Five hidden security threats
Posted on 29 May 2012 at 09:00
Davey Winder reveals how some security threats are not so easy to spot
Not all IT security threats are as obvious as a badly written email from a bank you don't have an account with, asking you to change your password via a poorly executed clone website.
The most dangerous threats to your security are those which you don't suspect of posing any kind of risk to your data or finances at all.
1. QR codes
Similar in concept to a barcode, QR codes are a marketing fad that are popping up everywhere: newspapers and magazines, on posters, packaging and even buses.
Scan them with your smartphone or tablet camera and they fire up your web browser and transport you straight to whatever web page they happen to be linked to. Usually this will be a promotional exercise, taking you to some product offer or other, but QR codes are just a black and white jumble that gives no indication of where you will actually end up or what is waiting for you there.
Scan a rogue code and you could find yourself transported to an infected page that downloads malware to your device and helps itself to your SMS messages, emails and call logs, for example. QR codes present one of the biggest hidden security threats precisely because genuine marketing campaigns rely upon the curiosity factor to get consumers to scan them; don't think for a moment that the bad guys have failed to notice this.
2. Malvertising
Although you could say that rogue QR codes are a form of malvertising, the actual malvertising threat is far more widespread. Google has done much to weed out the malvertising threat, courtesy of constant algorithm updates and tweaking of the human processes to spot rogue adverts that appear on the search engine, but the problem still remains, not least because malvertisers have discovered the power of social networks and new advertising distribution streams.
The scam itself is a simple one: just place what appears to be a genuine advert on a website, but then alter the advert code so that it exploits browser flaws to enable the injection of malware onto the unsuspecting users' computers when they click through. Facebook and Spotify have both fallen victim to such attacks.
The reason such malverts are successful is not that they themselves are advertising a trusted brand, but that they are advertising on a trusted brand.
3. SMS Trojans
Your smartphone is an increasingly attractive target for the bad guys. Actually, let me correct that statement: your Android smartphone is an increasingly attractive target for the bad guys.
If Android is the cybercrime platform of choice, then SMS Trojans are the favoured weapon. There have been plenty of reports of infected apps appearing on the official Google marketplace for Android apps, but plenty more within unofficial app distribution channels.
More often than not these come bundled with what appear to be legitimate versions of well-known games, promising a free, cut-down version to tempt people into downloading them. The payload is a Trojan which is attached and installed alongside the game, and sends text messages in the background to premium rate SMS numbers operating as a money laundering exercise.
More often than not, victims are blind to the battery draining faster than usual and are only made aware of the infection when the first bill arrives.
4. Obfuscated URLs
Those who would steal your data have long since focussed on making it harder for you to see where the links you are clicking are actually going to take you. Disguising URLs has been a de facto basic within the phishing community since the year dot.com, but browser client developers and security vendors have made this increasingly hard to accomplish over the years, and user education has played its part in reducing the impact of the obfuscated URL.
And then along came Twitter with that 140 character cut-off, and legitimate URL shortening services, such as bit.ly, became hugely popular: not only with genuine users, but with the cybercriminals using Twitter as well.
Unless you are using a Twitter client or add-on which exposes the full address as you hover over the link, you too could get caught out by this (very literally) hidden security threat.
5. Firesheep
Firesheep was originally the name of a specific Firefox browser client plugin which made it really easy to snoop on people who were using public Wi-Fi networks to make unsecured connections to online services such as email, social networks, banking and other web-based activity.
The term has now become pretty much generically used for any sniffer tool that enables "sidejacking", or session hijacking to be more formal, by capturing a copy of the cookies left on your computer during your session and then using these to continue that session (posing as you) after you have finished and left.
Want to avoid becoming yet another firesheeped victim of the packet sniffing chancer? Either avoid those free Wi-Fi hotspots like the plague, or if you must use them ensure you only do so with secured HTTPS connections.
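The sidejacking exposure described above comes down to session cookies travelling over unencrypted HTTP. As an added example (not part of the original article), this Python sketch audits the `Set-Cookie` headers of captured responses and reports cookies that were set over plain HTTP or that lack the standard `Secure` attribute, which tells the browser to send the cookie over HTTPS only. The hostnames, cookie values and function names are constructed for illustration.

```python
# Added example (not from the article). Hostnames and cookie values are constructed.

def parse_set_cookie(value):
    """Return (cookie name, set of lowercase attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(url, headers):
    """Return {cookie name: [issues]} for cookies a Wi-Fi sniffer could capture.

    headers is a list of (name, value) tuples from a single HTTP response.
    """
    over_https = url.lower().startswith("https://")
    findings = {}
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        issues = []
        if not over_https:
            issues.append("set over plain HTTP, readable on the open network")
        if "secure" not in attrs:
            issues.append("no Secure attribute, browser will also send it over HTTP")
        if issues:
            findings[name] = issues
    return findings


# Constructed sample responses for illustration.
SAMPLE_RESPONSES = [
    ("http://webmail.example/login",
     [("Content-Type", "text/html"),
      ("Set-Cookie", "session=abc123; Path=/; HttpOnly")]),
    ("https://social.example/login",
     [("Set-Cookie", "sid=xyz789; Path=/; Secure; HttpOnly"),
      ("Set-Cookie", "prefs=dark; Path=/")]),
]

if __name__ == "__main__":
    for url, headers in SAMPLE_RESPONSES:
        for cookie, issues in audit_response(url, headers).items():
            print(f"{url}: {cookie}: {'; '.join(issues)}")
```

A cookie reported with both issues is the case Firesheep-style tools rely on; one reported only for the missing `Secure` attribute is safe until the browser makes any plain HTTP request to the same site.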
Author: Davey Winder
Don't Blame the QR
Many/most QR scanners (all that I've come across - and I've come across a lot) ask permission before opening a web page. It's not QR itself that's a security risk. The problem is one of user habits. Clicking on any old link in an email is to be discouraged, as is going to a short code if you're not sure of the destination.
By PaulLSStokes on 7 Jun 2012