The internet has dissolved the geographical boundaries and technological limitations that have constrained organized crime in the past.
We now live with crime syndicates based in Russia, espionage sponsored by Asian nation-states, and botnets for sale on the black market as criminals connect anonymously around the globe.
Cybercriminals are organizing like never before—constantly learning from each other as they connect by sharing software toolkits, infected (“zombie”) computers they control, and industry insight. When one person or group finds a security exploit, other criminals take advantage of it before security and other software vendors know there’s a problem.
When hackers in the US are sleeping, the ones in China are flexing their fingers on their keyboards, and the ones in Eastern Europe are waking up. Cybercrime never stops.
The brave—and ballooning—new world of smartphones and tablets offers tremendous scope and volume for these organizations. Mobile devices run different operating systems and application software than PCs and Macs, which presents opportunities to create new device-specific attacks. Even more interesting, mobile devices require an entire ecosystem of businesses to make them work. Data you transmit or receive has to make it through a conga line of companies that can include your device manufacturer, wireless carrier, app developer, app store, website host and email provider. Motivated by money and information, criminals exploit flaws in the underlying software and information handoffs of each of these players. If a user also accesses work data and systems from a personal device, the rewards could be twice as great.
Here are two examples of how malware—downloaded through a fake app, a phishing or text message, or from a website—can net the criminals your information.
Text messaging fraud.
Some criminals have figured out how to incorporate text messaging into banking frauds. When you log on to perform a transaction (like checking your balance), banks send a validation code to your mobile device through text messages. Banks figure if you are logging onto their website through your mobile, a separate authentication through text (SMS) messaging (not the website) will ensure that it’s really you. However, mobile malware can collect that SMS code and get the information to the criminal, along with your account number, password and “secret” security question. The perpetrators repeat this process reliably, victim after victim, bank after bank.
Premium SMS scams.
Other malware can run so-called “premium SMS” scams, where you get billed for sending text messages you didn’t consciously send, or receiving messages you didn’t ask for. Your malware does the communicating—and conceals any confirmation message or premium SMS messages so you won’t notice until the bill comes. Organized crime networks have the sophistication and relationships to put together these sorts of multifaceted moneymaking schemes.
These guys are good at their jobs—they are truly organized and professional. Everything they do is about monetizing your information—your personal life.
Read more posts by Robert Siciliano, Online Security Expert to McAfee and blogger for JenningsWire.
