Mobile Devices
“Mobile devices” were one of the hot topics of 2011 and are set to continue to be so in 2012. In an interview at the start of the year, media mogul Rupert Murdoch announced that everyone who could afford it would buy a tablet PC and that there would eventually be more than one billion of them worldwide.
Electronics are also popular Christmas gifts in 2011: According to a survey by high-tech association BITKOM, 13% of Germans want to give or buy a tablet PC while 16% want to give or buy smartphones.[1] In Germany alone, 2.1 million tablet PCs are expected to be sold, 162% more than in the previous year.[2]
Mobile devices equipped with the Android operating system have been popular for quite some time. In the third quarter of this year, the Android OS once again dominated the mobile all-rounder market with more than half the market share: 52.5% of all smartphones sold in this period had this operating system, ahead of Symbian (16.9%) and Apple (15.0%).[3] This now established leadership in customer preference is also a clear sign for malware writers that they can focus on this platform to benefit from wide-spread use of these devices.
Applications, or apps for short, provide the most convenient way of spreading malicious code. Everyone who has a Google-certified Android device can easily use his or her Google account to buy apps from the official Android market or alternatively download them from unofficial markets or websites. Miscreants hide their malicious code in apps that either look deceptively like popular apps or get customers interested in some other way. All it then takes is for the user to install the app on his or her mobile device to infect the phone. Once this has happened, the malware can damage the owner in many different ways: It can send SMS, sign up to premium SMS subscriptions, steal personal data, ‘root’ the phone, turn the device into a wire tap, and much more. The speed at which new malware functions are implemented is noticeably on the rise, whereas there are shockingly few updates available for the Android operating system at times. It has already been mentioned numerous times that Android might be the new Microsoft with regard to malware – the number of malware strains is on the rise but this is not stopping the rapid spread of the operating system.
At the moment, malicious applications are only installed by users themselves after they have been tricked, misled and convinced (social engineering). However, mobile devices offer so many technical possibilities that it is only a matter of time until we are faced with automatic attacks and infections where users are not actively involved. We expect such automated attacks to take place in the wild for the first time in 2012; probably in the form of drive-by infections triggered by websites visited, as is already common practice with computer malware. The respective proof of concept has been around since the start of the year.
Targeted Attacks
If these attacks were to succeed in the future, the “targeted attacks” chapter would also have to be extended because business people are particularly lucrative targets for cyber criminals and mobile devices are quite frequently used in a professional context. Attacking mobile all-rounders that are used in the professional field is particularly appealing since these devices can be used for central access to a lot of data.
2011 also saw a particular piece of spyware that caused a stir because it was designed specifically for companies: DuQu. Even though it was regarded as Stuxnet’s successor by many, this spy tool is not designed to sabotage certain industrial control systems. The concept that attackers can gain access to critical control systems – albeit with great effort at times – is no longer fiction, as has become apparent since the reports about Stuxnet in an Iranian enrichment facility or the Bushehr nuclear plant at the latest.
DuQu is different, but only in parts. DuQu is capable of spying on any type of company; hence it is more of a data thief than a specialised tool for destroying a target. Its objective is to collect as much data as possible and to prepare attacks like those by Stuxnet. It is also alarming to note that there are hints in the source code of DuQu that indicate that DuQu and Stuxnet were written by the same group. This is not only interesting for politically motivated groups. It is almost inconceivable to think of what could happen if criminals used such information for blackmail.
In November, even the FBI declared cyber security to be “a huge growth factor” and expected the size of its cyber division to double over the next 12 to 18 months. This estimate was triggered by hackers gaining access to the supply systems of three large US cities.[4]
Major Events
However, the increase in numbers of digital law enforcement personnel is not just due to the aforementioned targeted attacks against companies. Major events are on the horizon and next year society and the media will focus on several major events worldwide:
- European Football Championship (Poland & Ukraine) – June 8 to July 1, 2012
- Olympic Games (England) – July 27 to August 12, 2012
- Presidential elections (USA) – November 06, 2012
The British Metropolitan Police alone has a budget of £600 million for identifying and tackling traditional as well as cyber threats.[5] The digital threats faced by the above-mentioned major sporting events include:
- Waves of spam and search engine manipulation for online fraud with fake or non-existent tickets or memorabilia
- Fake ticket shop websites for phishing crimes
- Attacks on official websites of the Olympic Games by potential protesters
- Setting up of specially prepared WLAN networks for visitors on site that can then be used to access data
- Close-range attacks on smartphones
The list of potential attacks is long. One should not forget about the targeted attacks on infrastructure for sabotage or blackmail, as already mentioned above.
In the lead-up, organisers work hard to be well-protected against cyber attacks with sufficient tests and independent exclusive networks for the Olympic Games.[6] For the British e-crime team, the fight against ticket fraud already started at the beginning of 2010.[7]
Attackers will also start focusing on the presidential elections in the USA. Conceivable scenarios include search engine manipulations leading users to seemingly official websites or shocking videos or exclusive photos (Black Hat SEO). Attackers often use this form of social engineering, exploiting sensationalism to lure Internet users to websites and thus spread malicious code. Spam emails are also highly likely to contain similar messages asking their recipients to visit manipulated websites.
Another possible way to attempt fraud with regard to the elections that the whole world will be watching could be phoney offers to voters, offering them money if they vote for a certain candidate. All they allegedly have to do to receive the promised money is to provide banking and personal data; a classic phishing attack that could even influence the election if it is successful.
In the phishing area, computer users could be faced with a huge wave of highly sophisticated and targeted attacks as a consequence of the well-publicised, large-scale data thefts of 2011. The hacking of the Sony PlayStation®Network made headlines worldwide because the personal data of around 77 million customers was stolen. This was not the only data theft case but one of the biggest. The stolen data could now be used, for example, to generate emails that trick their recipients because they could be peppered with real data (salutation, address, etc.).[8] Conceivable fraud strategies could include alleged invoices, lottery wins and similar.
Banking Trojans
Phishing attacks still manage to frequently fool users by promising them money. However, money is also the main motivator for cyber criminals to engage in their illegal activities. One of the most popular ways of getting money in 2011 was to use banking Trojans and there are no signs of this trend reversing as the number of online banking users – similar to the number of mobile device users – is constantly on the rise. Banking Trojans in particular are a threat to be taken seriously since a successful attack often results in significant financial loss for the victim. According to Eurostat, 43% of Germans used online banking last year. Hence, online banking is very popular and the days when it was used by only a small group of technically advanced users are long gone. For 2010, the BKA (German Federal Criminal Police Office) reported 5,331 cases amounting to €21.2 million in damages. However, there are assumed to be a large number of unreported cases since “only approximately 40% of actual cases” are reported to the BKA.[9]
Virtual Money
2012 also offered new opportunities for acquiring virtual money. Fraud involving money exists thanks to web offers like games or virtual communities in which real money can be used for in-game purchases and extra options. In this large segment, there are many different and sophisticated attacks (phishing and malware) designed to relieve users of their virtual dollars, gold coins or similar. The different virtual currencies have an actual monetary value.
BitCoin is one of the most popular virtual currencies. To get BitCoins you can, for example, make your computer and its computing power available to external computing operations. A free and non-profit project that uses such an approach to computing is the SETI@home project of the University of California. However, there is no remuneration for this project. Other computing projects do pay for the computing operations performed and this basis is now being used to create miner botnets. Criminals infect computers with a miner bot which then lets other devices work on the projects in the name of the attacker. Perpetrators can later convert the virtual currency thus obtained into real money. Even local Internet routers could be profitably integrated into such a miner botnet. The computing power is much lower but most of them are seldom updated or maintained; they are set up and then usually run 24 hours a day while being connected to the internet.
Internet-capable Electronics
Aside from classic computer strategies, we will look at internet-capable consumer electronics such as web-enabled TVs or modern gaming consoles with internet-connectivity. The graphics processors installed in these devices are very powerful and can be used for ‘mining’ virtual currency among other things. If attackers succeed in installing malicious code on these relatively unprotected devices that are not updated very often they can abuse the high computation power of the graphics units.
[1] http://www.bitkom.org/70427_70422.aspx
[2] http://www.bitkom.org/de/presse/8477_70631.aspx
[3] http://www.gartner.com/it/page.jsp?id=1848514
[4] http://www.information-age.com/channels/security-and-continuity/news/1676243/hackers-accessed-city-infrastructure-via-scada-fbi.thtml
[5] http://news.sky.com/home/uk-news/article/15579707
[6] http://sports.espn.go.com/espn/wire?section=oly&id=7084244
[7] http://www.itpro.co.uk/619900/met-police-start-to-combat-2012-olympics-cybercrime
[8] http://blog.gdatasoftware.com/blog/article/sophisticated-spam-mails-after-data-leak-in-company-database.html
[9] http://www.bka.de/nn_224082/SharedDocs/Downloads/DE/Publikationen/JahresberichteUndLagebilder/Cybercrime/cybercrime2010,templateId=raw,property=publicationFile.pdf/cybercrime2010.pdf




