1. Cocoon: Top 10 Security Threats For 2013

    With the web picking up traction in the distribution of malware – cybercriminals continue to focus their efforts on exploiting the weakest link. From irreversible malware to premium attack exploit toolkits – the threat landscape of 2013 will continue to amp up the security battleground…

    1- More browser-infecting malware

    With so much sensitive and personal data passing through web browsers, WatchGuard predicts that Man-in-the-Browser (MitB) attacks will rise steeply in 2013.

    Now, a new type of malware has emerged. Sometimes called a Man-in-the-Browser (MitB) or browser zombie, it arrives as a malicious browser extension, plugin, helper object, or piece of JavaScript. It doesn’t infect the whole system; instead it takes complete control of a browser and runs whenever the victim surfs the web.

    2- More Android mobile madware

    Researchers at Georgia Tech Information Security Center (GTISC) state that malware writers have moved from taking a casual interest in mobile platforms to trying to create a viable business model, especially focusing on devices based on the Android operating system.

     -Malicious and privacy-undermining applications for Android will continue to grow quickly, as cybercriminals use toll fraud and other mechanisms to turn compromised devices into cash sources.

    -Mobile wallets will face further scrutiny and slow adoption until their security is proven.

     3- More IPv6-based attacks

    WatchGuard also predicts an increase in IPv6-based attacks and IPv6 attack tools. Although the IT industry has been slow to adopt IPv6, many new devices are already IPv6-aware and can create IPv6 networks on their own. When these devices create their own networks and have not been locked down with security controls, this leaves the door wide open for cybercriminals to exploit unprotected weaknesses.

    4- More madware (mobile apps)

    Expectation is high that madware, otherwise known as mobile adware, will continue to rise. In a recent FTC staff report, “Mobile Apps for Kids: Disclosures Still Not Making the Grade,” nearly 60% of the child apps surveyed were transmitting information from the child’s device back to the app developer, advertising network, analytics company, or other third party.

    What is becoming apparent with some madware is that it pushes consumer tolerance to the limit by gaining permission to make phone calls or send text messages. Five of the most annoying habits of madware include sending alerts to the notification bar, adding icons to your device, changing browser settings, gathering personal information and even changing the ringtone. What makes madware such a nuisance development is that in many cases consumers have no idea what these ad networks are doing, and they can be left with astronomical phone bills or become a victim of identity theft if these activities go unchecked. –Symantec

    5- More ransomware  

    According to the Internet Crime Complaint Center (IC3) the latest version of ransomware uses the name of IC3 to frighten victims into sending money to the perpetrators. This version of the Citadel malware platform also claims that the user’s computer activity is being recorded using audio, video, and other devices. This is a very clever social engineering trick – designed to instill fear of potential criminal prosecution if the victim fails to comply with the perpetrator’s ransom demands.

    Next, the victim is lured to a drive-by-download website that installs ransomware on the user’s computer. Once installed, the computer freezes and a warning screen is displayed warning the user that they have violated U.S. federal law. Then the perpetrator goes even further (instilling more fear in the victim), by stating that IC3 has discovered that the victim’s IP address has accessed child pornography or other illegal content. To unlock the computer, the victim is instructed to pay an IC3 fine by purchasing a prepaid money card.

    You can expect much more sophisticated versions of ransomware in 2013.

    6- More use of legal surveillance tools

    With the revelation that the U.K.- based Gamma Group offered ‘Finfisher/Finspy’ monitoring software to the previous Egyptian government and reports that the Indian government asked firms (including Apple, Nokia and RIM) for secret access to mobile devices – surveillance tools will be a hot security topic in 2013. –Securelist

    7- More targeted spear-phishing attacks

    Websense Security Labs is predicting that malicious email will make a comeback in 2013 with “timed and targeted spear-phishing email attacks, along with an increase in malicious email attachments, are providing new opportunities for cybercrime. Domain generation algorithms will also bypass current security to increase the effectiveness of targeted attacks.”

    8- More social networking scams

    Social networking sites such as Facebook and Twitter are optimal grazing grounds for cybercriminals to easily target large pools of victims. With the free flow of personal information, cybercriminals easily digest all this social data and devise targeted attacks that prey on consumers using social engineering tactics and sensationalism.

    One of the biggest crowd enticers on Facebook is for the cybercriminal to produce an unbelievable video, rogue app or viral link that can be shared with a large number of users. The idea is to perpetuate a continuous bombardment of shared content that can spam the wall or messaging system of the original victim, their friends and even friends of friends.

    This content is generally socially engineered to convince the victim to download a fake video viewer (in order to view that fabulous video), take a scam survey via a rogue app in order to win an iPad 3 or share a link that is infested with several redirects until it arrives at a malicious website. Expect more of this in 2013.

    9- More search history poisoning

    In early November, researchers at Georgia Tech Information Security Center (GTISC) released their 2013 computer security threat forecast. It was interesting to note that the researchers mentioned tampering with a user’s search history as a new attack vector.

    “If you compromise a computer, the victim can always switch to a clean machine and your attack is over,” said Professor Wenke Lee. “If you compromise a user’s search history and hence his online profile, the victim gets the malicious search results no matter where he logs in from.”

    The benefit to the attacker is that such manipulations, when stored as part of an online profile indexed by a cookie, can survive many defensive measures. Such attacks can significantly change input to a search engine’s filtering algorithm, changing which sites a person sees.

    10- More sophisticated Cybercriminal Attack “Premium” Toolkits

    Sophos recently reported in their Security Threat Report 2013 that malware authors have become highly sophisticated in authoring the Blackhole Exploit Kit. The exploit kit combines both technical dexterity with a business model that could have come straight from a Harvard Business School MBA case study.

    “In the coming year we will likely see a continued evolution in the maturation of these kits replete with premium features that appear to make access to high quality malicious code even simpler and comprehensive,” warns Lyne. –Infosecurity


  2. Cocoon’s Top 5 “Back to School” Internet Security Threats

    The majority of Internet security risk factors for the back-to-school-gang can be controlled with the right online tools, the right attitude (a willingness to learn and apply the necessary strategies) and the desire to become proactive versus reactive.

    1. Weak Passwords
    2. Privacy 
    3. Malware
    4. Mobile App Risks
    5. Unsecured Wi-Fi

    The web is often the perfect playground for cybercriminals to snare victims. Social media houses the glitter with connections, apps, games and traps. Major search engines feed the curious, but can also circumvent legitimate searches and replace them with offensive content.

    1. Weak Passwords

    Using the same weak password across multiple sites gives a hacker an entrance to hijack all your online accounts, steal bank login information and potentially wipe out your bank account.

    A weak password such as 123456, passwordabc123, or using your first name or pet’s name as your password is the Achilles heel of online security.

    Passwords are your first line of defense against cybercriminals. Create complex passwords for each site (do not share the same password at multiple sites), change them frequently and create accounts at sites that use good encryption.

    The weakest link on social media sites is the use of weak (123456) or common passwords (password). If you use passwords that can be traced directly back to you (Example: getcocoon) or use the name of your family pet (Example: cocoonpuppy), these types of passwords can easily be figured out with a bit of social engineering and access to your Facebook page. Never use passwords that are associated with something that can be traced directly back to you.

    How long would an online attacker using a password cracker at 1,000 guesses per second take to figure your password out? Let’s take a look at how effective your password is at GRC:

    If your password is 5 characters long and uses:

    *Just numbers, the time to “crack” = 1.85 minutes (Example: 12345).

    *The full alphabet but doesn’t mix upper and lowercase, the time to “crack” = 3.43 hours (Example: alpha).

    *The full alphabet and numbers 0 through 9 but doesn’t mix upper and lowercase, the time to “crack” = 17.28 hours (Example: alp12).

    *The full alphabet and numbers with mixed case, time to “crack” = 1.54 weeks (Example: Alp12).

    Use a combination of uppercase, lowercase, numbers and symbols

    *If we combine the alphabet, numbers, mixed case and use 6 characters instead of 5, the time to “crack”  jumps to 1.84 years (Example: Alph12).

    *If we go to 8 characters and throw in symbols like # % & *, the time to “crack” jumps to 2.13 thousand centuries (Example: Alph12*!).
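The figures in the list above come from counting every candidate of length 1 up to the password's length over its character set and dividing by the guess rate. The sketch below is an added example, not code from the post or from GRC; it reproduces those six figures and then shows why they are only a worst case when a password sits on a common-password list. Assumptions: a year is 52 weeks, the symbol class is the 33 printable ASCII symbols including space, and `COMMON_FIRST` is a constructed list.

```python
import string

GUESSES_PER_SECOND = 1_000          # online attack rate used in the post
SYMBOLS = string.punctuation + " "  # 33 printable ASCII symbols

# (unit name, seconds per unit); a "year" is 52 weeks, an assumption that
# reproduces the post's 1.84-year and 2.13-thousand-century figures.
UNITS = [
    ("thousand centuries", 604_800 * 52 * 100 * 1000),
    ("centuries", 604_800 * 52 * 100),
    ("years", 604_800 * 52),
    ("weeks", 604_800),
    ("days", 86_400),
    ("hours", 3_600),
    ("minutes", 60),
]


def alphabet_size(password):
    """Sum the sizes of the character classes the password draws on."""
    classes = [(string.digits, 10), (string.ascii_lowercase, 26),
               (string.ascii_uppercase, 26), (SYMBOLS, 33)]
    return sum(size for chars, size in classes
               if any(c in chars for c in password))


def search_space(password):
    """Count all candidates of length 1..len(password) over that alphabet."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def humanize(seconds):
    """Express a duration in the largest unit that gives a value >= 1."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:.2f} {name}"
    return f"{seconds:.2f} seconds"


def time_to_crack(password, rate=GUESSES_PER_SECOND):
    """Worst-case time for an exhaustive search at the given guess rate."""
    return humanize(search_space(password) / rate)


# Constructed guess list: weak passwords the post itself names, standing in
# for the common-password lists that are tried before any exhaustive search.
COMMON_FIRST = ["123456", "password", "12345", "alpha"]


def guesses_needed(password, wordlist=COMMON_FIRST):
    """Guesses used when the wordlist is tried before exhaustive search."""
    if password in wordlist:
        return wordlist.index(password) + 1
    return len(wordlist) + search_space(password)


if __name__ == "__main__":
    for pw in ["12345", "alpha", "alp12", "Alp12", "Alph12", "Alph12*!"]:
        print(f"{pw:10} {search_space(pw):>22,}  {time_to_crack(pw)}")
    print("12345 via wordlist:", guesses_needed("12345"), "guesses")
```

A password that appears on the guess list falls in a handful of attempts regardless of its length or character mix, which is why uniqueness and unpredictability matter as much as the character classes used.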

    2. Privacy: Online Tracking

    There are a number of companies that track your movements on the web and sell the information to the highest bidder in real time bidding…

    “Already, the web sites you visit reshape themselves before you like a carnivorous school of fish, and this is only the beginning. Right now, a huge chunk of what you’ve ever looked at on the Internet is sitting in databases all across the world. The line separating all that it might say about you, good or bad, is as thin as the letters of your name. If and when that wall breaks down, the numbers may overwhelm the name.” –The Atlantic

    Acxiom has a reputation of collecting data better than anyone else. They collect everything including websites, loyalty programs, retail point-of-sale data, self-reported sources, public records, employment drug testing data, background checks, criminal histories, birth records, education data, vehicle identification numbers, driver’s licenses, marriage licenses, and you can bet that they know what you feed your dog too.

    Internet users should be informed that there are tools available, such as Cocoon, which give Internet users control of their private information and place a roadblock against online tracking.

    3. Malware

    Malware, otherwise known as malicious software, is created by cybercriminals for the sole purpose of bringing some type of harm to your computer or mobile device. Whether it is used for spying on you, stealing your passwords or personal data, holding your computer or device for ransom, conducting financial theft, or targeting you for membership in a botnet - the final outcome is never intended to be in your favor.

    Malware is a blanket term that can include viruses, Trojans, spyware, rootkits, adware, worms, keyloggers, web hijackers and other malicious scripts. It can be hostile, intrusive, insidious, annoying; or lie dormant for a time.

    Malware is no longer a threat that is exclusive to desktop operating systems. The RSA 2012 CYBERCRIME TRENDS REPORT white paper stated that 2011 marked the year of new advanced threats on a global basis. In 2012, cybercriminals are finding new and innovative ways to monetize non-financial data, while hacktivism is on the rise. They predict that “InfoStealers” for the mobile platform will emerge with Trojans that are designed to “keylog touch-screen input and monitor data traffic through the mobile device.”

    4. Mobile App Risks

    From unregulated practices in mobile advertising to cell tower dumps, our mobile privacy is under constant attack. We’ve come a long way since Martin Cooper’s Dyna-Tac 2.5 lb brick (1973); but in 2012 mobile users are still shaking at the short end of the mobile privacy stick.

    Cyber-crooks develop rogue apps to steal private data such as passwords, credit card information and piece together personal information in order to commit identity theft.

    A recent study on Mobile Privacy Policies from the Future of Privacy Forum, stated that out of the free apps surveyed, 66 percent had privacy policies, while only 33 percent of the paid apps had privacy policies.

    Many mobile apps need advertising in order to continue offering “free” apps. Some ads are invasive and take too much data from a user’s phone or they may install software in the background without user knowledge. Many mobile apps also routinely send data to marketing companies and use the collected data to compile dossiers on mobile phone users.

    *Only download apps from well-known and trusted sources.

    *Avoid downloading apps that have only been downloaded a few times, have few or no ratings, and no privacy policy.

    *If a free app that you like has an upgrade and a no-advertising version is available – purchase it!

    Mobile malvertising is another vector for attack. The ads look genuine, but when the user clicks on a malvertised ad they end up at a malicious site that downloads malware to their device.

    “Aggressive ad networks are much more prevalent than malicious applications. It is the most prevalent mobile privacy issue that exists,” Kevin Mahaffey, Lookout’s technology chief and co-founder, told Reuters in an interview.

    5. Unsecured Wi-Fi

    Airports, restaurants, coffee shops, businesses, dentists, libraries and even public parks offer public access to Wi-Fi for free. Surfing unsecured hotspots can open your data pipeline to some very unsavory characters.  Whether you use it for convenience or because there is no other Internet connection available — the bad guys still have all kinds of tools to gather and steal information from you.

    Conclusion

    Browsing the Internet with Cocoon will route all of your traffic through our encrypted servers, so prying eyes cannot see it. This is especially valuable on a public WiFi network where man-in-the-middle attacks commonly occur.

    The use of Cocoon while surfing Facebook, banking, or shopping on a public network will keep lurking predators from hijacking your private session.

    Cocoon’s encrypted tunnel will ensure that viruses and malware never reach your computer. This greatly decreases your chances of becoming part of a botnet, having your personal data stolen, or worse. Don’t give cyber criminals the advantage; stay safe and be vigilant.


  3. This summer’s top 3 mobile privacy concerns

    From unregulated practices in mobile advertising to cell tower dumps, our mobile privacy is under constant attack. We’ve come a long way since Martin Cooper’s Dyna-Tac 2.5 lb brick (1973); but in 2012 consumers are still shaking at the short end of the mobile privacy stick.

    What are this summer’s top 3 Cocoon mobile privacy concerns?

    1-Privacy risk from mobile apps

    Cyber-crooks develop rogue apps to steal private data such as passwords, credit card information and piece together personal information in order to commit identity theft. Apps can also include malware such as the recent Trojan!MMarketPay.A@Android that was found on China Mobile Market. Trojan!MMarketPay.A was able to automatically place orders on behalf of users and jack up their phone bills as part of the payload. The virus spread to 9 China markets (nDuoa, GFan, AppChina, LIQU, ANFONE, Soft.3g.cn, TalkPhone, 159.com and AZ4SD); infecting more than 100,000 devices.

    A recent study on Mobile Privacy Policies from the Future of Privacy Forum, stated that out of the free apps surveyed, 66 percent had privacy policies, while only 33 percent of the paid apps had privacy policies.

    2-Privacy risk from mobile ads

    Many mobile apps need advertising in order to continue offering “free” apps. Some ads are invasive and take too much data from a user’s phone or they may install software in the background without user knowledge. Many mobile apps also routinely send data to marketing companies and use the collected data to compile dossiers on mobile phone users.

    “Aggressive ad networks are much more prevalent than malicious applications. It is the most prevalent mobile privacy issue that exists,” Kevin Mahaffey, Lookout’s technology chief and co-founder, told Reuters in an interview.

    Mobile malvertising is another vector for attack. The ads look genuine, but when the user clicks on a malvertised ad they end up at a malicious site that downloads malware to their device.

    3-Law Enforcement Surveillance

    For years, cell phone carriers have refused to tell us how they package our data and have held insidious alliances with government and law enforcement agencies.

    The number of Americans affected each year by the growing use of mobile phone data by law enforcement could reach into the tens of millions, as a single request could ensnare dozens or even hundreds of people. Law enforcement has been asking for so-called “cell tower dumps” in which carriers disclose all phone numbers that connected to a given tower during a certain period of time.  –Wired

     How can you make your stick longer?

    -Only download apps from well-known and trusted sources.

    -Avoid downloading apps that have only been downloaded a few times, have few or no ratings, and no privacy policy.

    -If a free app that you like has an upgrade and a no-advertising version is available – purchase it!

    -Join EFF and Internet users worldwide by signing the Declaration of Internet Freedom.

    For mobile security and privacy you can check out our Cocoon app for iOS and visit us on Twitter and Facebook too!

