Mobile Ransomware Has Mushroomed: Report

The number of mobile ransomware victims across the globe has increased fourfold compared to a year ago, suggests a Kaspersky Lab report released last week.

Kaspersky software protected 136,532 users targeted by ransomware from April 2015 to March 2016 — up from 35,413 in the year-ago period, the company said.

“The growth curve may be less than that seen for PC ransomware, but it is still significant enough to confirm a worrying trend,” the report notes.

It identifies several factors contributing to the growth of ransomware in general:

  • First, people are willing to pay the ransoms.
  • Second, the value of the information stored on digital devices is so high now that paying a ransom to recover it is more cost-effective than not paying the ransom.
  • Third, law enforcement is having difficulty responding to the problem.
  • Fourth, new payment tools make it easier for extortionists to collect ransoms.

Risky Business

Collecting money from victims always has been problematic for online criminals, the report notes.

Some criminals have tried to use legitimate systems to harvest their money.

“The problem for criminals is that legitimate payment systems, reacting to the rise in fraudulent payments, have started to track and block suspicious transactions, making money transfer a far more risky business for cyber-crooks,” the report explains.

Others have tried to use underground or semi-legal payment systems with equally unsatisfactory results.

“With underground and semi-legal payment systems the problem is that no guarantees are given to the users of such systems (no refunds, no protection from other criminals) and the privacy of these transactions is also always questionable,” notes the report.

However, with the rise of cryptocurrencies, like bitcoin, the payment landscape changed. For the first time, information highwaymen had a dependable way to obtain ill-gotten gains.

“Criminals have started to exploit the advantages of crypto-currencies over other types of e-currency: anonymity and a distributed nature, which both allow them to hide fraudulent transactions and make it impossible for a law enforcement agency to do anything …,” the report explains.

“These features help to support individual privacy rights but, unfortunately also give cybercriminals a very reliable and secret payment tool,” it continues. “The main outcome of this is that ransomware has become the new black in the underground.”

Encryption vs. Locking Screen

Although some mobile ransomware strains emulate their personal computer counterparts and encrypt all the data on a phone, that’s not the typical MO for wireless extortionists.

“With a PC, the ransomware encrypts your files, encrypts your backup and leaves everything as garbage on your machine and then [demands] a ransom payment,” explained Ryan Naraine, head of the global research and analysis team at Kaspersky Lab.

“On mobile, in some cases they’re doing encryption, but in most cases, they’re just locking the screen and not allowing you to get into the phone at all,” he told TechNewsWorld. “It’s the same model. You make the end user completely desperate to get access to his files, and that desperation leads to paying the ransom.”

However, if a mobile user has a backup of the phone’s data or isn’t concerned about preserving the data on it, then the ransomware can be defeated by doing a hard reset of the phone.

Protect Yourself

Following are Naraine’s tips for users who want to reduce the risk of being infected with ransomware:

  • Never download apps from anywhere but the Google Play store.
  • Patch Android and applications as soon as upgrades are available.
  • Use common sense when granting permissions to an application.

“If you download a flashlight app,” Naraine said, “and it’s asking for access to your contact list, that should raise a red flag to a user.”

IRS Ditches PIN Program

After shutting down its Electronic Filing PIN program earlier this month, the IRS last week announced that it’s readying a more secure solution for next year’s tax season.

The solution includes expansion of the agency’s pilot program to add 16-digit verification codes to W-2 forms.

Although the IRS originally had planned to shutter its Electronic Filing PIN program later this year, it decided to act earlier because of stepped-up attacks on the system in recent weeks.

The service earlier this year revealed that tax thieves had used stolen Social Security numbers and a program to guess PINs to compromise 100,000 taxpayer logins.

Still, the IRS stopped more fraud this year than last — US$1.1 billion, compared to $350 million.

IRS Confidence Shaky

The IRS’ decision to kill its PIN program ahead of schedule may embolden attackers.

“This is an admittance of failure and a step backward for usability,” said Rami Essaid, CEO of Distil Networks.

“It signals that they are not confident in their security posture and will likely lead the attackers to continue to explore other vulnerabilities,” he told TechNewsWorld.

The PIN system was flawed from the start, Essaid maintained. “They did not implement an effective bot detection and mitigation service, nor did they instrument their Web application with the proper security logic to identify and track automated brute force and credential cracking attacks.”

Any efforts by the IRS to create a more secure PIN system will need to recognize the realities of the current threat environment.

“Authentication has always been a significant target for attack in IT,” explained Tim Erlin, director of IT security and risk strategy at Tripwire.

“When an organization offers a service to the public that’s protected with some kind of authentication, it’s going to be a target,” he told TechNewsWorld. “Breaches are a fact of life these days, and every organization needs to have a response plan in place before they are affected.”

Breach Diary

  • June 26. A hacker with the handle “thedarkoverlord” has posted for sale on the Real Deal marketplace some 655,000 records from three health care organizations in the United States, Motherboard reports. Motherboard verified a small sample of the data the hacker provided to it, and it appeared to be genuine.
  • June 27. Hard Rock Hotel & Casino in Las Vegas announces customers who used their payment cards between October 27 and March 21, 2015, are at risk from malware that scraped information from the point-of-sale system used by some restaurants and retail outlets at the facility.
  • June 27. Uber withdraws subpoena of information related to a data breach at Uber in which employees of competitor Lyft allegedly were involved.
  • June 27. Ten percent of those affected by data breach at federal Office of Personnel Management involving records of 21.5 million people have yet to be notified they were victims, The Washington Post reports.
  • June 28. Blancco Technology Group releases research showing 67 percent of second-hand hard drives sold on eBay contain personally identifiable information and 11 percent contain sensitive corporate data.
  • June 28. UK Information Commissioner’s Office reports it nearly doubled the fines collected from violators of country’s data protection rules to Pounds 2 million in 2015 from Pounds 1.1 million in 2014.
  • June 28. Noodles & Co. announces a compromise of its point-of-sale systems has placed at risk payment card information of customers who did business with the fast-casual restaurant chain between January 31 and June 2.
  • June 28. Pandora advises its members to reset their passwords after finding some of their passwords in data breach data from other services posted to the Web.
  • June 29. Massachusetts General Hospital in Boston begins notifying some 4,300 patients that their personal information is at risk following the discovery of a data breach at a third-party provider, Patterson Dental Supply.
  • June 29. Credit Union National Association announces it is joining a class action lawsuit against Wendy’s over a data breach of the point-of-sale systems at some of its fast food restaurants.
  • June 29. A copy of a purported terrorist database maintained by Thomson Reuters has been posted online where anyone can look at it, The Register reports. The World-Check database reportedly is used by 49 of the world’s 50 largest banks and 300 government and intelligence agencies to block those on the list from accessing the global banking system.
  • June 29. Credentials, profiles, and more than half a million messages of nearly 150,000 users of Muslim Match have been posted to the public Internet, Motherboard reports, noting that a test of email addresses randomly selected from the cache of data suggests it is current and genuine.
  • July 1. Thomas White, who is known by the handle “Cthulhu,” posts to Internet a torrent file containing 427 million passwords belonging to some 360 MySpace users stolen in a 2013 data breach.
  • July 1. Catholic Health Care Services of the Archdiocese of Philadelphia has agreed to pay $650,000 to settle enforcement action by U.S. Department of Health and Human Services after theft of a mobile device compromised health information of hundreds of nursing home residents, Healthcare Finance News reports.

Upcoming Security Events

  • July 14. What’s in an Email? Your Attacker’s Footprint, for Starters. 2 p.m. ET. Webinar by RiskIQ. Free with registration.
  • July 16. B-Sides Detroit. McGregor Memorial Conference Center, Wayne State University, Detroit. Free with advance ticket.
  • July 23. B-Sides Asheville. Mojo Coworking, 60 N. Market St, Asheville, North Carolina. Cost: $10.
  • July 30-Aug. 4. Black Hat USA. Mandalay Bay, Las Vegas, Nevada. Registration: before July 23, $2295; before Aug. 5, $2,595.
  • August 2-3. B-Sides Las Vegas. Tuscany Suites, Las Vegas, Nev. Registration: limited free badges at door.
  • August 25. Chicago Cyber Security Summit. Hyatt Regency Chicago, 151 E. Wacker Drive, Chicago. Registration: $250.
  • Sept. 7. FTC Fall Technology Series: Ransomware. 1 p.m. Constitution Center, 400 7th St. SW, Washington, D.C. Free.
  • Sept. 8. SecureWorld Cincinnati. Sharonville Convention Center, 11355 Chester Rd., Cincinnati, Ohio. Registration: conference pass, $195; SecureWorld plus, $625; exhibits and open sessions, $30.
  • Sept. 10. B-Sides Augusta. J. Harold Harrison MD, Education Commons, 1301 R.A. Dent Blvd., Augusta, Georgia. Tickets: $20.
  • Sept. 14-15. SecureWorld Detroit. Ford Motor Conference and Event Center, 1151 Village Rd., Dearborn, Michigan. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
  • Sept. 15. B-Sides St. John’s. Capital Hotel, 208 Kenmount Rd., St. John’s, Newfoundland, Canada. Free with registration.
  • Sept. 17. B-Sides St. Louis. Moolah Shrine, St. Louis, Missouri. Free.
  • Sept. 21. New York Cyber Security Summit. Grand Hyatt New York, 109 E. 42nd St., New York, N.Y. Registration: $250.
  • Sept. 26-28. The Newport Utility Cybersecurity Conference. Pell Center and Ochre Court, Salve Regina University, Newport, Rhode Island. Registration: before July 26, $1,200; after July 25, $1,600.
  • Sept. 27-28. SecureWorld Dallas. Plano Centre, 2000 E. Spring Creek Pkwy., Plano, Texas. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
  • Sept. 29-30. B-Sides Ottawa. RA Centre, 2451 Riverside Drive, Ottawa, Canada. Free with registration.
  • Oct. 11-14. OWASP AppSec USA. Renaissance Marriott, 999 9th St. NW, Washington, D.C. Registration: Nonmember, $750; student, $80.
  • Oct. 17-19. CSX North America. The Cosmopolitan, 3708 Las Vegas Blvd. South, Las Vegas. Registration: before Aug. 11, ISACA member, $1,550; nonmember, $1,750. Before Oct. 13, member, $1,750; nonmember, $1,950. Onsite, member, $1,950; nonmember, $2,150.
  • Oct. 18-19. Edge 2016 Security Conference. Crowne Plaza, 401 W. Summit Hill Drive, Knoxville, Tennessee. Registration: before August 15, $250; after August 14, $300; educators and students, $99.
  • Oct. 20. Los Angeles Cyber Security Summit. Loews Santa Monica Beach Hotel, 1700 Ocean Ave., Santa Monica, California. Registration: $250.
  • Nov. 1-4. Black Hat Europe. Business Design Centre, 52 Upper Street, London, UK. Registration: before September 3, Pounds 1199 with VAT; before October 29, Pounds 1559 with VAT; after October 28, Pounds 1799 with VAT.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
