’s intellectual property or that poses harm to consumers.

In practice, however, Apple focuses more on blocking malicious software and does not routinely examine the thousands of apps submitted to the iTunes store every day to see if they are legitimately associated with the brand names listed on them.

With apps becoming more popular as a way to shop, it is up to brands and developers themselves to watch for fakes and report them, much as they scan for fake websites, said Ben Reubenstein, chief executive of Possible Mobile, a Denver company that makes apps for JetBlue Airways, the PGA Tour and the Pokémon Company, among others.

“It’s important that brands monitor how their name is being used,” he said.

Apple removed hundreds of fake apps on Thursday night after The New York Times inquired about the specific app vendors that created many of them. Other apps were removed after a New York Post article last week drew attention to some of the counterfeits.

“We strive to offer customers the best experience possible, and we take their security very seriously,” said an Apple spokesman, Tom Neumayr. “We’ve set up ways for customers and developers to flag fraudulent or suspicious apps, which we promptly investigate to ensure the App Store is safe and secure. We’ve removed these offending apps and will continue to be vigilant about looking for apps that might put our users at risk.”

In September, Apple also embarked on a campaign to review all two million apps in the App Store and remove “apps that no longer function as intended, don’t follow current review guidelines or are outdated.” The company says that a significant number of apps have been removed and that the review is continuing.

Despite Apple’s efforts, new fake apps appear every day. In some cases, developers change the content of an app after it has been approved by Apple’s monitors. In other instances, the counterfeiters change their names and credentials, and resubmit similar apps after one round of fakes is discovered.

“It’s a game of Whac-a-Mole,” Mr. Mason of Branding Brand said.

On Friday, for example, an entity calling itself Overstock Inc. — an apparent attempt to confuse shoppers looking for the online retailer Overstock.com — was peddling Ugg boots and apparel through a fake app that was nearly identical to one banished by Apple on Thursday.

The same Chinese app developer, Cloaker Apps, created both fake Ugg apps on behalf of Chinese clients.

Jack Lin, who identified himself as the head of Cloaker, said in a phone interview in China that his company provides the back-end technology for thousands of apps but does not investigate its clients.

“We hope that our clients are all official sellers,” he said. “If they are using these brands, we need some kind of authorization, then we will provide services.”

Mr. Lin said Cloaker charged about 20,000 renminbi — about $3,000 — for an app written in English.

But like so many of the apps his company produces, Cloaker is not what it purports to be. Its website is filled with dubious claims, such as the location of its headquarters, which it says is at an address smack in the middle of Facebook’s campus in Menlo Park, Calif.

In the interview, Mr. Lin at first said he had offices only in China and Japan. When asked about the California office, he then claimed to have “tens of employees” at the Facebook address.

China is by far the biggest source of fake apps, according to security experts.

Many of the fake retail apps have red flags signaling that they are not real, such as nonsensical menus written in butchered English, no reviews and no history of previous versions. In one fake New Balance app, for example, the tab for phone support did not list a phone number and said, “Our angents are available over the hone Monday-Firday.”

Data from Apptopia show that some of the fake apps have been downloaded thousands of times, although it is unclear how many people have actually used them. Reviews posted on some of the apps indicated that at least some people tried them and became frustrated. “Would give zero stars if possible,” wrote one reviewer of the fake Dollar Tree app. “Constantly gets stuck in menus and closes what you were doing and makes you start over.”

Mr. Mason says consumers want to shop online and they search for apps from their favorite stores and brands.

“The retailers who are most exposed are the ones with no app at all,” he said. Dollar Tree and Dillard’s, for example, have no official iPhone apps, which made it easier to lure their customers to the fake apps.

But the counterfeiters have also mimicked companies that do have an official presence in the App Store, hoping to capitalize on consumer confusion about which ones are real.

The shoe retailer Foot Locker Inc., for example, has three iPhone apps. But that did not stop an entity calling itself Footlocke Sports Co. Ltd. from offering 16 shoe and clothing apps in the App Store — including one purporting to be from a Foot Locker rival, Famous Footwear.

Similarly, the supermarket chain Kroger Company has 20 iPhone apps, reflecting the various retail chains in its empire. An entity calling itself The Kroger Inc. had 19 apps, purporting to sell things as diverse as an $80 pair of Asics sneakers and a $688 bottle of Dior perfume.

Some of the fake apps have even used Apple’s new paid search ads to propel them to the top of the results screen when customers search for specific brands in the App Store.

Jon Clay, director of global threat communications for Trend Micro, an internet security firm, said Apple’s tight control over the iPhone had historically kept malicious apps out of its App Store. Fake apps appeared more often on Google’s Android platform or on third-party app stores, he said.

But that is beginning to change. Shortly after the Pokémon Go game was released in the United States in July, for example, a spate of fake iPhone apps related to the game appeared, especially in countries where the game was not yet available.

“The criminals are going to take advantage of whatever is hot,” Mr. Clay said.