New cyberattacks are constantly brewing, and one of the most troubling things is that in some cases, new techniques don’t even require an evil, tech-savvy hacker mentality to mastermind. Modern malware comes with easy-to-use control-panel interfaces and operator manuals — call it “Cybercrime for Dummies” — and the results can be quite chilling for the security good guys, who are constantly looking far ahead for new threats. Here are four big security headaches that are just becoming well-known, all of which worry experts who are still trying to find ways to defeat them.
Standard phishing scams are hit-or-miss — criminals could end up with the password to an empty bank account, or be defeated by two-factor authentication mechanisms. Banking Trojans, which automate the break-in process, are on the rise in popularity because they target a sector where revenue is all but guaranteed. They surreptitiously install themselves in Web browsers and wait until users log onto banking sites, at which point they steal passwords, redirect users to phony sites and more. “Top-tier banker Trojans such as Carberp, Zeus or SpyEye come with additional features that allow them to siphon data straight from the Web browser’s form,” said Alexandru Catalin Cosoi, chief security researcher at Bucharest, Romania’s Bitdefender. “More than that, due to the man-in-the-browser capabilities, they can malform both the bank’s and the browser’s response to conceal unauthorized transactions and the true destinations of the transfers.” The next step in banking Trojan evolution is so-called Brazilian bankers, Cosoi said, which imitate desktop banking applications. “Banker Trojans represent a large chunk of Brazil’s malware output, as it ranks third in malware production right after China and the Russian Federation,” Cosoi said.
BIOS malware targets the physical computer’s embedded startup software, or Basic Input-Output System, rather than the operating system that the BIOS loads. Research conducted by Bitdefender reveals that commercial BIOS software is highly vulnerable to malware. BIOS infections are among the most basic, and the stealthiest, forms of rootkits — malware that burrows deep into a computer’s software to make itself hard to find and even harder to delete. Other rootkits modify the operating-system kernel or install themselves on hidden hard-drive partitions to evade anti-virus software. “It causes many folks to have to abandon an infected hard drive if the data is really mission critical: how can you be sure you’re clean?” said Steve Santorelli, a former Scotland Yard investigator and Microsoft researcher who’s now director of global outreach at Florida-based nonprofit security firm Team Cymru. “The underground economy miscreants are working in this area, but it’s not really primarily for mainstream acquisitive crime,” Santorelli added. “They are doing very well with application-layer attacks using browsers and don’t need to develop major new rootkit tools to drive the bulk of their money-stealing activities.” “You’re perhaps more at risk of rootkit technology if you have enterprise data that people want to steal for less direct financial reward,” he said. The BIOS is a fertile place for a rootkit. Not only is it seldom scanned by anti-virus solutions, but BIOS-based malware can be up and running long before the operating system can enable security modules. Pair that with the fact that the BIOS runs independently of the operating system and hence could affect Mac, Windows and Linux alike, and you have the makings of a troublesome attack. Lastly, BIOS chips are equipped with at least 256 KB of free space that can be used for future updates, including malicious code.
“This is why some enterprise system manufacturers have already started to digitally sign their BIOS updates and prevent any ‘flashing’ unless the digital certificate is valid,” Cosoi said.
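The signed-update gate Cosoi describes, as an added illustration that is not code from the article or from any BIOS vendor: the flash routine trusts only a vendor public key baked into the boot ROM (modelled here with an Ed25519 key, an assumption standing in for the vendor certificate) and refuses to write any image whose signature does not verify, so a tampered image or one signed by another key never reaches the chip.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Flasher models the update routine in firmware. vendorPub stands in for the
// vendor's public key or certificate burned into the boot ROM (assumed, not
// from the article); it is the only thing the flash routine trusts.
type Flasher struct {
	vendorPub ed25519.PublicKey
	flashed   []byte // contents of the chip after the last accepted update
}

var ErrBadSignature = errors.New("flash refused: update signature does not verify")

// Flash writes an image only if the detached signature over its SHA-256 digest
// was produced by the vendor key; otherwise the chip is left untouched.
func (f *Flasher) Flash(image, sig []byte) error {
	digest := sha256.Sum256(image)
	if !ed25519.Verify(f.vendorPub, digest[:], sig) {
		return ErrBadSignature
	}
	f.flashed = append([]byte(nil), image...)
	return nil
}

// SignUpdate is the vendor's release step; the private key never leaves the vendor.
func SignUpdate(priv ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	return ed25519.Sign(priv, digest[:])
}

// Demo exercises the three cases the gate must get right: a genuine update is
// written, a modified image with the genuine signature is refused, and an image
// signed with some other key is refused.
func Demo() (genuineOK, tamperedRejected, wrongKeyRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	chip := &Flasher{vendorPub: pub}
	image := []byte("BIOS v2.1 (constructed sample image)")
	sig := SignUpdate(priv, image)
	genuineOK = chip.Flash(image, sig) == nil && bytes.Equal(chip.flashed, image)
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0xff // a single changed byte is enough to break the signature
	tamperedRejected = errors.Is(chip.Flash(tampered, sig), ErrBadSignature)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	wrongKeyRejected = errors.Is(chip.Flash(image, SignUpdate(otherPriv, image)), ErrBadSignature)
	return
}

func main() { fmt.Println(Demo()) }
```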
Browser exploit packs are like bedbugs gone cybercriminal — relentless and pervasive. They’re cocktails of malware that hide in infected Web pages, testing each visiting computer for vulnerabilities until they find a hole. An unsuspecting website visitor can pick up something nasty just by clicking on the wrong page. The first step in a browser exploit is redirection, which could secretly send users to other Web pages or even to the Web server that hosts the exploit pack. “Exploit packs are criminally appealing because victim exploitation is quick and seamless if a vulnerability exists,” stated a 2011 report on browser exploit packs by Team Cymru. “The victim may not notice anything different in their computer’s behavior post drive-by.”
The watchful eyes of some security experts are focused on another kind of attack — hacks into military-drone and passenger-aircraft navigation and control systems. The new breed of “e-enabled” airliners, such as the latest Boeing and Airbus jets, increases the efficiency of air-traffic control systems and flight operations and also offers more passenger-service amenities. But wiring aircraft with Ethernet and Wi-Fi also adds to potential vulnerabilities and security risks, said Ondrej Krehel, information security officer at Scottsdale, Ariz.-based Identity Theft 911. It might be tough to make or steal money from hacking into an aircraft, but motives can be other than financial — and can be even more devastating. “The threat is serious, and since we are at the beginning of this era, we can hope that [aircraft designers] learned from past hacking attacks and vulnerabilities, and will design [them] with proper security in mind,” said Krehel. Such forethought in design is paramount in avoiding security lapses, added Santorelli. “Having aircraft systems totally isolated from anything accessible online or by passengers is at least one step in the right direction,” said Santorelli. “And it’s worth noting that hacking a hydraulic wing aileron is much harder if it doesn’t have an IP address.”
Despite a skyrocketing increase in the number of attacks upon Google’s Android mobile platform, most mobile malware is still pretty unambitious, consisting of premium-rate text-message scams or attempts to steal personal information. However, the first mobile botnets — where hacked phones work together under the command of a cybercriminal — have already been spotted, as have Android Trojans that constantly change their shape to avoid detection. Some experts fear we could soon see mobile drive-by downloads. Smartphones and tablets in some ways make the perfect malware or espionage vectors. They’re always on, always online and often brought into workplaces, where they hop onto office networks before taking adequate security precautions. They’re so sophisticated that some researchers have created apps that hack regular computer networks. “Mobile devices attract even more hackers” because consumers don’t pay as much mind to them, said Krehel. “There is less awareness about security concerns.”