
Five hidden security threats

Posted on 29 May 2012 at 09:00

Davey Winder reveals how some security threats are not so easy to spot

Not all IT security threats are as obvious as a badly written email from a bank you don't have an account with, asking you to change your password via a poorly executed clone website.

The most dangerous threats to your security are those which you don't suspect of posing any kind of risk to your data or finances at all.

1. QR codes

Similar in concept to a barcode, QR codes are a marketing fad that is popping up everywhere: in newspapers and magazines, on posters, packaging and even buses.

Scan them with your smartphone or tablet camera and they fire up your web browser and transport you straight to whatever web page they happen to be linked to. Usually this will be a promotional exercise, taking you to some product offer or other, but QR codes are just a black and white jumble that gives no indication of where you will actually end up or what is waiting for you there.

Scan a rogue code and you could find yourself transported to an infected page that downloads malware to your device and helps itself to your SMS messages, emails and call logs, for example. QR codes present one of the biggest hidden security threats precisely because genuine marketing campaigns rely upon the curiosity factor to get consumers to scan them; don't think for a moment that the bad guys have failed to notice this.

2. Malvertising

Although you could say that rogue QR codes are a form of malvertising, the actual malvertising threat is far more widespread. Google has done much to weed out the malvertising threat, courtesy of constant algorithm updates and tweaking of the human processes to spot rogue adverts that appear on the search engine, but the problem still remains, not least because malvertisers have discovered the power of social networks and new advertising distribution streams.

The scam itself is a simple one: just place what appears to be a genuine advert on a website, but then alter the advert code so that it exploits browser flaws to enable the injection of malware onto the unsuspecting users' computers when they click through. Facebook and Spotify have both fallen victim to such attacks.

The reason such malverts are successful is not that they themselves are advertising a trusted brand, but that they are advertising on a trusted brand.

3. SMS Trojans

Your smartphone is an increasingly attractive target for the bad guys. Actually, let me correct that statement: your Android smartphone is an increasingly attractive target for the bad guys.

If Android is the cybercrime platform of choice, then SMS Trojans are the favoured weapon. There have been plenty of reports of infected apps appearing on the official Google marketplace for Android apps, but plenty more within unofficial app distribution channels.

More often than not these come bundled with what appear to be legitimate versions of well-known games, promising a free, cut-down version to tempt people into downloading them. The payload is a Trojan which is attached and installed alongside the game, and sends text messages in the background to premium rate SMS numbers operating as a money laundering exercise.

More often than not, victims are blind to the battery draining faster than usual and are only made aware of the infection when the first bill arrives.

4. Obfuscated URLs

Those who would steal your data have long since focussed on making it harder for you to see where the links you are clicking are actually going to take you. Disguising URLs has been a de facto basic within the phishing community since the year dot.com, but browser client developers and security vendors have made this increasingly hard to accomplish over the years, and user education has played its part in reducing the impact of the obfuscated URL.

And then along came Twitter with that 140 character cut-off, and legitimate URL shortening services, such as bit.ly, became hugely popular. They were popular not only with genuine users, but with the cybercriminals using Twitter as well.

Unless you are using a Twitter client or add-on which exposes the full address as you hover over the link, you too could get caught out by this (very literally) hidden security threat.
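What "exposing the full address" amounts to can be shown in a few lines. The sketch below is an added example, not part of the original article: it follows a short link's redirects one hop at a time using HEAD requests, so the destination is revealed without loading the page. The host names and the redirect table are constructed for illustration, and the ten-hop limit is an assumption.

```python
import http.client
from urllib.parse import urlsplit, urljoin

MAX_HOPS = 10  # assumption: treat longer chains as suspicious and stop

def head_location(url):
    """One HEAD request, no body fetched: returns (status, Location or None)."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=5)
    try:
        conn.request("HEAD", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def expand(url, fetch=head_location):
    """Follow redirects hop by hop; return (chain of URLs, list of warnings)."""
    chain, warnings = [url], []
    for _ in range(MAX_HOPS):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain, warnings          # reached the real destination
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            warnings.append("redirect loop at " + nxt)
            return chain, warnings
        if chain[-1].startswith("https://") and nxt.startswith("http://"):
            warnings.append("HTTPS to HTTP downgrade at " + nxt)
        chain.append(nxt)
    warnings.append("gave up after %d hops" % MAX_HOPS)
    return chain, warnings

# Constructed redirect table standing in for the network; all hosts are made up.
SAMPLE = {
    "https://short.example/abc": (301, "https://tracker.example/r?id=1"),
    "https://tracker.example/r?id=1": (302, "/landing"),
    "https://tracker.example/landing": (302, "http://offer.example/win"),
    "http://offer.example/win": (200, None),
}

if __name__ == "__main__":
    chain, warnings = expand("https://short.example/abc", fetch=SAMPLE.get)
    print(" -> ".join(chain))
    print(warnings)
```

The last entry in the chain is the address a hover preview should be showing you; any warning is a reason not to click.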

5. Firesheeping

Firesheep was originally the name of a specific Firefox browser client plugin which made it really easy to snoop on people who were using public Wi-Fi networks to make unsecured connections to online services such as email, social networks, banking and other web-based activity.

The term has now become pretty much generically used for any sniffer tool that enables "sidejacking", or session hijacking to be more formal, by capturing a copy of the cookies left on your computer during your session and then using these to continue that session (posing as you) after you have finished and left.

Want to avoid becoming yet another firesheeped victim of the packet sniffing chancer? Either avoid those free Wi-Fi hotspots like the plague or, if you must use them, ensure you only do so with secured HTTPS connections.
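From the service's side, sidejacking works when a session cookie is allowed to travel over an unencrypted connection. The check below is an added example, not part of the original article: it reads the headers of one HTTP response and reports what would leave its cookies readable to a sniffer on the same Wi-Fi network. The sample responses, host names and finding labels are constructed for illustration.

```python
def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = [p.strip() for p in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def sidejack_findings(url, headers):
    """Return issues that leave this response's cookies open to sniffing.

    headers is a list of (name, value) pairs from a single HTTP response.
    """
    findings = []
    over_https = url.lower().startswith("https://")
    names = [n.lower() for n, _ in headers]
    if not over_https:
        findings.append("plain-http")  # cookies included, all readable on the wire
    elif "strict-transport-security" not in names:
        findings.append("no-hsts")     # browser may still try http:// next time
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(v)
        if "secure" not in attrs:
            # Without Secure the browser also attaches the cookie to http://
            # requests, which is the copy a Wi-Fi sniffer picks up.
            findings.append("no-secure-flag:" + cookie)
    return findings

# Constructed responses; host names and cookie values are made up.
WEAK = ("https://mail.example/login", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=c0ffee; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure"),
])
HARDENED = ("https://mail.example/login", [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "SESSIONID=c0ffee; Path=/; Secure; HttpOnly"),
])

if __name__ == "__main__":
    print(sidejack_findings(*WEAK))
    print(sidejack_findings(*HARDENED))
```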

Author: Davey Winder

User comments

Don't Blame the QR

Many/most QR scanners (all that I've come across - and I've come across a lot) ask permission before opening a web page. It's not QR itself that's a security risk. The problem is one of user habits. Clicking on any old link in an email is to be discouraged, as is going to a short code if you're not sure of the destination.

By PaulLSStokes on 7 Jun 2012


PCPro-Computing in the Real World Printed from www.pcpro.co.uk
