Online malicious activity was a major headache in 2010, and so far, 2011 is no different: We’ve seen scams and malware on Twitter, Facebook, and the Android Market, as well as a rise in politically motivated online attacks. But that’s no surprise to security experts such as Graham Cluley, senior technology consultant for security firm Sophos. Cluley says that Sophos analyzes about 95,000 pieces of malware every day that is either brand-new or a variant of an older attack.
The bad guys are hard at work figuring out new ways to infect your system. The good news is that the latest antivirus programs do a better job than ever at detecting suspicious activity before it can damage your computer.
But security software can’t always protect you; sometimes the best defense is a dose of common sense and a little bit of knowledge about what to watch out for. Whether it’s fake antivirus scams, malware on social networks, or good old-fashioned e-mail attachments loaded with viruses, it pays to be on your toes so you don’t end up becoming a victim to identity theft, a raided bank account, or even a home invasion.
So here’s a look at 2011’s five big security threats, and the steps you can take to avoid becoming a victim.
As recently as March 1, more than 50 third-party applications on Google’s official Android Market contained a Trojan called DroidDream. When you run a DroidDream application for the first time, the malware gains administrator access over your phone without your permission, according to mobile security firm Lookout. That means it could download more malicious programs to your phone without your knowledge and steal data saved on your device.
Google was able to stop the DroidDream outbreak by deleting the bad apps from the Market and remotely removing malicious apps from Android users’ devices, but it’s only a matter of time before the next outbreak occurs.
And malicious apps on the Android Market aren’t the only way that malware authors can target phones: A recent Android malware outbreak in China spread through repackaged apps distributed on forums or through alternative app markets.
The threat of malware, coupled with other security threats (such as data leakage from a lost phone) may soon impact your ability to use personal devices at work, according to Andrew Jaquith, chief technology officer of Perimeter E-Security. Companies may begin to set some serious ground rules for putting company data on personal mobile devices by enforcing “policies for passwords, device locking, remote wipe, and hardware encryption,” Jaquith says.
Protect yourself: You can’t trust that all apps on the Android Market are malware free. Make sure you read app reviews in the Market and on reputable app review sites such as PC World’s AppGuide. And avoid installing any applications you get from unknown sources. That .apk file may be titled “Fruit Ninja” but in reality is a Trojan horse waiting to be unleashed. Don’t forget that a number of mobile antivirus apps are available for Android, and it may be wise to have at least one installed on your phone.
Also, read an app’s permissions screen carefully–it details what kinds of data an Android application can access (Google makes it mandatory for developers to have a complete list of permissions for every feature that an app has access to on your phone). You can find this list on every app’s page in the Android Market (it appears right after you tap the button to download an app). See if you can uncheck undesirable permissions. If you’re downloading a wallpaper application, for example, chances are it doesn’t need to know your exact location.
iOS users aren’t off the hook, either: Some bad actors have slipped by Apple’s censors in the past despite the company’s third-party app-vetting process. Over the summer, for example, a flashlight app that had hidden functionality got approved to the App Store. The actual risk may be low, but it isn’t impossible for a seemingly legit app to have some hidden, malicious capabilities.
Threat 2: Social Network-Based Scams
Social networks such as Facebook and Twitter may be a great place to connect with friends, but they are also a breeding ground for malicious activity. Cluley says some of the most rapid growth in online attacks comes from social networks. In November, antivirus maker BitDefender made a similar statement, saying 20 percent of all Facebook users are active targets of malware.
Social network scams often take the form of phishing attacks that try to lure you in with photos or videos, and harvest your personal information or Facebook login–or worse, infect your PC with malware–along the way. Often, these links will come from Facebook friends who fall victim to these scams. You could also run across rogue Facebook applications that try to access your Facebook data and that of your friends.
While it’s probably no big deal if scam artists find out what your favorite movies or quotes are, your profile may contain critical data–such as your date or place of birth, cell phone number, and e-mail address–that can be used to build a profile about you and even steal your identity. Such bits of information may be the final data point a bad actor needs to impersonate you online.
You could even become a specific target for criminals through social networks. In September, three young men ran a burglary ring in Nashua, New Hampshire, by looking at Facebook postings about people going out and then targeting homes they believed were likely to be empty. Police said they recovered over $100,000 in stolen property after cracking the ring, according to New Hampshire’s WMUR-TV 9.
Protect yourself: Be wary of any social networking postings that offer you the chance to see a cool photo or video or making claims you know to be untrue–such as a recent Twitter scam that offered to let you see who is viewing your profile. Often, these scams can be stopped by just revoking the app in your security permissions and changing your account password. Another smart thing to do, according to Cluley, is to stop and ask yourself why a Facebook application wants to post messages on your wall or access your friends list. If you can’t think of a good reason the app would need to do this, perhaps it’s not worth authorizing.
Threat 3: Fake Antivirus
What it is: Although they’ve been around for a few years now, fake antivirus scams are on the rise, according to Cluley. In the last eight months, Sophos says, it has analyzed more than 850,000 instances of fake antivirus. Also known as “scareware,” these scams start by convincing you to download a free antivirus program, sometimes appearing to be software from a reputable security company. Then the software claims your computer is under threat from a virus and you can save your system by buying a “full” version of the antivirus program for a one-time fee.
Once you do that, however, not only have you allowed more potential malware onto your computer, but you may have also handed over your credit card credentials to identity thieves. At that point, the bad guys can drain your bank account or steal your identity.
The irony of all this, says Cluley, is that these scams owe some of their success to the fact that we are becoming more aware of computer security. Since we want to protect ourselves as much as possible from malware threats, we become easily seduced by software promising enhanced security.
Protect yourself: First and foremost, make sure you are running a security program that’s current–especially one that effectively blocks brand-new malware (see our reviews of the latest security suites and antivirus programs for which to buy). And never download a security program from a pop-up window you see online or from a third-party site.
Threat 4: PDFs
It may be the oldest online scam in the book, but e-mail loaded with malware attachments is still a big problem despite a high degree of awareness and robust antivirus scanning in Webmail clients such as Gmail and Yahoo Mail. Cluley puts the number of malware-related e-mails sent every day in the “millions,” and says that “more and more spam is less about touting Viagra or fake degrees, but [is] turning malicious in nature.”
PDF documents appear to be a prime method for these attacks, according to a recent report by MessageLabs, a division of Symantec. “PDFs are potentially one of the most dangerous file formats available and should be treated with caution…Because it is significantly easier to generate legitimate and concealed malicious content with PDFs,” MessageLabs said in its February 2011 Intelligence Report (a PDF link–oh, the irony).
In 2010, 65 percent of targeted e-mail attacks used PDFs containing malware, up from 52.6 percent in 2009, according to MessageLabs, which further predicts that by mid-2011, 76 percent of targeted malware attacks could be using PDFs as their primary method of intrusion.
It’s not just businesses that are targets of e-mail scams either. Sophos recently discovered an e-mail scam in the U.K. purporting to offer an $80 gift certificate to customers of a popular pet supply retailer.
Protect yourself: Make sure you are running an antivirus program and that it’s up-to-date. Also, never open an e-mail attachment that you weren’t expecting.
Last but not least, make sure that you keep Adobe Reader (or the PDF reader of your choice) up-to-date; Adobe regularly releases security updates that fix known flaws. The new Adobe Reader X has an updated security architecture that can better protect you against malicious PDF attacks.
Threat 5: War Games
State-sponsored malware attacks, industrial espionage, and hacktivism are on the rise, according to Perimeter E-Security’s Jaquith. They may not be threats that affect everyone, but if you manage security for a business, they are the sorts of issues you should be paying attention to.
The hacktivist group Anonymous, for example, grabbed headlines this year for mounting attacks in defense of whistle-blower site WikiLeaks, and attacking government Websites in support of recent protests in Egypt, Tunisia, and Libya. The group also leaked a cache of e-mail messages from a security researcher who was trying to identify Anonymous members. “Whether it’s WikiLeaks, Anonymous, or a Chinese or Russian attacker, theft of industrial secrets is shaping up to be one of the key issues of 2011,” Jaquith says in a statement.
Protect yourself: If you are trying to safeguard your company’s secrets or are worried about data leaks, monitor your company’s network traffic for suspicious activity and conduct regular reviews of employee data access privileges.
The Internet may be filled with malware and potential threats, but that doesn’t mean you need to panic. Keep your guard up, use common sense, and keep your software up-to-date, and you should be able to reduce your risk of falling victim to attack.