Happy holidays: mobile maliciousness

2009-11-01

Ken Dunham

iSIGHT Partners, USA
Editor: Helen Martin

Abstract

'Social engineering threats are a notable concern for mobile device users and are always escalated during the holiday period.' Ken Dunham, iSIGHT Partners.


Since the advent of Timofonica in 2000 there has been a buzz about mobile malicious threats. A boom of mobile malicious code development in 2004 resulted in infections in dozens of countries and thousands of devices. While this was troubling, a more significant and worrying trend driven by financial fraud is now exploiting the mobile device vector.

There has been a rapid surge in the adoption of mobile solutions such as Blackberry, iPhone and countless other smartphone devices since 2006. Millions of mobile device users rely on their hand-held solutions not only for voice communications but also to perform online banking, surf the Internet, check their email, and more. The reliance on and trust of such devices by the average consumer presents fraudsters with great opportunity.

Starting with more traditional forms of fraud, many ‘knock-off’ models of mobile devices exist globally, produced and sold to undercut legitimate products with cheaper phones that apparently offer increased functionality. This type of brand-based fraud significantly affects the mobile device market and is difficult for consumers to identify.

Social engineering threats are also a notable concern for mobile device users and are always escalated during the holiday period: targeted attacks are common and are potentially a higher risk at this time of year because of what people communicate to one another, and how. ‘Check this out’ and ‘holiday greetings’ are likely spoofed lures for criminals targeting individuals with mobile malicious code. Ring-tone-themed malcode lures will almost certainly appear again during the 2009 holiday period, affecting both PCs and mobile devices. Old-school social engineering tricks such as offering pornographic downloads are still used to trick users into installing mobile diallers that place outbound calls to premium-rate lines at the victim’s expense. The social engineering vectors are almost limitless, as are the criminals’ opportunities for financial fraud.

Mobile device users are now receiving phone calls, SMS messages and emails requesting their credit card or other sensitive details. Fraudsters often already hold everything they need for card fraud except the CVV number, and may engineer a call to the victim to obtain it. In more advanced cases fraudsters have been known to call victims and ask for the one-time password (OTP) currently shown on the victim’s token. If the victim reads out the OTP, the fraudsters cash out in real time, often while the victim is still on the phone with them.
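The reason a read-out OTP is so valuable is that a plain counter- or time-based OTP authenticates the session, not the transaction: whoever holds the six digits can submit any transfer. The following is an added example, not code from the article or from iSIGHT Partners, that contrasts an RFC 4226 HOTP with a hypothetical transaction-bound code (the MAC also covers the destination account and amount the user keys into the token). The secret, account numbers and amounts are constructed for the demo; `Bank`, `transaction_code` and the look-ahead window of 10 are assumptions, not any real bank's scheme.

```python
import hashlib
import hmac
import struct

# Constructed demo values (not real): the RFC 4226 test secret, a victim payee
# and a fraudster's mule account.
SHARED_SECRET = b"12345678901234567890"
VICTIM_PAYEE = "GB00-VICTIM-PAYEE-0001"
MULE_ACCOUNT = "GB00-MULE-ACCOUNT-9999"
LOOKAHEAD = 10          # assumed server-side window for out-of-sync tokens
DIGITS = 6


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 4 bytes at offset (last nibble), high bit cleared."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def transaction_code(secret: bytes, counter: int, dest: str, amount_cents: int,
                     digits: int = DIGITS) -> str:
    """Hypothetical transaction-bound code: the MAC covers counter + destination
    + amount, so the code only authorises that specific transfer."""
    msg = struct.pack(">Q", counter) + dest.encode() + struct.pack(">Q", amount_cents)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac, digits)


class Bank:
    """Minimal server side: keeps the next expected counter per customer."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def _check(self, code: str, expected) -> bool:
        # Look ahead a few counters; accept and resync on a constant-time match.
        for c in range(self.counter, self.counter + LOOKAHEAD):
            if hmac.compare_digest(expected(c), code):
                self.counter = c + 1
                return True
        return False

    def authorize_plain(self, code: str, dest: str, amount_cents: int) -> bool:
        # dest/amount are ignored by the check: the OTP is not bound to them.
        return self._check(code, lambda c: hotp(self.secret, c))

    def authorize_bound(self, code: str, dest: str, amount_cents: int) -> bool:
        return self._check(code, lambda c: transaction_code(self.secret, c, dest, amount_cents))


def simulate_plain_otp_fraud() -> bool:
    """Victim reads the code on their token to the caller; caller cashes out to a mule."""
    bank = Bank(SHARED_SECRET)
    token_display = hotp(SHARED_SECRET, 0)        # what the victim's token shows
    return bank.authorize_plain(token_display, MULE_ACCOUNT, 250_000)


def simulate_bound_otp_fraud() -> bool:
    """Same call, but the victim's token only ever produced a code for their own payee."""
    bank = Bank(SHARED_SECRET)
    victim_code = transaction_code(SHARED_SECRET, 0, VICTIM_PAYEE, 12_000)
    return bank.authorize_bound(victim_code, MULE_ACCOUNT, 250_000)


def legitimate_bound_transfer() -> bool:
    """The bound code still works for the transfer the victim actually intended."""
    bank = Bank(SHARED_SECRET)
    code = transaction_code(SHARED_SECRET, 0, VICTIM_PAYEE, 12_000)
    return bank.authorize_bound(code, VICTIM_PAYEE, 12_000)


if __name__ == "__main__":
    print("plain OTP, read out to fraudster, authorises mule transfer:", simulate_plain_otp_fraud())
    print("transaction-bound code, read out to fraudster, authorises mule transfer:", simulate_bound_otp_fraud())
    print("transaction-bound code, legitimate transfer:", legitimate_bound_transfer())
```

With a plain OTP the fraudster's transfer succeeds; with a transaction-bound code it fails unless the victim is talked into keying the mule account number and amount into their own token, which makes the fraud visible at the point where the victim can still refuse.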

Vishing attacks are also on the rise: VoIP technology is used to automate out-of-band broadcast calls to large numbers of mobile devices and/or landlines. The goal is to trick users into keying sensitive details into an interactive voice response (IVR) or softphone system hosted on a remote VoIP server. Many consumers do not understand this attack vector, nor how easily caller ID can be spoofed over VoIP. Even when reported, these attacks are typically over by the time the authorities attempt to stop and/or investigate them.

As you prepare for the holiday rush, are you planning on purchasing a smartphone device for yourself or as a gift for a loved one? Can you be sure it’s a legitimate phone from a trusted brand? After purchasing the device do you know the common best practices for that device to limit the threat vectors? Are you fully aware of the numerous ways that fraudsters will attempt to compromise your device or trick you into revealing sensitive information for financial fraud?

While VB readers will understand these threats rather well, most average users of smartphone devices do not and will never understand all of the above (nor want to). The security challenges that lie ahead of our industry are great in light of the challenges identified to date for the mobile market.

