Business Identity Theft; Big Brands, Big Problems

Cyber criminals go after brand names like vultures, infiltrating company websites, hijacking mobile applications and tainting online ads, among other tricks.

http://www.dreamstime.com/stock-photos-identity-theft-red-words-binary-code-computer-monitor-image39907813Some corporate websites aren’t as secure as business leaders think they are—and cyber thieves know this. They use the “watering hole” technique to infiltrate the system. Ever see an animal TV show in which the lions wait in the brush, camouflaged, for their unsuspecting prey to approach the lone body of water? You know the rest.

Think of the company’s website as the watering hole. The company typically uses “landing pages” to entice people to their main site, but leave the landing pages up after they’ve served their purpose. Here’s where trouble starts, fewer resources are devoted to monitoring or updating these pages, allowing hackers to pounce on the vulnerabilities and insert malicious code, luring visitors to malicious sites using the trusted reputation of the brand..

Ultimately, the brand name becomes associated with this. Some examples as reported by Forbes.com:

  • The nbc.com home page was infected with the Citadel/Zeus installation malware.
  • The U.S. Veterans of Foreign Wars’ website was infected with malware.
  • Third-party app stores are a source of downloaded malware, since these are usually un-policed. Apps can be repackaged with mal-code, creating an association of bad with the brand name of that app. The mal-code could gather personal data on the purchaser, which is then sold to data brokers, violating user privacy, making the user think pretty negatively about the brand name.
  • Malvertisements are malicious ads that crooks place on legit websites. These normal-appearing ads spread bad things around, and do NOT have to be clicked to trigger a viral attack.
  • Banner ads can also be the target of injected mal-code.
  • These clever crooks will even pose as an actual name-brand company and put up legitimate ads on a website, but then replace those with mal-ads over the weekend—which go undetected because IT departments are lax on the weekends. After oh, say, a few million computers and mobiles are infected, the thieves stick the original, legit ad back in, which makes their crime difficult to track.

Third-party networks place a lot of ads, making it very hard to hunt down malvertising fraud. This complexity can make it virtually impossible for companies to protect themselves against 100% of malicious attacks.

Robert Siciliano is an Identity Theft Expert to AllClear ID. He is the author of99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.