“Old” Malware Attacks Rising Significantly

Earlier this week McAfee Labs™ released the McAfee Threats Report: First Quarter 2013, which reported that malware shows no sign of changing its steady growth, which has risen steeply during the last two quarters.

Many of the most significant growth trends from previous three quarters actually went into remission, while older types of attacks and what can only be called “retro-malware” experienced significant new growth.

The resurgence of these “retro-malware” includes:

Koobface: This worm targets Facebook, Twitter and other social networking users was first discovered in 2008, and had been relatively flat for the last year yet it tripled in the first quarter of 2013 to levels never previously seen. That’s a record high point and double the size of the prior mark, set in the fourth quarter of 2009. The resurgence demonstrates that the cybercriminal community believes that social networking users constitute a very target-rich environment of potential victims. To avoid falling victim make sure you are careful of what links you click on in social media sites—don’t fall for those too good to be true deals!

Mobile Malware:  Android malware continued to skyrocket, increasing by 40% in Q1. Almost 30% of all mobile malware appeared this quarter. While the overall growth of mobile malware declined slightly this quarter, McAfee Labs expects to see another record year for mobile malware. You need to be proactive and protect your mobile devices with comprehensive security software and pay attention to social engineering attempts to get you to give up your personal information.

Suspect URLs: Cybercriminals continued their movement away from botnets and towards drive-by downloads as the primary distribution mechanism for malware. At the end of March, the total number of suspect URLs tallied by McAfee Labs overtook 64.3 million, which represents a 12% increase over the fourth quarter. This growth is most likely fueled by the fact that these malicious sites are more nimble and less susceptible to law enforcement takedowns. You should take care to make sure you’re using a safe search tool to visit sites that you know are safe before you click.

Ransomware: Ransomware has become an increasing problem during the last several quarters, and the situation continues to worsen. With ransomware, cybercriminals hold your computer or mobile device files “hostage” and insist on payment to unlock it. But there are no guarantees that they will “free” your device after you pay. One reason for ransomware’s growth is that it is a very efficient means for criminals to earn money and various anonymous payment services make it hard to track them down. The problem of ransomware will not disappear anytime soon. You should always take precautions to back up your valuable data.

AutoRun malware:  Traditionally, AutoRun worms were distributed via USB thumb drives or CDs. This type of malware can allow an attacker to take control of your system or install password stealers. AutoRun malware has risen rapidly for two quarters and reached a new high, with almost 1.7 million new threats. The spike is likely being driven by the popularity of cloud-based file-sharing services. Having comprehensive security that automatically scans all devices that are attached to your computer and scans your hard drive is a must to protect against this.

Spam: After three years of stagnation, spam email volume rose dramatically. McAfee Labs counted 1.9 trillion messages as of March, which is lower than records levels, but about twice the volume of December 2012. One significant element behind this growth in North America was the return of “pump and dump” spam campaigns, which targeted would-be investors hoping to capitalize on all-time equity market highs.

 

We are facing an uphill battle against the growing threats and attacks. Fortunately we can protect all our devices including PCs, Macs, smartphones and tablets with one solution, McAfee LiveSafe. Of course you should still take care to educate yourself on the latest threats and techniques that cybercriminals use and be suspicious of anything that doesn’t seem right.

Stay safe!

Robert Siciliano is an Online Security Evangelist to McAfee. Watch him discussing information he found on used electronic devices YouTube. (Disclosures)

5 More Mobile Security Tips

A cybercriminal’s full time job is creating new crimes, and he or she will make full use of technology to hide their activities to fool you. And with mobile devices, this is no different.

The threat to our mobile devices is also high because our smartphones are always connected, they usually carry some personal data, and they are even equipped with small cameras, microphones, and positioning devices (just like the spies carried in old movies). And because there are more built-in devices options (like cameras and microphones) compared with computers, it makes the operating systems and apps more complex, increasing the way that cybercriminals can take advantage of any security holes.

But you can focus on doing some things that will help you be more secure when using your mobile devices. We provided five tips here and now here’s five more:

Be careful when “checking in” on social sites: Facebook, FourSquare and other geo-location programs are fun and sometimes you can score some deals for “checking in” at locations, but you also want to be cautious of letting people know where you are – especially if you’re away from home. And you also may want to consider disabling the GPS (global positioning system) on your smartphone or tablet so your photos don’t’ have latitude and longitude information embedded into them when you share them.

Don’t remember it-forget it: Don’t set user name and passwords to be remembered in your mobile browser or in apps and make sure you always log out of accounts when you access them. And like on your computer, make sure you use strong passwords and different passwords for each of your accounts.

Be careful what you share: Yes it’s fine to stay in touch with our friends and family via social networks, but be careful what you share. Even if your privacy settings are set to only let your friends see the information, it’s best to take the approach that once something is online, it lives forever. Think if you’re really ok with your grandmother or boss to see that update, picture or video.

Don’t text or email personal information: While this might seem pretty basic, we may find we need to share credit card numbers or personal details with another person. But this should be done via a secure site or app or use your mobile’s other function (the basic phone part). Emails and texts can be intercepted and then your information can fall into the wrong hands. Also remember that legitimate organizations like banks will not ask you to text personal details like that so if you see requests like that, it’s most likely scam.

Turn off your Bluetooth: If you’re not using this connection, it’s best to turn it off. Not only will this help save your battery life, but it prevents hackers from accessing your device through this technology. Many devices are preset to use default settings that allow other users to connect to your device, sometimes without your knowledge. In some cases, hackers can access a phone’s contacts, calendar, text messages, and more.

 

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  (Disclosures)

Why it’s Critical to Protect Data on Digital Devices

When devices are lost or hacked and your data is exposed, not only is this a pain to deal with, but you could become a victim of identity theft. Not only do victims of identity theft suffer loss of time  but they also lose money that may not be able to be recovered . In McAfee’s recent study, they found on average that people have over $35,000 worth of digital assets stored on their digital devices, further demonstrating the need to protect your personal data on all of your digital devices.

Studies show that identity theft can take anywhere from one hour to 600 hours to rectify, and so dealing with multiple breaches can potentially add up to several wasted years of your life. Other studies have shown that as many as 25% of victims never fully restores his or her compromised identity. The victim has to deal with it for life. It’s just a constant administrative process that never goes away.

For some people, the consequences of identity theft include financial ruin, wrecked marriages, lost jobs or emotional distress. It can be like a recurring plague. Identity theft is not something you want to happen to you or anyone you love.

What are the most effective ways to protect the data on your devices?

Be careful what you store on your devices. Passwords, driver’s license numbers, credit cards, tax statements—all of these can be used to steal your identity.

Be vigilant about what you post online—Remember online is forever and also hackers use online properties to find out information about you and then use this information to try and lure you to giving them more information through phishing and other tactics.

Use strong passwords—this is often the first line of defense against hackers. Remembers passwords should be at least ten characters in length and ideally use a combination of upper and lower case letters, numbers and symbols and not spell any words or use things like pets’ names or birthdays.

Protect all your devices—PCs, Macs, tablets and smartphones with comprehensive security, likeMcAfee® LiveSafe that includes:

Basic security like antivirus, anti-spyware, anti-phishing, anti-spam and a firewall

Remote locate and lock software to track and lock your PCs, tablets and smartphones if they are lost or stolen.

Password management software to help you securely manage all your usernames/passwords and with one click securely login to any site from any of your devices.

Secure online storage for your most sensitive documents that is only accessible with your face and voice.

Our use of digital devices bring great flexibility and convenience that most of us have come to rely on. It’s up to us to also take steps to make sure we are protecting ourselves and our family, our data and identity.

Robert Siciliano is an Online Security Evangelist to McAfee. Watch him discussing information he found on used electronic devices YouTube. (Disclosures)

Weak Passwords Can Cost You Everything

If your computer or mobile was hacked or your passwords were cracked and your data was lost or if all the websites you have an account with were hacked and all that information was the hands of a criminal, how devastated will you be?

In McAfee’s study on the value of digital assets, consumers estimated the total value of all their digital assets on multiple devices at an average of $35,000. Digital assets include: music downloads, videos, photos, apps, emails, text messages, health/financial/insurance records, resumes/CVs, portfolios, contacts, recipes, etc.

Nowadays, if you’re shopping, banking or using social media sites online, you need a user name and password. If you’re like most people, you probably take the easy way out and use the same user name and password for every new site you access.

The challenge is that some sites let you use numbers and symbols in your password and some don’t, or the user name you want may be taken. And an even bigger problem is with all those valuable assets we store on our devices, you are leaving yourself open to exposure by using the same password everywhere—if one account ends up getting hacked, all your accounts could be hacked.

Did you know that?

Over 60% of us have 3+ digital devices

55% of us store digital assets on these devices that would be impossible to recreate, re-download or re-purchase

Over 75% of us visit 5 or more sites regularly that require passwords

63% of us use easy to remember passwords or use the same password for most sites

17% of us do little to nothing to protect our passwords

You need a better plan

Make sure you use different passwords for each of your accounts

Always log off if you leave your device and anyone is around and don’t use the “remember me” function on your browser or mobile apps

Avoid entering passwords on computers you don’t control (like computers at an Internet café or library) or when using unsecured Wi-Fi connections (like at the airport or a coffee shop)

Don’t tell anyone your password—your trusted friend now might not be your friend in the future

Depending on the sensitivity of the information being protected, you should change your passwords periodically, and avoid reusing a password for at least one year.

Use comprehensive security software on ALL your devices (not just your PC!), like McAfee®LiveSafe, that comes with a password manager that securely stores your usernames and passwords to your favorite sites, and logs in for you—with just one click

Here’s some tips on how to create a strong password. Remember, your password is often your first line of defense—protect yourself!

And don’t forget to play The $35,000 Question game on Facebook for a chance to win some prizes, while learning about protecting your digital assets!

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

What are My Risks with My Mobile Device?

Mobile technology is the new frontier for fraudsters. Today, there are more wireless devices than American people. Mobile devices connect to the Internet and have much of the same information and capability as a personal computer.

Your device and the private data it holds are very, very attractive to thieves. Yet, most of us don’t protect our smartphones or tablets—and the private information they contain—anywhere near as well as we do our wallets and PCs.

We make life easy for them. The places and ways that we use smartphones and tablets offer new chances for criminals to catch us off our guards—in the coffee shop, on the train, while shopping. When we are using our mobile devices, we usually have other things happening around us as well as on the device. We are easily distracted. And we want what we want now. Click to download. Click to view. Click to get a free app. Few of us take the time to “think before we click.”

We store passwords, bank account information, photos, and all our contacts on these devices so we can be even more fast and efficient as we live our mobile lives. That’s why 51% of us would rather lose our wallets than our mobile phones.

Some of the things you can expose yourself to if you don’t protect your mobile device include:

Financial fraud: Someone takes over your bank account, extracts money, or sets up a premium text scam where you pay for messages you don’t want.

Identity theft: By having information about you, someone can pretend to be you and sign up for credit cards, identity papers—even buy a car. It can take years to recover your good name.

Privacy loss: Someone gets information about you that you don’t want out there, including social network activities, GPS location, searches, texts, instant messages, downloads and app usage. This information could be just embarrassing—or it could cost you a friendship, a job, your credit rating or a chance for college.

Losing your device: In addition to having to buy a new device (unsubsidized by the operator), you can give a thief the information needed for the fraud, identity theft and privacy loss mentioned above.

To ensure that you protect your smartphone and tablet you should:

Don’t click on links in texts or emails, since these links may actually point toward malicious downloads

Keep your device with you, don’t let it out of your sight and don’t share it with others.

Make sure to have a pass code on your device and set it to auto-lock after a certain period of time

Before downloading any app, check other users’ reviews to see if it is safe, and read the app’s privacy policy to make sure that it is not sharing your personal information

Carefully review your mobile phone bills for any anomalies

Use comprehensive mobile security that include anti-theft, antivirus and web protection like McAfee Mobile Security or McAfee All Access

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  (Disclosures)

What is malware and why should I be concerned?

“Malware” is a shortened version of the words malicious software. It is defined as: a generic term used to describe any type of software or code specifically designed to exploit a computer/mobile device or the data it contains, without consent.

Most malware is designed to have some financial gain for the cybercriminal. Whether they are seeking your financial account information or holding your computer files for ransom or taking over your computer or mobile device to “rent” it out for malicious purposes to other criminals, they all involve some sort of payment to the cybercriminal. And because they are making money with malware, they continue their malicious ways.

There are a number of ways that malware can get “on” your computer or mobile device. You might open an attachment from someone you know whose files have already been infected. You might click a link in the body of an email or on a social networking site that automatically down­loads a virus. You might even click an ad banner on a website and end up downloading a virus or malware (known as “malvertising”). Or just by visiting a site you could get infected from what is called a drive-by download. Malware is also spread by sharing USB drives and other portable media.

And, now that mobile phones and tablets are basically mini computers, cybercriminals are targeting mobile devices. They are taking advantage of the inherent nature of the device to spread the malware, so as a mobile user you not only need to be aware of the same tricks cybercriminals use for computers, but also ones that apply to mobile devices.

Currently most mobile malware is spread by downloading an infected app so you need to be aware of what sites you download apps from and what permissions it accesses on your mobile device. Mobile malware can also spread via text messages (SMS). Scammers send phishing messages via text (called SMiShing) to try and lure you to give up personal or financial information or sign you up to premium text messages unknowingly.

What does this mean for you? You need to be aware of these tricks and scams as it could mean financial loss, reputation harm and device damage to you and your friends.There are things you should do to protect yourself, including making sure you protect all your devices with a cross-device security software like McAfee All Access. You should also make sure to:

Keep your operating system and applications updated, as updates often are to close security holes that have been exposed

Avoid clicking on links in emails, social networking sites, and text messages, especially if they are from someone you don’t know

Be selective about which sites you visit and use a safe search plug-in (like McAfee SiteAdvisor which is included with McAfee All Access) to protect you from going to malicious sites

Be choosy about which apps you download and from which sites you download them and be sure to look at the permissions for what information its accessing on your mobile device

Be smart and stay aware about cyber tricks, cons, and scams designed to fool you

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen.  Disclosures.

Yes, There are “Mother’s Day” Scams

With Mother’s Day just around the corner, cybercriminals are working up ways to take advantage of this time when you’re online looking to buy flowers, candies, perfumes, jewelry or whatever gifts for mom might be hot this year. Phishersfollow a similar editorial calendar as newspaper and magazine editors, coordinating their attacks around holidays and the change in seasons. They also capitalize on significant events and natural disasters.

They are trying to get you to click links that will either infect your PC with malware, or visit a website that offers you too good to be true deals on gifts for mom. If you download malware from a bad link, everything you type into your computer could be recorded by the cybercriminal, you could be unknowingly sending them your personal information, or the malware could render your machine useless. Entering your personal and credit card information on a fake site could results in charges on your card, never receiving the item you “purchased, “ and even the possibility of new cards opened in your name.

To help make this Mother’s Day enjoyable for you and your mom, make sure to follow these steps when shopping online:

Be wary of offers that are too good to be true—the usually are.

Always be suspicious when you receive an email or text message from a company asking for personal information—legitimate companies do not ask for personal information in emails or texts

Don’t click on a link in emails, texts, or chats from someone you don’t know

To ensure you’re visiting the correct site, type the store site URL into your browser’s  address bar or use a safe search plug-in, like McAfee® SiteAdvisor® , that comes with McAfee® All Access, and shows you in your browser search results if a site is safe or not.

Use comprehensive security software on all your devices that includes anti-spam and malware protection.

Make sure you protect yourself so you don’t get your credit card maxed out and then go crying to your mom on Mother’s Day.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  (Disclosures)

Are you Hackable or Uncrackable? “Password Day” is Today!

Yes, such a day exists and it’s today, May 7th 2013. Intel and McAfee are working to make sure consumers increase their security awareness and front line of digital protection by asking everyone to change their passwords today.

Reuse of passwords across multiple sites is a big problem. In the digital world, many of us are much more vulnerable than we need to be. For example, it’s very likely that your Amazon password is the same as your Gmail password and also the same one you use for online banking and your Facebook account.

In fact, 74% of Internet users use the same password across multiple websites1, so if a hacker gets your password, they now have access to all your accounts. Reusing passwords for email, banking, and social media accounts can lead to identity theft and financial loss.

And what’s worse is that many people use simple, easy to guess passwords. A recent study found that the most common passwords people use are “password,” “123456,” and “12345678.”2 No wonder cybercriminals are finding it so easy to get into our accounts.

The solution is as simple as changing your habits. Take a moment to protect yourself in a basic area of security, and you can save hours of trouble. In fact you can test how hackable your password is with this tool from Intel.

If you need help moving from just one password, here’s a trick: Use one for your bank accounts, another for email and social networking accounts, so if your email account gets hacked, your bank account isn’t compromised. For more tips on how to create a simple, secure password, read this article.

ChangedMyPasswordInfographicTall

Here are some other tips to protect your password:

Avoid logging onto sites that require passwords on public computers, such as those at an Internet café or library—these computers may contain malware that could “record” what you are typing.

Avoid entering passwords when using unsecured Wi-Fi connections, such as at an airport or in a coffee shop—your passwords and other data can be intercepted by hackers over this unsecured connection.

Don’t use the “remember me” function on your browser or within apps—if you walk away or lose your device, someone could easily login to your accounts.

Use comprehensive security software on all your devices, like McAfee All Access, and keep it up to date to avoid malware that could “see” what you are typing on your device or unknowingly send data to hackers.

Password Day is more than a day, it’s a way of life. Don’t leave the backdoor to your life open. Pledge to change yours today.

For more information, join @Intel@McAfeeConsumer@StopThnkConnect and @Cyber (the Department of Homeland Security) for a tweet chat today at 3pm ET on protecting your passwords. To participate simply use the hashtag #ChatSTC.

 

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  (Disclosures)

Do I Need to be Concerned About Cybercrime?

The short answer is yes! You should be concerned. And even if you’re not concerned for yourself, with the Internet all of us are interconnected so cybercrime does not just affect one person or one group, but all of us.

Imagine your body being targeted by 100 million viruses. That is exactly what cybercriminals are doing to your networked digital devices. Laptops, desktops, Macs, iPads, iPhones, BlackBerrys, Androids and Symbian mobile phones are all at risk. Research from McAfee Labs reveals a variety of threats that exist “in the wild” that you need to be aware of.

Malware: For 2012, new malware sample discoveries increased 50% with more than 120 million samples. The nature of the threats aimed at PC users continues to become more dangerous and sophisticated as the cybercriminals invent new ways to disguise their activity. PC-targeted malware saw an increased growth in drive-by downloads (read my blog on this), which allows a cybercriminal to surreptitiously download malware from a website without your knowledge. Cybercriminals have clearly figured out that user authentication credentials constitute some of the most valuable intellectual property that can be found on most computers.

Spam and phishing: Believe it or not, spam volume has decreased…to a mere one trillion messages per month. McAfee Labs has observed major developments in targeted spam, or what’s often called “spear phishing.” By using information they collect about you, spear phishers create more realistic messages that increase the chance you will click.

Bad URLs: The number of new suspicious URLs increased by 70% in Q4 2012, averaging 4.6 million new, suspect URLs per month. This is almost double the previous 2.7 million per month figure from the last two quarters. 95% of these URLs were found to be host malware, exploits or code designed specifically to compromise your computers.

Mobile: The number of mobile malware samples discovered by McAfee Labs in 2012 was 44x the number found in 2011. This means that 95% of all mobile malware samples ever seen appeared in the last year. Also cybercriminals are now dedicating essentially all of their efforts to attacking Android, with 97% of malware samples found in the last year aimed at this one operating system.

Besides the proliferation in the amount of mobile devices, there are a number or reasons why cybercriminals are targeting mobile including:

Valuable information that can be found on your mobile devices, including passwords and contacts and the fact that 36% of users lacking basic protection such as a PIN to lock the device

New “opportunities” to make money, such as malware that sends premium text messages that you get charged for but not notice on your device

The fact that some users “hack” their phones to customize the interface or add functionality, thus allowing hackers to exploit the device’s vulnerabilities

The ability to install malware that blocks software updates from your carrier – some of which are designed to protect against security holes

The threat landscape continues to evolve on many fronts in ways that threaten both consumers, small-to-medium-sized businesses and large enterprises. This is why it is critical for you to use comprehensive security software on all your devices, like McAfee All Access, and keep it up to date.

Source: McAfee Q4 2012 Threats Report

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  (Disclosures)

5 Signs You Are About to be Scammed

Smart people are scammed every day because they think it can’t happen to them or they just aren’t aware of the scams. And the scammers have gotten very good at disguising their scams, so it’s often hard to recognize them.

Scamming generally involves a form of social engineering. Social engineering is the act of manipulating people into performing actions or divulging confidential information. It relies on human interactions, such as trying to gain confidence of someone through trickery or deception for the purpose of information gathering, fraud, or device access. This can take many forms, both online and offline.

Smart criminal hackers use social engineering as a very effective tool and as a part of their strategy when gathering information to piece together the parts of their scams. In my opinion, it’s just a fancier, more technical form of lying.

Social engineering has always been a “person-to-person” confidence crime. Once the scammer gains your trust, they use this information against you in the hopes of gaining access to your finances.

Be confident in your ability to outsmart the bad guys. Here’s five things you should know:

Don’t click links in emails, text messages, chat. Any link, whether shortened or not, can point to somewhere it shouldn’t. If you need to click on the link, make sure you have security software installed that will block you from automatically being directed to a malicious site.

Be wary of multiple recipients and who the email is from. If the email is going to you and a dozen other people, or it’s from your bank but the from email address is: yourbank@gmail.com, then you should be suspicious.

Note generic/spammy/nonexistent subject lines. Look in your spam folders. There are some pretty ridiculous subject lines, right? If something like that shows up in your inbox, delete it.

Down with scammer grammar. If it is SPELD rong or IN ALL CAPs or ,has ,those ,stupid ,commas in the wrong ,place, it’s a scam.

Urgency or ridiculous requests. There is no hurry; you didn’t win anything and your uncle from Latvia didn’t leave you any money. Just delete ‘em.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  (Disclosures)