AVG Report Highlights Clever Criminals, Facebook Follies, & Mobile Mistakes
Despite firewalls, virus scanners, and 15-character passwords, we still face a risk that someone will try to phish or scam information that unlocks financial doors. Itâ€™s even happening in online communities where we feel safe. And now itâ€™s not just our computers. Mobile devices have become the new gateway for savvy criminals who want your money. AVG addressed these realities and other online security concerns in its third quarter Community Powered Report.
The Price for Digital Currency
Online gaming communities with their own digital currency like Zynga zCoins or Facebook Credits are firmly in the crosshairs of enterprising thieves. These digital economies are worth real money (Bitcoinâ€™s estimated market capital hit $63,336,546 in August 2011), and, according to AVG, theyâ€™re just too tempting for the pickpockets to ignore.
So whereâ€™s the vulnerability? These systems can still be gamed just like their more traditional counterparts, and it can be incredibly difficult to trace. In the case of Bitcoin, for example, there are no intermediaries. Designed to allow money transactions without banks or other commercial entities, Bitcoin provides users with a digital wallet that lets people buy and sell online via their Bitcoin â€œwallet.â€
A decentralized system, a Bitcoin wallet can reside on a personal computer or on a third-party server and transactions happen via a peer-to-peer network. So what happens if a thief dips his hand in your Bitcoin wallet? Â As AVG describes it, think of cash in your physical wallet. If someone steals that cash what are the odds that youâ€™ll get it back? Bitcoin faces a similar problem. After the transaction receives approval reversal isnâ€™t an option.
Even if youâ€™re not actively using Bitcoin, malware still exists that can use your computer to do the dirty work running in the background. Like other malware it frequently gets in via other application installations. Actual Bitcoin users will feel the pinch if a Trojan gets installed that allows a remote user to control a Bitcoin client. Since accounts are anonymous the thieves can complete the transactions and all youâ€™ll see is an address of an approved transaction that you canâ€™t reverse.
First and foremost, if you use a digital wallet, keep it secure. If youâ€™re using digital currency, use it with caution and be aware that there are people looking to pick your wallet without you ever leaving the house. And, since itâ€™s coming from AVG, keep your security applications up to date.
Facebook on the Front Lines
Itâ€™s not a surprise given Facebookâ€™s popularity and size that itâ€™s a target for the unsavory. AVG identified two particular methods this quarter that have gained traction: Clipjacking and Survey Scam. In Clipjacking, the goal is to make you hit the play button on the funniest (why do the criminals always use humor to entice?) video clip. Clicking that button can trigger the system to show that you â€œlikeâ€ the clip plus share it with your Facebook friends. So how do people get tricked?
The attack involved placing a transparent image file (GIF) over a video clip, this GIF file and the hidden code can go unnoticed by the majority of Facebook users. The user is tricked into believing that they are pressing the â€œplayâ€ button but actually clicking on the transparent GIF which executes the code.
But thatâ€™s not enough for the scammers. Youâ€™ll also be prompted â€œto agree to an automatic $10 monthly mobile phone charges.â€ Avoiding the charges alone doesnâ€™t prevent problems. The videos are rarely about kittens and puppies, so you end up sharing something that may ultimately prove embarrassing, depending on whom you have in your network (think your boss, your momâ€¦you get the idea). Here are a few of the Clipjacking videos AVG has noticed so far this year:
- Â â€œWho is looking at your profileâ€
- Â â€œYou wonâ€™t believe what this teacher did to his studentâ€
- â€œLily Allen shows her breasts on British televisionâ€
For the people who didnâ€™t avoid the phone scam, now the criminals have their phone number and authorization to charge $10. Assuming even a 1 percent success rate (6,000 Facebook users) per day, AVG estimates that the take could easily reach over $20 million a year and all because you couldnâ€™t resist watching that video about Lily Allen. Think twice before you click and make sure to check your phone bill for suspicious charges.
Sucked Into the Blackhole
An attack toolkit, Blackhole remains the most prevalent toolkit based on reported detections by AVGâ€™s community (34 million in Q1 2011). Like the majority of malware, it looks for holes in legitimate software, security bugs that leave some of the popular software vulnerable. Based on the rate and pattern of detections, AVG notes â€œthat there are more traps on the web, but fewer victims falling into them.â€
Showing an entrepreneurial bent, the most talented of these programming criminals found that they could sell their code to the less skilled. Once that step met with success, they moved on to leasing their code, offering annual licenses for $1500 per year and other ala carte options to appeal to would-be scammers.
Blackhole has gained traction fast since its appearance in 2010 because itâ€™s difficult to detect, includes a statistical console, and offers users an online virus scanning service. So what does the end user see? When a website falls to the attack, visitors get pointed to another page that contains the Blackhole code, often a 404 â€˜page not found.â€™ After the code is installed, the page closes and the compromised computer starts communicating with a server that downloads more files, including key loggers, Trojans, bots, and fake antivirus applications.
Going Mobile Comes with Risks
Remember that last app you downloaded to your Android? Did you get it from the official Google store (although it has problems, too) or did it come from somewhere else? As Android took over market share to become the most popular mobile OS, it also became a target for cyber crime, according to AVG.
In this instance, the malicious code comes in a tempting package: theyâ€™re made to look like legitimate applications. Used to send personal data from your phone to remote servers, AVG analyzed one package that originated in China that actually recorded conversations, SMSs, and GPS data to your phoneâ€™s memory card then sent those digital files to a server.
Keeping your device secure is simple, but not necessarily easy. You canâ€™t assume that an app in the official Android Marketplace is secure. Youâ€™ve got the check out the developer, read the reviews, and look carefully at the permissions that the app requests. Also be on the lookout for your phone behaving oddly and watch for unexplained charges on your phone bill since some malware can sign you up for expensive services without your knowledge.
The Bad Guys Want Your Money
The price we pay for the benefits of living online includes being aware of the risks and protecting our weak points. Reports from AVG and other security companies make it clear that if we donâ€™t, someone will be waiting to take advantage. It may feel like a hassle at times to run the updates and to do the research, but what does it cost you in lost time and money if something gets through?
What tools and resources are you using to protect yourself online?