AVG Report Highlights Clever Criminals, Facebook Follies, & Mobile Mistakes

Despite firewalls, virus scanners, and 15-character passwords, we still face a risk that someone will try to phish or scam information that unlocks financial doors. It’s even happening in online communities where we feel safe. And now it’s not just our computers. Mobile devices have become the new gateway for savvy criminals who want your money. AVG addressed these realities and other online security concerns in its third quarter Community Powered Report.

The Price for Digital Currency

Online gaming communities with their own digital currency like Zynga zCoins or Facebook Credits are firmly in the crosshairs of enterprising thieves. These digital economies are worth real money (Bitcoin’s estimated market capital hit $63,336,546 in August 2011), and, according to AVG, they’re just too tempting for the pickpockets to ignore.

So where’s the vulnerability? These systems can still be gamed just like their more traditional counterparts, and the theft can be incredibly difficult to trace. In the case of Bitcoin, for example, there are no intermediaries. Designed to allow money transactions without banks or other commercial entities, Bitcoin provides users with a digital “wallet” that lets them buy and sell online.

Bitcoin is a decentralized system: a wallet can reside on a personal computer or on a third-party server, and transactions happen via a peer-to-peer network. So what happens if a thief dips his hand in your Bitcoin wallet? As AVG describes it, think of cash in your physical wallet. If someone steals that cash, what are the odds that you’ll get it back? Bitcoin faces a similar problem. After the transaction receives approval, reversal isn’t an option.

Even if you’re not actively using Bitcoin, malware still exists that can run in the background and use your computer to do the dirty work. Like other malware, it frequently gets in via other application installations. Actual Bitcoin users will feel the pinch if a Trojan gets installed that allows a remote user to control a Bitcoin client. Since accounts are anonymous, the thieves can complete the transactions, and all you’ll see is an address of an approved transaction that you can’t reverse.

First and foremost, if you use a digital wallet, keep it secure. If you’re using digital currency, use it with caution and be aware that there are people looking to pick your wallet without you ever leaving the house. And, since it’s coming from AVG, keep your security applications up to date.

Facebook on the Front Lines

It’s not a surprise given Facebook’s popularity and size that it’s a target for the unsavory. AVG identified two particular methods this quarter that have gained traction: Clipjacking and Survey Scam. In Clipjacking, the goal is to make you hit the play button on the funniest (why do the criminals always use humor to entice?) video clip. Clicking that button can trigger the system to show that you “like” the clip plus share it with your Facebook friends. So how do people get tricked?

The attack involved placing a transparent image file (GIF) over a video clip. This GIF file and the hidden code can go unnoticed by the majority of Facebook users. The user is tricked into believing that they are pressing the “play” button, but they are actually clicking on the transparent GIF, which executes the code.

But that’s not enough for the scammers. You’ll also be prompted “to agree to an automatic $10 monthly mobile phone charges.” Avoiding the charges alone doesn’t prevent problems. The videos are rarely about kittens and puppies, so you end up sharing something that may ultimately prove embarrassing, depending on whom you have in your network (think your boss, your mom…you get the idea). Here are a few of the Clipjacking videos AVG has noticed so far this year:

  •  “Who is looking at your profile”
  •  “You won’t believe what this teacher did to his student”
  •  “Lily Allen shows her breasts on British television”

For the people who didn’t avoid the phone scam, now the criminals have their phone number and authorization to charge $10. Assuming even a 1 percent success rate (6,000 Facebook users) per day, AVG estimates that the take could easily reach over $20 million a year and all because you couldn’t resist watching that video about Lily Allen. Think twice before you click and make sure to check your phone bill for suspicious charges.

Sucked Into the Blackhole

An attack toolkit, Blackhole remains the most prevalent toolkit based on reported detections by AVG’s community (34 million in Q1 2011). Like the majority of malware, it looks for holes in legitimate software, security bugs that leave some of the popular software vulnerable. Based on the rate and pattern of detections, AVG notes “that there are more traps on the web, but fewer victims falling into them.”

Showing an entrepreneurial bent, the most talented of these programming criminals found that they could sell their code to the less skilled. Once that step met with success, they moved on to leasing their code, offering annual licenses for $1500 per year and other à la carte options to appeal to would-be scammers.

Blackhole has gained traction fast since its appearance in 2010 because it’s difficult to detect, includes a statistical console, and offers users an online virus scanning service. So what does the end user see? When a website falls to the attack, visitors get pointed to another page that contains the Blackhole code, often a 404 ‘page not found.’ After the code is installed, the page closes and the compromised computer starts communicating with a server that downloads more files, including key loggers, Trojans, bots, and fake antivirus applications.

The solution is simple: update your machine! Because of Blackhole’s prevalence, AVG notes that “most of the vulnerabilities used have been patched for a year or more.” AVG also recommends disabling the JavaScript in Adobe Reader. Since it’s commonly exploited, but rarely needed by users, there are few reasons to keep it active. And, as always, pay attention and don’t click on anything that can’t be easily verified.

Going Mobile Comes with Risks

Remember that last app you downloaded to your Android? Did you get it from the official Google store (although it has problems, too) or did it come from somewhere else? As Android took over market share to become the most popular mobile OS, it also became a target for cyber crime, according to AVG.

In this instance, the malicious code comes in a tempting package: it’s made to look like a legitimate application. Such apps are used to send personal data from your phone to remote servers. AVG analyzed one package that originated in China that actually recorded conversations, SMSs, and GPS data to your phone’s memory card, then sent those digital files to a server.

Keeping your device secure is simple, but not necessarily easy. You can’t assume that an app in the official Android Marketplace is secure. You’ve got to check out the developer, read the reviews, and look carefully at the permissions that the app requests. Also be on the lookout for your phone behaving oddly, and watch for unexplained charges on your phone bill, since some malware can sign you up for expensive services without your knowledge.
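For readers who want to see what “look carefully at the permissions” means in practice, here is an added example (not from AVG’s report or the original article) that reads an app’s `AndroidManifest.xml` and flags the combination described above: recording audio, SMS, and GPS data, staging it on the memory card, and sending it to a server. It assumes the manifest has already been decoded to text XML; the two manifests, the package names, and the “two or more collection permissions” threshold are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions matching the data types the analyzed package collected.
COLLECTION = {
    "android.permission.RECORD_AUDIO": "records audio",
    "android.permission.READ_SMS": "reads stored SMS",
    "android.permission.ACCESS_FINE_LOCATION": "reads GPS location",
}
STAGING = "android.permission.WRITE_EXTERNAL_STORAGE"  # memory card
EXFIL = "android.permission.INTERNET"                  # talk to a server
BILLING = "android.permission.SEND_SMS"                # paid SMS services

def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}

def review(manifest_xml):
    """Return human-readable findings; an empty list means nothing flagged."""
    perms = requested_permissions(manifest_xml)
    findings = []
    collected = sorted(p for p in perms if p in COLLECTION)
    # Heuristic (assumption): two or more collection permissions plus network.
    if len(collected) >= 2 and EXFIL in perms:
        what = ", ".join(COLLECTION[p] for p in collected)
        staged = " and can stage it on the memory card" if STAGING in perms else ""
        findings.append(f"collects ({what}){staged} with network access")
    if BILLING in perms:
        findings.append("can send SMS, which can incur charges")
    return findings

def _manifest(package, perms):
    """Build a constructed sample manifest for the demo below."""
    tags = "".join(f'<uses-permission android:name="android.permission.{p}"/>'
                   for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{tags}</manifest>')

# Constructed samples: a "flashlight" that asks for far too much, and a map app.
SUSPICIOUS_MANIFEST = _manifest("com.example.flashlight", [
    "RECORD_AUDIO", "READ_SMS", "ACCESS_FINE_LOCATION",
    "WRITE_EXTERNAL_STORAGE", "INTERNET", "SEND_SMS"])
BENIGN_MANIFEST = _manifest("com.example.maps",
                            ["ACCESS_FINE_LOCATION", "INTERNET"])

if __name__ == "__main__":
    for finding in review(SUSPICIOUS_MANIFEST):
        print("FLAG:", finding)
```

A flag is a prompt to ask why the app needs those permissions, not proof that it is malicious.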

The Bad Guys Want Your Money

The price we pay for the benefits of living online includes being aware of the risks and protecting our weak points. Reports from AVG and other security companies make it clear that if we don’t, someone will be waiting to take advantage. It may feel like a hassle at times to run the updates and to do the research, but what does it cost you in lost time and money if something gets through?

What tools and resources are you using to protect yourself online?

About Britt Raybould

Britt Raybould has a passion for telling stories and she specializes in helping companies figure out how to tell their own stories. Through her firm, Write Bold, she shows companies how storytelling can define them, both to their customers and within their industry. When she remembers to, Britt blogs on her personal sites at bold-words.com and brittraybould.com. You can find Britt on Twitter @britter.
