Bad Ads Outstrip Porn as Mobile Phone Infection Vectors
Mobile ads increasingly are being used as part of many social engineering attacks. "Malvertising is a very effective way to infect unsuspecting users with malware, because it can exploit browser vulnerabilities both known and unknown," said Dana Tamir, director of enterprise security at Trusteer. One way to foil malvertisers is with an ad blocker, though it's a partial solution at best.
03/11/14 7:20 AM PT
Trawling porn sites used to be the best way to pick up an electronically transmitted disease on your smartphone. That's not the case anymore.
Every one in five times a mobile user is redirected to a malware site on the Internet, it's done through a malicious ad, according to a report released last week by Blue Coat. That's three times what it was two years ago.
One reason malicious ads have been able to outperform porn sites is they can garner more traffic than the smut peddlers.
"We're seeing a shift in mobile user behavior," said Sasi Murthy, vice president of product marketing security at Blue Coat.
"We're seeing an increase in recreational usage for mobile users around shopping and entertainment," she told TechNewsWorld. "When we contrast that with the desktop world, recreational usage for mobile users is double."
"Our friends in the cybercrime world are going to be focused on the same kinds of behaviors we are -- but for different purposes -- and set their strategies based on those behaviors," she continued. "So it makes perfect sense from a cybercrime strategy to start to use a vector like malvertising."
Increasingly, mobile users are being subjected to more ads -- even more so than PC users -- as sites everywhere continue to refine their mobile advertisement strategies, the report notes. "This is a particularly worrying trend as it coincides with a significant increase in malvertising."
While mobile users are not yet subject to the same drive-by downloads that PC users face, the report acknowledges, mobile ads increasingly are being used as part of many social engineering attacks.
Making matters worse, the increased frequency of mobile ads conditions users to see them as normal, which makes users more vulnerable to the attacks that are launched through ads, it points out.
"Malvertising is a very effective way to infect unsuspecting users with malware, because it can exploit browser vulnerabilities both known and unknown," Dana Tamir, director of enterprise security at Trusteer, told TechNewsWorld.
One way to foil malvertisers is with an ad blocker, although they have been known to prevent some Web pages from executing properly.
"Ad blockers can lessen the chance of infection a ton," Gary McGraw, CTO of Cigital, told TechNewsWorld, "but it's not going to solve the problem."
"The real answer," he said, is "you shouldn't surf around randomly with a machine that has content on it you care about."
Sky Not Falling
The clock is ticking for Windows XP users: Microsoft is cutting off support to the operating system on April 8. That means no more security updates, but it doesn't mean the end of the world for XP hangers-on.
"The sky isn't going to fall -- at least not right away," Sean Sullivan, a security researcher with F-Secure Labs, told TechNewsWorld.
The big problem with Windows XP, which is running on around 20 percent of the PCs in the developed world, is that if it gets infected, it's difficult to disinfect, because the OS contains fewer technologies that make life difficult for malware compared to later versions of Windows.
"Once an XP machine is infected with malware, it can really get rooted in," Sullivan explained. "That's been the problem in the past and it will be the problem post-April 8."
Nevertheless, some Cassandras have been predicting an Xpocalypse after the cutoff date. They believe hackers are sitting on their choicest XP exploits and will unleash them when they know Microsoft won't be coming to the rescue of the users of the orphaned OS.
"I'm skeptical of that," Sullivan said. "Most of the vulnerabilities have already been traded in the market. I don't think there's anything that's going to be sprung on consumers."
That doesn't mean there won't be any new XP issues.
"If something wormable is released in May, then we're going to have a real problem," Sullivan said.
Data Breach Diary
- March 3. Twitter resets passwords of less than 1 percent of its users due to a system error.
- March 3. Sands Casino location in Bethlehem, Pa., notifies tens of thousands of slot and table game players registered with the gambling facility that their Social Security and driver's license numbers, and possibly credit card and banking info, may have been exposed during a data breach in February.
- March 3. eSecurity Planet reports L.A. Care Health Plan is informing an undisclosed number of customers that their personal information may have been compromised by a manual information processing error that allowed some members of the plan to see payment of other members at the plan's website.
- March 4. AppRiver releases survey results showing that 71.4 percent of security professionals believe that the most frequent point of failure for IT security is people.
- March 5. Federal prosecutors drop most charges against Barrett Brown, a self-proclaimed spokesperson for the hacker collective Anonymous. Brown still faces charges of possession of stolen credit card numbers with intent to defraud and threatening an FBI agent.
- March 5. Target Chief Information Officer Beth Jacob resigns. During her time on the job, Target suffered one of the largest data breaches in history of networked computing, with 40 million payment card numbers compromised and 70 million customer records stolen.
- March 5. SailPoint releases survey results showing that 82 percent of companies have embraced BYOD, but 41 percent of those companies do not have controls in place to manage those devices. Forty-six percent of companies are unable to manage employee access to applications across their full IT infrastructure, based on the poll.
- March 6. Comics fan site Comixology resets all its members passwords after a data breach compromises a database containing user names, email addresses and encrypted passwords.
- March 6. Lookout discovers app in Google Play Store containing Dendroid, a Remote Access Toolkit for Android devices. The malware can take pictures using a phone's camera, record audio and video, download existing pictures, record calls, send texts and more. Although the app evaded Google's initial detection systems, it subsequently was removed from Google Play by Google.
- March 7. Electronic Privacy Information Center and the Center for Digital Democracy file objection with Federal Trade Commission to FaceBook purchasing WhatsApp for US$19 billion because it will violate WhatsApp users' understanding of their exposure to online advertising and constitutes an unfair and deceptive trade practice.
Upcoming Security Events
- March 10-11. BSides Vancouver 2014. Best Western Plus Chateau Granville, Vancouver, BC. Free.
- March 12-23. ICS Security Summit. Contemporary Hotel, Lake Buena Vista, Fla. Sponsored by SANS. Cources range from $1,700-$4,595.
- March 13. Security in the Era of the Internet of Things. 10 a.m. ET. Webinar sponsored by the Information Security Forum. Free with registration.
- March 18. Cybersecurity: Collaborate, Comply, Conquer. Virtual conference sponsored by ISACA. Free with registration.
- March 20. 2014 Security Pressures Survey. 7 a.m. ET. Webinar sponsored by Trusteer.
- March 20. The Hidden Cost Of Customer Data: The More You Have, The More You Have To Lose. 2 p.m. ET. Black Hat Webcast. Free with registration.
- March 20-21. Suits and Spooks Singapore. Mandarin Oriental, 5 Raffles Ave., Marina Square, Singapore, and ITU-IMPACT Headquarters and Global Response Center, Cyberjaya, Malaysia. Registration: Singapore and Malaysia, by Jan. 19, $415; after Jan. 19, $575. Singapore only, by Jan. 19, $275; after Jan. 19, $395.
- March 20-21. BSides Austin. WinGate Williamson Conference Center, Round Rock, Texas. $10 per day; students free.
- March 25. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
- March 29-30. BSides Mumbai.Mumbai World Trade Centre, Cuffe Parade, Mumbai. 5,000 Indian rupees.
- March 25-28. Black Hat Asia. Marina Bay Sands, Singapore. Registration: by Jan. 24, $999; by March 21, $1,200; by March 28, $1,400.
- April 1-2. SecureCloud 2014. Amsterdam RAI Convention Centre, Amsterdam, Netherlands. Registration (includes VAT): Through Feb. 14, 665.50 euros, government; 847 euros, business; After Feb. 14, 786.50 euros, government; 1,089 euros, business.
- April 1-3. 13th European Security Conference & Exhibition. World Forum, the Hague, the Netherlands. Registration: ASIS members, 970 euros; non-members, 1170 euros.
- April 4-5. BSidesPR 2014. San Juan, Puerto Rico. Free.
- April 5. BSidesROC 2014. German House, 315 Gregaory St., Rochester, N.Y. Free with registration.
- April 5-6. BSides Orlando 2014. Wyndham Orlando Resort, Orlando, Fla. Ticket: $20.
- April 5-14. SANS 2014. Walt Disney World Dolphin Resort, Orlando, Fla. Job-based long courses: $3,145-$5,095. Skill-based short courses: $575-$3,950.
- April 8. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
- April 8-9. IT Security Entrepreneurs' Forum. Computer History Museum, 1401 North Shoreline Boulevard, Mountain View, Calif. April 8 workshops and April 9 forum and reception, $595. Forum and reception only, $495. Government employees, free. Students, $195.
- April 11-12. Women in Cybersecurity Conference. Nashville, Tenn.
- April 17-18. Suits and Spooks San Francisco. Fort Mason in the Firehouse, San Francisco. Registration: Through March 10, $380. After March 10, $575.
- April 26. BSides Chicago 2014. The Abbey Pub, 3420 W. Grace, Chicago. Free.
- April 27-28. BSides Dubai 2014. Free.
- April 29. BSides London 2014. Kensington & Chelsea Town Hall, Horton Street, London. Free.
- April 29. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
- May 20. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
- June 3. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
- June 5. Cyber Security Summit. Sheraton Premiere, Tysons Corner, Va. Registration: $250; government, $50.
- June 24. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
- Aug. 2-7. Black Hat USA. Mandalay Bay, Las Vegas. Registration: thru June 2, $1,795; thru July 26, $2,195; after July 26, $2,595.
- Sept. 17-19. International Association of Privacy Professionals and Cloud Security Alliance Joint Conference. San Jose Convention Center, San Jose, Calif.
- Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.
- Sept. 29-Oct. 2. ASIS 2014. Georgia World Congress Center, Atlanta. Registration: through Aug. 29, member or government, $895; non-member, $1,150. After Aug. 29, member and government, $995; non-member, $1,250.
- Oct. 29-31. RSA Conference Europe. Amsterdam RAI, Amsterdam. Registration: thru Oct. 27, 1,095 euros plus VAT; after Oct. 27, 1,295 euros plus VAT.