What Should I Know about Mobile Cybercrime?

The Internet has dissolved the geographical boundaries and technological limitations that have constrained organized cybercrime in the past. We now live with cybercrime syndicates based in the US, Russia, Asia and all over the globe. When hackers in the US are sleeping, the ones in China are flexing their fingers on their keyboards, and the ones in Eastern Europe are waking up. Cybercrime never stops.

The brave—and ballooning—new world of smartphones and tablets offers tremendous scope and volume for these organizations. Mobile devices run on different operating systems and use different apps from PCs and Macs, which presents opportunities to create new device-specific attacks.

Even more interesting, mobile devices require an entire ecosystem of businesses to make them work. Data you transmit or receive has to make it through a conga line of companies that can include your device manufacturer, wireless carrier, app developer, app store, website host and email provider. Motivated by money and information, criminals exploit flaws in the underlying software and information handoffs of each of these players.

Here are two examples of how malicious software (malware)—downloaded through a fake app, a phishing or text message, or from a website—can net the criminals your information.

Text messaging fraud – Cybercriminals have figured out how to incorporate text messaging (SMS) into banking frauds. When you log on to perform a transaction (like checking your balance), banks often send a validation code to your mobile device via SMS. Banks figure if you are logging onto their website through your mobile device, a separate authentication through text messaging will help ensure that it’s really you logging in and provide an extra layer of security. However, mobile malware can collect that validation code and send it, along with your account number, password and “secret” security question to a cybercriminal. The perpetrators repeat this process reliably, victim after victim, bank after bank.

Premium SMS scams. Other malware can run so-called “premium SMS” scams, where you get billed for sending text messages you didn’t consciously send, or receiving messages you didn’t ask for. The malware on your device is doing the communicating—and conceals any confirmation message so you won’t notice until your bill comes. Organized crime networks have the sophistication and relationships to put together these sorts of multifaceted moneymaking schemes.

These guys are good at their jobs—they are truly organized and professional. Everything they do is about monetizing your information—your personal life. That’s why it’s critical for you to educate yourself on why you need mobile security and what scams are out there.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  (Disclosures)

How Hackers Use Our Information Against Us

We hear an awful lot about hackers breaking into systems and taking down networks or stealing millions of data records. The general understanding we have for hacking is bad guys want to disrupt things to make a point or to make money. But how do they really use our personal information against us?

Whether you realize it or not, you expose a lot of your personal information online and even through the technologies you use. From information posted to social networking sites to data sent over unsecured wireless networks, you reveal bits of information that hackers can piece together to either scam or impersonate you.

This information is currency to hackers because it allows them to get what they want—your money. Or worse, a criminal can take your information and make you look really bad and completely tarnish your good name.

With your Social security number they can open various lines of credit under your name and never pay the bills, thus damaging your credit rating and creating a lot of work to for you to clear your name.

If they hack in to your devices and get your usernames and passwords then they can wreak some serious havoc. Banks accounts can be emptied, social media and email accounts can be used to scam your friends or disparage you or your loved ones, and if they access your medical accounts or history, you could be denied services when you need them most.

What all this means is you have to protect your devices and protect your personal information to avoid this from happening. To help protect yourself you should:

Use a firewall – Firewalls filter information from the Internet to your network or computer, providing an important first line of defense. If you have a home wireless network, make sure that the firewall on your router is enabled, and use a software firewall to protect your computer.

Use comprehensive computer security – Because there are a variety of ways in which hackers can access your information, you need to make sure that you employ a comprehensive security solution like McAfee® All Access to safeguard all of your devices.

Educate yourself – Keep up to date about the latest scams and tricks cybercriminals use to grab your information so you can avoid potential attacks.

Use common sense – Follow the old caveats about not clicking on links in emails and instant messages from people you don’t know, and always exercise caution when it comes to sharing any sensitive information.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  (Disclosures)

 

What is a “Drive-By” Download?

Gone are the days when you had to click to “accept” a download or install a software update in order to become infected. Now, just opening a compromised web page could allow dangerous code to install on your device.

You just need to visit or “drive by” a web page, without stopping to click or accept any software, and the malicious code can download in the background to your device. A drive-by download refers to the unintentional download of a virus or malicious software (malware) onto your computer or mobile device.

A drive-by download will usually take advantage of (or “exploit”) a browser, app, or operating system that is out of date and has a security flaw. This initial code that is downloaded is often very small (so you probably wouldn’t notice it), since its job is often simply to contact another computer where it can pull down the rest of the code on to your smartphone, tablet, or computer. Often, a web page will contain several different types of malicious code, in hopes that one of them will match a weakness on your computer.

These downloads may be placed on otherwise innocent and normal-looking websites. You might receive a link in an email, text message, or social media post that tells you to look at something interesting on a site. When you open the page, while you are enjoying the article or cartoon, the download is installing on your computer.

Security researchers detect drive-by downloads by keeping track of web addresses that they know have a history of malicious or suspicious behavior, and by using crawlers to wander the Web and visit different pages. If a web page initiates a download on a test computer, the site is given a risky reputation. Links in spam messages and other communications can also be used as source lists for these tests.

The best advice I can share about avoiding drive-by downloads is to avoid visiting websites that could be considered dangerous or malicious. This includes adult content, and file-sharing websites.  Some other tips to stay protected include:

Keep your Internet browser, and operating system up to date

Use a safe search tool that warns you when you navigate to a malicious site

Use comprehensive security software on all your devices, like McAfee All Access, and keep it up to date

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  (Disclosures)

Why are Cybercriminals Moving from PCs to Mobile Devices?

The number of households in the United States that rely solely on mobile phones continues to increase. As of July 2011, 31% of households had mobile phones and no landlines. Additionally, almost one in six households used mobile phones exclusively or almost exclusively, despite still having a landline.

This is the first time that adults (of any age range) have been more likely to go without landlines. Most likely, in one to two decades, the landline will be as obsolete as the rotary phone is today.

With almost half a billion smartphones shipped, sales of smartphones in 2011 outnumbered sales of all PCs. Tablets are counted as PCs, but they run Google Android and Apple iOS software just like smartphones do. If you add together smartphone and tablet sales, it’s clear the mobile device market is much larger than the traditional PC market.

The growth in sales volume of both smartphones and tablets creates a huge audience for mobile device software developers, both commercial and criminal. And since cybercriminals go where the numbers are, they are moving their attacks to mobile devices.

Whenever there’s a major transition in technology, the uncertainty and newness create a perfect opportunity for scammers to launch attacks. Hackers and other criminals are seizing the opportunity, creating swindles, malicious apps and viruses that suit their criminal purposes. And there’s no reason to expect them to stop before some other technology nudges aside mobile in popularity.

There are approximately 40,000 viruses targeting the Android operating system today. In Android’s young life, that’s astounding compared to a similar lifespan dating back to when Microsoft Windows was first launched.

So you need to make sure you protect yourself, because for most of us, our mobile devices are our most personal computers. Here are some things you should do to protect yourself:

Use a PIN to lock your device and set it to auto-lock after a certain period of time

Only download apps from reputable app stores, and review the app permissions to make sure you’re comfortable with what information on your device the app can access

Don’t store sensitive information on your phone like user names and passwords

If you use online banking and shopping sites, always log out and don’t select the “remember me” function and don’t access these site when using free Wi-Fi connections

Regularly review your mobile statements to check for any suspicious charges. If you do see charges you have not made, contact your service provider immediately.

Never respond to text or voicemail with personal information like credit card numbers or passwords

Never click on a link in an email, social networking site or message from someone you do not know

Use mobile devices security like McAfee Mobile Security, or McAfee All Access which protects all your devices

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  (Disclosures)

What You Should be Aware of When Using Your Android Device

As we all migrate towards using smartphones and tablets, we need to be aware of the risks associated with them. Most of us know that we need to protect our computers with security software, but we don’t always take that precaution with our mobile devices. In fact nearly 75% of Americans do not use mobile security software and 36% of us don’t even use a basic PIN to lock our devices.

And if you’re an Android user there are some things you want to be aware of.

Mobile malware is growing and mostly on Android – Android has become the most popular mobile platform for hackers to target, and this past quarter, McAfee Labs™ found that all new forms of malicious mobile software were aimed solely at the Android operating system (OS).

There are a number of factors why mobile malware is growing rapidly on the Android OS. One of which it is the fastest growing platform and has the largest share of the mobile marketplace, and by nature, cybercriminals go where the large numbers are.

Malicious mobile activity is growing via apps – the mobile malware growth above is mostly from bad apps. And these bad apps can do anything from access your contacts and send them emails to “see” everything you do on your mobile device including typing in your user name and passwords to your financial accounts.

Watch app permissions – Android developers can choose from over 150 different permissions that the app can access on your mobile device. Some of these include turning on your camera and recording what it sees, accessing all your contacts and even accessing your IMEI code (which is like your phone’s Social Security number)! You just need to be aware of the type of app and why it would need to access certain information so it’s not sending your personal information to hackers.

For the moment, the amount of detected smartphone malware is relatively low compared to malware that targets desktop or laptop PCs; but being aware that it exists is the first step toward protecting yourself and your data. Here are some steps you can do to protect yourself:

First and foremost, use a PIN to lock your device.

Like with your computer, be cautious when clicking on links, especially from people you don’t know. And make sure you have web protection software which will prevent you from going to malicious sites.

When downloading apps, do your research and check it out before downloading. Read the ratings and reviews and only purchase apps from well-known reputable apps stores.

When you install an app, make sure you review the permissions it’s accessing on your device. And use an app protection feature that warns you if your apps are accessing information on your mobile that it doesn’t need to.

Install a comprehensive mobile security solution like McAfee Mobile Security that includes anti-malware as well as web protection, anti-theft and app protection features. Or if you want to protect all your devices, including your mobile devices, you can use McAfee All Access that protects all your PCs, Macs, smartphones and tablets.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  (Disclosures)

Criminals Prefer Pheasting on Phish Over Spam

Most of us are aware of spam, and while we may think it’s just an annoyance, what’s really dangerous about it is the fact that most spam are phishing attempts. Phishing is when cybercriminals attempt to fraudulently acquire your personal information, such as passwords and credit card details, by masquerading as a trustworthy person or business in electronic communications, such as email, texts or instant messages.

Criminals have long known there’s a sucker born every minute. In fact, more than 9 million households have had at least one member who gave up their information to phishers. And in the first half of 2012, these cybercriminals netted over $680 million which may be one of the reasons that McAfee Labs™ saw the average number of phishing sites found each day, increase by 70% between January and September of 2012. They also found 3-1/2 times more phishing URLs than spam URLs for the first time ever. This means spam is losing favor (and flavor) to phishing as cybercriminals are tossing out wide phish nets.

Here’s a graphic that explains how phishing works:

capture 2

There are no depleted phish stocks in the sea of scamming, so to protect yourself from phishing you should:

Be suspicious of emails that ask for personal or financial information. Most banks and legitimate businesses will not send you an email asking you to provide this type of information.

If you suspect that an email or chat message may not be authentic, or you don’t recognize the sender, do not click any links included in the message.

Check your bank, credit and debit account statements regularly for any unauthorized transactions. If you notice any suspicious or unfamiliar transactions, contact your bank and/or card issuer immediately.

Make sure to keep your browser and operating system up to date and install any necessary security patches.

Use comprehensive security software, like McAfee All Access, on all your devices and make sure they include a safe search tool that identifies risky websites in email, chat, social networking sites and search engine results to protect you from phishing.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  (Disclosures)

Protect Yourself from Tax Time Scams

Tax season is now upon us, and more than ever, we are opting for the convenience of filing taxes online (81% of us did in 2012). While filing online may be faster and more convenient, there is also some risk that you need to be aware of. During 2012, the IRS discovered  $20 billion of fraudulent refunds, including those related to identity theft, compared with $14 billion in 2011.*

Hackers have developed sophisticated methods to gain access to your financial information, and they are targeting consumer and small to medium sized business owners. Consumers and small businesses are the low-hanging fruit—the path of least resistance—because they don’t usually have as much security in place as larger companies.

The number of daily targeted attacks specifically aimed at small and midsize businesses more than doubled in the first six months of 2012. One of the best ways to help protect yourself is to be aware of these tax time scams. Some of these are:

Phishing scams: Unsolicited emails that appear to be from the IRS or an organization closely linked to the IRS, such as the Electronic Federal Tax Payment System (EFTPS) asking for personal information or stating you are being audited, are not to be trusted. The IRS does not contact taxpayers by email or social media tools. You should report this by sending the email to phishing@irs.gov . You may also see phishing scams from online tax companies like the recent TurboTax scam.

Fake IRS agents: Beware of scammers posing as IRS agents. They contact you via phone or email, and are often prepared with a few personal details (most likely garnered from your trash or social media sites), which they use to convince you of their IRS affiliation. If you are suspicious, check the IRS phishing page at IRS.gov/phishing to determine if it is a legitimate IRS notice or letter.

Rogue tax preparers. Be careful who you use if you have someone prepare your tax return for you. Some of these return preparers have been known to skim off some of your refund or charge inflated fees for getting you a larger return.  Make sure you use a reputable service if you are not doing your own taxes.

Here’s some additional tips that you should follow to protect yourself when filing online:

Protect your data. This means that all sensitive documents, including anything that includes tax or investment records, credit, debit or bank account numbers, or a Social Security number, must be secured from the moment they arrive in your mailbox.

Shred non-essential paperwork. Check with your accountant to determine what you need and what you don’t. Use a cross-cut shredder to destroy unneeded documents.

Go paperless. Whenever possible, opt to receive electronic statements in your inbox. The less paper in your life, the better.

File early. The earlier you file, the more quickly you will thwart any criminal’s attempt to file on your behalf and collect your refund.

Use a clean PC. Make sure you are not using a computer that is infected or does not have any security software. You should also make sure that the computer’s operating system and browser are updated and that you use up-to-date, comprehensive security software like McAfee All Access that protects all your devices.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  (Disclosures)

Fake Friends Fool Facebook Users

The word friend is defined as “one who entertains for another such sentiments of esteem, respect and affection; an intimate associate.” But that definition seems to have gone out the window with the advent of social networks.

Studies show 50% of people will accept a Facebook “friend” or LinkedIn invitation from a total stranger. So do you consider the hundreds of friends on these social networks as people who you have an intimate affection for? Probably not.

This is why fraudsters have set up 15 million fake profiles that are used for spam and fraud. Just about anyone can set up a fake account on just about any website. Facebook and other social media sites are popular targets due to the amount of users on those sites and how much time people spend on those sites.

People share an awful lot of information including their birth date, high school, email, phone number, pet’s name, kids’ names, maiden name and more on social networking sites. The fraudsters then use this information to send you phishing messages to try and get access to your accounts and passwords. And, since these messages appear like they “know” you, they seem more legitimate and you are more apt to trust the message.
capturejcapture k

What can you do? Be a good friend to yourself and your true friends. Protect yourself.

Only friend people you know in the physical world, ones that you like and trust.

Beware of offers with the word “free” or that sound too good to be true.

Stop and think before you click. Be wary of links in chat, text and email as this is one of the main ways hackers can “hook” you.

Protect your devices. Use up-to-date, comprehensive security software on all your devices that has a safe search plug-in to protect you from going to malicious sites.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  (Disclosures)

What is a Botnet?

The word botnet or bot is short for robot network.  A botnet is a group of Internet-connected personal computers that have been infected by a malicious applica­tion (malware) that allows a hacker to control the infected computers or mobile devices without the knowledge of the device owners. When malware is launched on your computer or mobile device, it “recruits” your infected device into a botnet, and the hacker is now able to remotely control your device and access all the data on your device.

A botnet can consist of as few as ten computers, or tens or hundreds of thousands. Millions of personal computers are potentially part of bot­nets. Computers that aren’t properly secured are at risk of being turned into bots, or zombies.

Consumers’ and small businesses’ relaxed secu­rity practices give scammers a base from which to launch attacks, by allowing them to create botnets without being detected. Hackers use bot­nets to send spam and phishing emails and to deliver viruses and other malware and thus make money.

Here’s a graphic that explains how your device could easily become a “zombie” computer or part of a botnet.

Zombie-EN11

To stay protected, you should:

Don’t click on links from people you don’t know

Be cautious downloading content from peer-to-peer sites

Be wary of free downloads (is it really free?)

Keep your operating system and browser updated

Make sure you have updated security software for all your devices, like McAfee All Access

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  (Disclosures)

More Than 30% of People Don’t Password Protect Their Mobile Devices

Are you guilty as charged?

Whenever I bring this up in a group setting, it astonishes me how many people raise their hands. I wonder if they realize that they are putting all the personal information contained on their mobile device at risk. The unfortunate reality is that everyone loses things, and our devices can get stolen. And when that happens to your smartphone or tablet, it can be devastating.

Many of us use upwards of ten apps on our devices during a typical week. The majority of these apps are logged into our most critical accounts including email, text, banking, social media, payment apps and others that are linked to our credit cards. And because mobile app developers know that we are more apt to use their programs if they are easy to access and convenient to use, a lot of apps are programmed to automatically keep you logged in for days, weeks, months, or until you manually revoke access.

If your devices are not password protected and are then lost or stolen, your accounts are 100% accessible to whoever has control of your device. This is bad—and yet, 36% of us still do not use password protection!

According to a recent global survey by McAfee and One Poll, consumers seem largely unconcerned about keeping data on their mobile devices safe. For example, only one in five respondents have backed up the data on their smartphone and tablet, and more than one in ten (15%) save password information on their phone. This means that if their phone falls into the wrong hands, they risk opening up all sorts of personal information such as bank details and online logins to whoever finds the device.

Setting up a password or PIN is no guarantee that data will stay safe, and over half (55%) of all respondents admitted that they have shared these details with others, including their kids.

What’s particularly interesting is that men and women also behave differently with their mobile devices, not only in terms of how much risk they are willing to take, but also in terms of what they value.

Here are a few steps to make sure you and your mobile devices stay protected:

Password protect all your devices (and don’t use easy ones like 1234 or 1111)

Never use the “remember me” function on your apps or mobile web browser, and take care to log out of your accounts

Consider not sharing your PIN/password—this might be a tough one, but in the long run it will save you from possible heartacheUse a mobile security product like McAfee Mobile Security (and also McAfee All Access), that has not only anti-malware, but web protection and app protection. With app protection, not only are you warned if your apps are accessing information on your mobile that they shouldn’t, but in the event that someone does unlock your device, you can ensure your personal information remains personal by locking some or all of your apps

Stay educated on the latest ways to protect your mobile device. For a fun quiz to help you learn about mobile security, visit the McAfee Facebook page. Play the Mobile Mythbusters quiz and get a chance to win a Galaxy Tablet or Kindle Fire!

And if you’re at Mobile World Congress, stop by and see McAfee in Hall 3, Stand C34. If you show our team in the red shirts that you’ve liked them on Facebook or followed them on Twitter, you’ll get a prize!

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!Disclosures.