
Sunday, February 23, 2014

Apps on Google Play Can Secretly Subscribe Users to Premium SMS Services

Traditional advice is to use the official app stores to avoid mobile malware – but a Spanish security firm has discovered four apps available via Google Play that scam their users into covertly subscribing to premium SMS services and stealing money through their phone bills.

Luis Corrons, technical director of Panda Security's PandaLabs research arm, blogged about the discovery yesterday. His team found four apps (on dieting, baking, exercise and hairstyling) that all use a similar process to scam their users. The basic methodology is to trick the user into accepting terms and conditions well beyond those expected.

Using the diet app as an example, Corrons shows that users are presented with an invitation to view one of the diets. Clicking 'Enter' pops up a small window that asks the user to accept the app's terms of service – but those terms are separated from the pop-up, greyed out, and in tiny, unreadable text. They actually grant the app permission to subscribe the device to an external service.

Of course, it's not as simple as that. First, the app 'steals' the user's phone number from WhatsApp (a popular app that requires the user's number and is statistically quite likely to be installed). It then covertly subscribes the user to a premium SMS service, waits for the confirmation request from the service, intercepts it and replies in the affirmative, all without any notification to the user. The user eventually finds the cost hidden in the mobile phone bill, for a service he never knew he was using.
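The mechanism above (send a subscription SMS, read and answer the confirmation SMS before the user sees it, learn the device's own number) leaves a recognisable footprint in an app's AndroidManifest.xml. The following triage script is an added example, not PandaLabs' analysis or any code from the apps themselves: it parses a manifest and flags the permission combination plus a raised-priority SMS_RECEIVED receiver. The two manifests are constructed for illustration; the permission names and the broadcast action are real Android identifiers, but the choice of GET_ACCOUNTS/READ_PHONE_STATE as the route to the phone number and the priority threshold of 100 are assumptions, since the page does not say how the number was read.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes (android:name, android:priority, ...) live in this namespace.
A = "{http://schemas.android.com/apk/res/android}"

# Together these let an app send the subscription request and read the service's
# confirmation SMS without the user seeing either.
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"}

# Permissions through which an app could learn the device's own phone number.
# Assumption: the page does not say how the apps read the number from WhatsApp.
NUMBER_PERMS = {"android.permission.READ_PHONE_STATE",
                "android.permission.GET_ACCOUNTS",
                "android.permission.READ_CONTACTS"}

SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
PRIORITY_THRESHOLD = 100   # assumption: anything raised well above the default 0


def triage_manifest(manifest_xml):
    """Return the permission and receiver facts relevant to premium-SMS abuse."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}

    # A receiver for SMS_RECEIVED with a raised priority gets the ordered broadcast
    # before the stock messaging app; on pre-4.4 Android it can also abort the
    # broadcast so the confirmation SMS never reaches the inbox.
    sms_receivers = []
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            actions = {a.get(A + "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                sms_receivers.append((recv.get(A + "name"),
                                      int(flt.get(A + "priority", "0"))))

    findings = []
    if SMS_PERMS <= perms:
        findings.append("can send SMS and read incoming SMS")
    if perms & NUMBER_PERMS:
        findings.append("can read the device's phone number or accounts")
    for name, prio in sms_receivers:
        if prio >= PRIORITY_THRESHOLD:
            findings.append(f"SMS receiver {name} registered with priority {prio}")

    suspicious = SMS_PERMS <= perms and any(p >= PRIORITY_THRESHOLD for _, p in sms_receivers)
    return {"permissions": perms, "sms_receivers": sms_receivers,
            "findings": findings, "suspicious": suspicious}


# Constructed manifest for a hypothetical "diet" app; not taken from the real apps.
DIET_APP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.diets">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application android:label="Diets">
    <receiver android:name=".SmsCatcher">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest for a harmless recipe viewer, for comparison.
RECIPE_APP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.recipes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Recipes"/>
</manifest>"""

if __name__ == "__main__":
    for label, m in (("diet app", DIET_APP_MANIFEST), ("recipe app", RECIPE_APP_MANIFEST)):
        r = triage_manifest(m)
        print(label, "suspicious" if r["suspicious"] else "nothing flagged", r["findings"])
```

A hit here is a reason to look closer, not a verdict: a legitimate messaging app needs the same SMS permissions. The combination of SMS send/receive with a prioritised SMS receiver in an app whose stated purpose (diets, recipes) has nothing to do with messaging is what warrants manual review.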

This type of scam is a growing problem. "I know that lots of people only ever give their bill a cursory glance or don’t even bother looking if it stays under a certain amount. I manage all the bills in our house after I discovered my missus had been paying insurance and tech support on a phone she hadn’t used for 5 years," a PandaLabs spokesperson told Infosecurity.

"Whether the cyber criminals choose to use the app as often as possible to rack up their income knowing they will get caught quickly or the under-the-radar method [small amounts from a lot of victims] where they will try to go unnoticed depends on the criminal’s choice," Corrons told Infosecurity.

He did some quick arithmetic on a projected volume of anything up to 1.2 million downloads of the four apps. "They charge a lot of money for premium SMS services, if we make a conservative estimate of $20 charged by terminal, we are talking of a huge scam that could be somewhere between 6 and 24 million dollars!" And this, of course, is just for the four apps that he found.


These particular apps were found in the Spanish Google Play store. They contravene Google's new terms and conditions for Play, which insist on a single purpose and clear terms. How Google intends to enforce those terms remains to be seen, but Corrons confirmed to Infosecurity that these four have now been removed from Play.

Thursday, February 20, 2014

Dyman & Associates Risk Management Projects: Feds Launch Cyber Security Guidelines For US Infrastructure Providers

The White House on Wednesday released the first version of its cyber security framework for protecting critical infrastructure. Critics say these voluntary guidelines enshrine the status quo.

The White House on Wednesday released the first version of its cyber security framework for protecting critical infrastructure. It's a catalog of industry best-practices and standards that creates a voluntary template for companies to use in developing better security programs.

The Framework for Improving Critical Infrastructure Cybersecurity "enables organizations -- regardless of size, degree of cybersecurity risk, or cybersecurity sophistication -- to apply the principles and best-practices of risk management to improving the security and resilience of critical infrastructure," the White House said in a statement.

Although the document was hailed by administration officials as a "major turning point" in cybersecurity, it contains little that is revolutionary or even new. The National Institute of Standards and Technology, working with the Homeland Security Department and industry stakeholders, has compiled a set of known, publicly vetted standards that can be applied to identify, protect from, detect, respond to, and recover from risks.

The framework is technology-neutral and does not specify tools or applications to be used. Choices of technology are left to the user in addressing each category of risk management.

The framework is built on three basic components:

- Core. A set of common activities that should be used in all programs, providing a high-level view of risk management.
- Profiles. These help each organization align cybersecurity activities with its own business requirements, evaluate current risk management activities and prioritize improvements.
- Tiers. Tiers allow users to evaluate cybersecurity implementations and manage risk. Four tiers describe the rigor of risk management and how closely it is aligned with business requirements.

The framework is one leg of a three-pronged program set out in a presidential executive order on protecting privately-owned critical infrastructure, issued one year ago in response to Congress's failure to pass cybersecurity legislation. The second leg involves information sharing among companies and between the public and private sectors. The third leg attempts to address the protection of privacy and civil liberties. 

Privacy was a difficult area for stakeholders to come to a consensus on during the five public workshops and multiple iterations of the document. Some protections are incorporated in instructions for using the framework, but privacy was identified as an area that needs to be better addressed in future versions.

Although it would be difficult today for any attack to cause widespread, long-lasting damage to the nation's critical infrastructures, cyberattacks are becoming more effective. Demonstrated weaknesses in the IT systems that control and support the energy, transportation, financial services industries, and others leave them vulnerable to these attacks.


President Obama calls the latest cyber security framework "a turning point." (Source: White House)

Although the framework is voluntary and will depend primarily on "enlightened self-interest" to drive its use, it is not entirely without teeth. Regulatory agencies are working to harmonize existing regulations with the document, and government procurement requirements are likely to include conformance to the framework for contractors and suppliers.

But one White House official said during a briefing, "The goal is not to expand regulation."

Other incentives for adoption are expected to include public recognition, cyber insurance and cost recovery programs, all of which can be implemented without legislation. Administration officials said they will ask Congress for additional authority as needed, for protections such as limitations on liability for companies adopting the framework. But given the slow pace of legislation in the current Congress the administration's goal is to convince companies operating critical infrastructure that using the framework would be a good business decision.

Drafters said the framework creates a shared vocabulary for discussing and describing cybersecurity that can be used by a broad range of companies in different industries to create and evaluate risk-management programs. Gaps in programs can be identified and plans tailored to meet the specific needs for each user.

Focus on resilience

In an effort to support adoption of the framework by the private sector, the Department of Homeland Security is also launching a voluntary Critical Infrastructure Cyber Community program. According to DHS Secretary Jeh Johnson, the program will provide a "single point of access" to the department's cybersecurity experts for anyone needing help or advice.

Although the program is just getting underway, one of its services, the Cyber Resilience Review, has already been widely used by industry. The review lets organizations assess their current programs and determine how well they are aligned with the practices and standards of the framework. More than 300 of the reviews have been carried out.

President Obama, in a prepared statement, called the framework a turning point, but added, "It's clear that much more work needs to be done," a sentiment shared by the document's supporters and detractors alike.

Bob Dix, VP of global government affairs and public policy for Juniper Networks, called it "a laudable first step," but said "there is more that government and industry must do together to address basic cyber hygiene as well as the most sophisticated and persistent threats to critical infrastructure."

Because the framework is based on existing practices and standards, it has been criticized as enshrining the status quo rather than advancing cybersecurity. NIST officials said it is a living document that will be regularly updated.

A preliminary draft of the framework laid out areas for improvement to be addressed in future versions. These include authentication, automated information sharing, assessing compliance with standards, workforce development, big data analytics, international impacts, privacy standards, and supply chain management.



Wednesday, February 19, 2014

Dyman & Associates Risk Management Projects: Cybersecurity Expert Offers Tips To Consumers

Hackers have become very sophisticated over the past few years. The recent attack on Target was not only huge in scale but also unusual: the hackers got into the company through its point-of-sale equipment rather than through its online systems.

Dr. Vijay Anand, assistant professor in the department of Engineering and Technology at Southeast Missouri State University, gave some advice on how consumers can protect themselves against cybercrime. He urges consumers to be more proactive about cybersecurity, even though it is always difficult to predict where an attack will occur.

“It is always a good idea to check back on your account in a timely manner. That’s the only recourse consumers have at this point, it’s to regularly check on their account,” Anand said.

As far as credit or debit cards are concerned, consumers should prefer banks that offer cards with a chip rather than only the usual magnetic stripe. The chip contains a microprocessor with its own security features: unlike the static data on a stripe, which can be copied and replayed, the chip takes part in each transaction, which is why, according to Anand, it can prevent certain kinds of attacks.

Regarding identity theft, Anand suggests that people do much the same as for bank account attacks.

“The only recourse that you have against identity theft is to check and monitor your credit report,” Anand said.

Individuals can also be more careful by not simply throwing away mail containing sensitive personal information; such mail should be shredded. Some attackers practise dumpster diving, which consists of going through somebody’s trash in search of useful information about that person. Anand also reminds consumers that they should never answer an email asking them to give away private information such as a Social Security number: if a bank or other entity needs it, it will not ask for it by email. Such messages are phishing attacks, and they are incredibly common.

Concerning web browsers, Anand said he would prefer Firefox and Google Chrome over other browsers, as he considers those two more secure. There are other ways to be careful when carrying out a transaction. He explained that people should make sure the URL begins with “https://” rather than the usual “http://”.

“If it is https then it is a secure transaction, there is some authentication going on, so that is a secure connection that you have with a server. But if you have a basic http connection, it’s not secure.”

Anand insisted on this point, making clear that this small difference can matter a great deal to the security of the transaction.

“If the https sign is not there I would never put my username and password into that account because I have no idea whether it is a secure site or a non secure site,” Anand added.
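"Make sure the link contains https" is the right instinct but the wrong test if taken literally: the letters "https" can sit in a host name or query string of a plain-http link, and the host the browser connects to is not always the one the eye reads. The script below is an added example (not from the article or from Dr. Anand) that inspects a link the way a browser will, using only the URL parser from the standard library. The links are constructed for illustration and are not from any real campaign.

```python
from urllib.parse import urlsplit


def inspect_link(url):
    """Pick apart a link the way the browser will, not the way the eye reads it."""
    parts = urlsplit(url.strip())
    return {
        # Only the scheme says "TLS"; "https" anywhere else in the string means nothing.
        "secure_scheme": parts.scheme.lower() == "https",
        "naive_contains_https": "https" in url.lower(),
        # The host the browser actually connects to. Anything before an "@" in the
        # authority is user info, not the site: bank.example.com@evil.example goes
        # to evil.example.
        "host": parts.hostname,
        "has_userinfo": "@" in parts.netloc,
    }


def safe_to_enter_credentials(url, expected_host):
    """True only for an https link whose real host is the one the user expects."""
    info = inspect_link(url)
    return (info["secure_scheme"]
            and not info["has_userinfo"]
            and info["host"] == expected_host)


# Constructed links, not taken from any real phishing campaign.
LINKS = [
    "https://bank.example.com/login",                           # genuine
    "http://https.bank-example.com/login",                      # "https" is just part of the host name
    "http://bank.example.com/?next=https://bank.example.com/",  # "https" only in the query
    "https://bank.example.com@evil.example/login",              # real host is evil.example
    "bank.example.com/login",                                   # no scheme; the browser will try http
]

if __name__ == "__main__":
    for link in LINKS:
        info = inspect_link(link)
        print(f"{link:60} contains 'https'={info['naive_contains_https']!s:5} "
              f"secure={info['secure_scheme']!s:5} host={info['host']} "
              f"ok={safe_to_enter_credentials(link, 'bank.example.com')}")
```

One caveat that the quote above glosses over: https tells you the connection is encrypted and that the server presented a certificate valid for the host in the address bar. It says nothing about whether that host is the organisation you meant to reach, so the host check is the part that actually defends against a phishing page that has its own valid certificate.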

It is difficult for small businesses to protect themselves, because cybersecurity is expensive. What they can do, Anand advised, is use payment platforms such as Google Pay or PayPal, which are trustworthy sites with substantial security resources. To him, that is definitely a better solution than any home-built payment system.

Hackers don’t really go after private individuals one at a time. It would take too long.

“What they typically do is that they will go and attack the database of a large corporation, which has information about millions of people, so that value is much higher,” Anand said.


So even if the targets are still primarily big corporations, one is never too careful and should follow some of those tips to make sure that their online transactions remain safe.

Tuesday, February 18, 2014

Dyman & Associates Risk Management Projects: Why Businesses Can’t Ignore US Cybersecurity Framework

Industry leaders and President Obama call the framework just a first step in creating a cybersecurity playbook for 16 US critical infrastructure sectors. But this is more than just a reference manual.

The Obama administration's new voluntary Cybersecurity Framework for critical infrastructure providers, announced Feb. 12, won't please everyone. But it does bring together for the first time a useful set of federally endorsed practices for private sector security. It also represents a welcome reprieve from the frosty government-industry relationship on matters of cybersecurity preparedness.

Industry leaders as well as President Obama were quick to acknowledge that the framework is just a first step in creating a cybersecurity playbook for the nation's 16 critical infrastructure sectors, including financial services, communications, and energy providers. It establishes an important precedent not only by defining common security standards, but also by offering carrots to the private sector rather than wielding a regulatory stick. The framework also serves notice to a gridlocked Congress that the White House can give traction to issues of national importance.

First, the framework has cred, as its recommendations come not from Washington regulators, but from industry experts who've combatted cyberattacks. In pulling together the framework, the National Institute of Standards and Technology went to great lengths to collect, distill, and incorporate feedback from security professionals. More than 3,000 individuals and organizations contributed to the framework.


Second, the cybersecurity framework doesn't tell companies what to do or what tools to buy. But it does standardize the questions all CEOs should ask about their companies' security practices, as well as those of their suppliers, partners, and customers, and it shows them what the answers ought to look like. The economic pain hackers caused Target and its CEO, Gregg W. Steinhafel, may be incentive enough for other CEOs to adopt NIST's recommendations.

A third and even more powerful factor is the likelihood that even without legislation, the framework will become the de facto standard for private sector cybersecurity in the eyes of US lawyers and regulators. That's the view of Gerald Ferguson, who specializes in intellectual property and technology issues for law firm BakerHostetler, as expressed in a recent opinion column he wrote for InformationWeek.



Illustration of core functions and activities to support cybersecurity from NIST Framework for Improving Critical Infrastructure Cybersecurity 1.0

Fourth, the cybersecurity framework isn't just another set of NIST guidelines, but the outcome of President Obama's Executive Order on "Improving Critical Infrastructure Cybersecurity," which he announced in his 2013 State of the Union address.

"Cyber threats pose one of the gravest national security dangers that the United States faces," the president said earlier this week, a point reinforced in a new Defense News poll that found that nearly half of national security leaders think cyber warfare is a bigger threat to the US than terrorism.

But not everyone thinks the president's cybersecurity framework provides the right set of standards or adequately addresses how to make networks resilient against inevitable attacks.


Gerald Cauley, CEO of the North American Electric Reliability Corp., which develops reliability standards for power companies, argues that NIST's framework could undermine existing -- and in some cases more advanced -- cybersecurity practices already in effect.

Monday, February 17, 2014

Dyman & Associates Risk Management Projects: Scam court email alert


The Business Crime Reduction Centre (BCRC) is warning people about a new email scam that threatens victims with court action.

Fraudsters have been sending out legitimate looking spoofed emails designed to trick recipients into installing malware.

The emails say that you have been notified and scheduled to appear at a court hearing, and they contain specific dates, times, locations and reference numbers.

They ask you to download a copy of the “court notice” attached. The downloadable .zip file actually contains an .exe file (a program that runs when opened) carrying malware.
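A mail gateway or an analyst can catch this class of lure without running anything: open the zip in memory, look at what is really inside, and check the bytes rather than trusting the name. The script below is an added example (not BCRC's tooling) that flags executable entries by extension and by the "MZ" header every Windows program starts with, plus the "notice.pdf.exe" double extension and the padded-spaces trick used to push the real extension out of view. The sample zip is constructed inline and its "program" is inert bytes; the extension lists are an assumption and not exhaustive.

```python
import io
import zipfile

# Extensions Windows treats as directly runnable (assumed list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
# Extensions a lure borrows to look like a document.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".txt", ".rtf"}


def scan_zip_attachment(data):
    """Inspect a zip attachment in memory and report anything executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            pieces = base.lower().split(".")
            ext = "." + pieces[-1] if len(pieces) > 1 else ""
            with zf.open(info) as fh:
                magic = fh.read(2)
            # Look at the bytes, not just the name: a renamed .exe still starts with "MZ".
            is_pe = magic == b"MZ"
            if ext in EXECUTABLE_EXTS or is_pe:
                findings.append(f"{info.filename}: executable content")
            if len(pieces) > 2 and "." + pieces[-2].strip() in DOCUMENT_EXTS:
                findings.append(f"{info.filename}: document-looking double extension")
            if len(pieces) > 1 and pieces[-2] != pieces[-2].rstrip():
                findings.append(f"{info.filename}: padding spaces hide the real extension")
    return {"findings": findings, "block": bool(findings)}


def build_sample_zip():
    """Constructed stand-in for the scam attachment; the 'program' is inert bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Court_Notice.pdf.exe",
                    b"MZ" + b"\x00" * 62 + b"inert stand-in, not a real program")
        zf.writestr("Reference_Number.txt", b"Case reference: see attached notice.")
    return buf.getvalue()


def build_benign_zip():
    """Constructed zip containing only a (fake) PDF, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notice.pdf", b"%PDF-1.4\n% constructed placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("scam attachment", build_sample_zip()),
                        ("benign attachment", build_benign_zip())):
        result = scan_zip_attachment(data)
        print(label, "-> block" if result["block"] else "-> allow", result["findings"])
```

The byte check matters more than the name check: the subject lines and file names in this campaign change frequently, as BCRC notes below, but a Windows executable cannot change its first two bytes.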

The email has no connection to the Criminal Justice System and anyone receiving the email should not download any attachments or click any links. Report to Action Fraud by using the online fraud reporting tool.

You are likely to see some variations of this email, as it is easy for fraudsters to amend the details and continue targeting people.

BCRC’s cyber security specialist said “the email is difficult to block as the subject headers change frequently.”

He also said: “Provoking a panicked, impulse reaction has become a very common scam technique for cyber criminals. Opening the attachment allows the criminal to spy on the victim, use their computer to commit crime, or steal personal and financial information.”



Sunday, February 16, 2014

Dyman & Associates Risk Management Projects: Target’s Cyber Security Staff Raised Concerns in Months Before Breach

Target Corp.’s computer security staff raised concerns about vulnerabilities in the retailer’s payment card system at least two months before hackers stole 40 million credit and debit card numbers from its servers, people familiar with the matter said.

At least one analyst at the Minneapolis-based retailer wanted to do a more thorough security review of its payment system, a request that at least initially was brushed off, the people said. The move followed memos distributed last spring and summer by the federal government and private research firms on the emergence of new types of malicious computer code targeting payment terminals, a former employee said.

The suggested review also came as Target was updating those payment terminals, a process that can open security risks because analysts would have had less time to find holes in the new system, the employee said. It also came at a difficult time—ahead of the carefully planned and highly competitive Black Friday weekend that would kick off the holiday shopping period.

It wasn’t clear whether Target did the requested review before the attack that ran between Nov. 27 and Dec. 18. The nature of the feared security holes wasn’t immediately clear, either, or whether they allowed the hackers to penetrate the system.

The sheer volume of warnings that retailers receive makes it hard to know which to take seriously. Target has an extensive cyber security intelligence team, which sees numerous threats each week and could prioritize only so many issues at its monthly steering committee meetings, the former employee said.

Target declined to confirm or comment on the warning.


The breach has caused headaches for Target customers who have dealt with fraudulent charges and have had millions of credit and debit cards replaced by issuers. Investigators and card issuers haven’t quantified damages from the attack.

Saturday, February 1, 2014

Dyman & Associates Risk Management Projects: Preventing the Next Data Breach

The alarming discovery that hackers stole the credit card and personal information of tens of millions of Americans from Target’s computers is yet another reminder of human vulnerability in the digital age. The more practical and immediate lesson, however, is that retailers, banks and other corporations can do far more than they have done so far to protect customers from identity theft and financial fraud.

At last count, hackers had stolen the credit or debit card information of 40 million Target shoppers, as well as information like the names, addresses and email addresses of 70 million customers. Though the company has said little about how its system might have been compromised, experts say the attackers, who may have been based in Russia, inserted malicious software into Target’s poorly secured systems during the holiday shopping season.

It was the latest in a series of high-profile attacks against retailers like T.J. Maxx and companies that process card payments like Heartland Payment Systems.


Many of the stolen card numbers have been showing up on black markets where such information is traded. Some Target shoppers have had to deal with fraudulent charges. Experts warn that things could get worse when criminals start using the personal information they’ve stolen to try to commit identity theft by taking out loans and opening new credit card accounts in the names of Target customers.

Even as the investigation into the origins of the heist continues, Target and other companies must begin investing in better security measures to keep intruders out and start investing in software that will trigger alarms when it detects unauthorized access. A Verizon report on data breaches found that nearly four-fifths of intrusions in 2012 were of “low difficulty,” meaning hackers found trespass remarkably easy.

Companies also need to think carefully about what data they are collecting and storing. By keeping lots of sensitive information, they place themselves and their customers at considerable — and in some cases unnecessarily greater — risk than if they had deleted the data or never collected it. To take one startling example, security experts say there was absolutely no reason for Target to have stored the four-digit personal identification numbers, or PINs, of their customers’ debit cards. (Target says the codes were kept in an encrypted file, but hackers have broken open encrypted documents before.)

Retailers and banks can also reduce risk by moving away from cards that rely on magnetic stripes, whose static data is easily copied. Many countries in Europe, Asia and elsewhere have already moved to chip cards, which are far harder to duplicate; under the chip-and-PIN schemes used there, the customer must also enter a secret code before the card can be used. That’s partly why the United States accounts for nearly half of all global credit card fraud, even though it generates only about a quarter of all credit card spending. American retailers, including Target, have resisted (foolishly, as it turns out) the introduction of chip-based cards because they would have to invest in new equipment to handle them. (Target now says it supports chip-based cards.)
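Both this editorial and Dr. Anand's advice above say chip cards are "harder to duplicate" without saying why. The reason is that a stripe carries static data the issuer can only match, whereas a chip holds a key that never leaves the card and uses it to authenticate each transaction. The model below is an added example, not the page's or the card networks' code, and it is a deliberate simplification: a per-card HMAC key, a transaction counter and a terminal-supplied random number stand in for the EMV cryptogram construction, which is more involved. The card numbers and amounts are constructed.

```python
import hashlib
import hmac
import os


class StripeCard:
    """Magnetic stripe: the track data is static, so a copy is as good as the original."""
    def __init__(self, pan, track_data):
        self.pan = pan
        self.track_data = track_data

    def swipe(self, amount):
        return {"pan": self.pan, "amount": amount, "track": self.track_data}


def _mac(key, pan, amount, atc, un):
    """Toy cryptogram: MAC over the transaction details (not the real EMV algorithm)."""
    msg = f"{pan}|{amount}|{atc}|{un.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    """Toy model of a chip: a secret key that never leaves the card and a counter."""
    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self.atc = 0                      # application transaction counter

    def authorize(self, amount, unpredictable_number):
        self.atc += 1
        return {"pan": self.pan, "amount": amount, "atc": self.atc,
                "un": unpredictable_number,
                "cryptogram": _mac(self._key, self.pan, amount, self.atc, unpredictable_number)}


class Issuer:
    def __init__(self):
        self.stripe_tracks = {}           # pan -> track data on file
        self.chip_keys = {}               # pan -> key shared with the chip at issuance
        self.last_atc = {}                # pan -> highest counter seen

    def issue_stripe(self, pan):
        track = os.urandom(16).hex()
        self.stripe_tracks[pan] = track
        return StripeCard(pan, track)

    def issue_chip(self, pan):
        key = os.urandom(16)
        self.chip_keys[pan] = key
        return ChipCard(pan, key)

    def verify_stripe(self, txn):
        # All the issuer can do is compare static data, so a skimmed clone passes.
        return self.stripe_tracks.get(txn["pan"]) == txn["track"]

    def verify_chip(self, txn):
        key = self.chip_keys.get(txn["pan"])
        if key is None:
            return False
        expected = _mac(key, txn["pan"], txn["amount"], txn["atc"], txn["un"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return False                  # altered details or no card key
        if txn["atc"] <= self.last_atc.get(txn["pan"], 0):
            return False                  # counter already used: a replay
        self.last_atc[txn["pan"]] = txn["atc"]
        return True


def demo():
    """Clone a stripe, capture a chip transaction, and try to reuse both."""
    issuer = Issuer()
    stripe = issuer.issue_stripe("1111222233334444")   # constructed card numbers
    chip = issuer.issue_chip("5555666677778888")

    # A skimmer copies the stripe; the clone is swiped at another terminal.
    clone = StripeCard(stripe.pan, stripe.track_data)
    stripe_clone_accepted = issuer.verify_stripe(clone.swipe(50))

    # A chip transaction captured in full, then replayed verbatim and with a new UN.
    genuine = chip.authorize(50, os.urandom(4))
    genuine_accepted = issuer.verify_chip(genuine)
    replay_accepted = issuer.verify_chip(dict(genuine))
    forged_accepted = issuer.verify_chip(dict(genuine, un=os.urandom(4)))

    return {"stripe_clone_accepted": stripe_clone_accepted,
            "chip_genuine_accepted": genuine_accepted,
            "chip_replay_accepted": replay_accepted,
            "chip_forged_accepted": forged_accepted}


if __name__ == "__main__":
    for outcome, accepted in demo().items():
        print(f"{outcome}: {accepted}")
```

The limits are worth stating: the chip only helps where the chip is used. A card that can fall back to its stripe, or a card number typed into a website, gets none of this protection, which is why chip migration reduces counterfeit-card fraud at the terminal rather than fraud in general.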

No security measure will ever rid the economy of theft and fraud completely. But there is evidence that companies could do a lot more to protect data. 
