Cybercriminals are becoming more adept at exploiting the latest trends or issues of high public interest to spread malware and steal personal data from unsuspecting users.
Whether it’s an app related to your favorite TV show, government health updates about COVID or tracking lost package deliveries, the result is often the same: infected devices leading to fraud or outright theft.
Basic cybersecurity hygiene is key to protecting your devices from the most common types of malware, but we also need security built into the technology to prevent these sophisticated cyber attacks.
The Secret Service is certainly notorious for protecting the president. But its other primary mission is to protect the country’s financial infrastructure and payment systems to maintain the integrity of the economy from a wide range of financial and electronic crimes, including counterfeit US currency, bank and financial institution fraud, illegal financing operations, identity theft, and access fraud on Device and cybercrime.
With the proliferation of mobile devices in today’s world, this means that, as the Department of Homeland Security (DHS) recommends, “users should avoid – and companies should ban on their devices – sideloading apps and using unauthorized app stores.”
Paul Abate, deputy director of the FBI, said the pandemic has been a boon to cybercriminals, as he “took the opportunity to take advantage of our reliance on technology to go on a cybercrime spree.”
The FBI’s Internet Crime Complaint Center registered 791,790 complaints in 2020, nearly double the previous year’s total and the largest annual increase ever recorded. One particularly malicious example was text messages that encouraged users to download an app to schedule vaccinations, but then sent malware to every device in that user’s contacts that could steal personal data or banking information.
Earlier this year, the UK’s National Cyber Security Center (NCSC) alerted the public to a new form of malware that prompted a user to click on a link to track the delivery of a supposedly missed package, which is common during the pandemic. The link downloaded a malware app, called FluBot, which could then hack a user’s bank and other financial account details. Cybersecurity researchers discovered ‘the magnitude of malicious’ [FluBot] SMS messages can reach tens of thousands per hour.” Hackers are even capitalizing on the popularity of the popular TV show “Squid Game” with a new wave of cybercrime targeting mobile devices using malware hidden in display-related apps.
Mobile devices are now the primary access point for the Internet, with 61% of all website traffic in the US in 2020 coming on mobile devices, reinforcing a trend that only became the majority in 2019. This is reflected in the increased targeting of mobile devices with attacks. Online, with complaints of phishing attacks and SMS — emails or SMS messages containing malicious links — to the FBI more than doubled in 2020, rising from 114,702 in 2019 to 241,342 last year.
As we enter the holiday shopping season, with one survey indicating that more than 55% of shoppers will make at least one purchase using a mobile device, it’s imperative that device owners take precautions to protect themselves from attacks.
The NCSC recommends users to follow basic security measures, such as frequently backing up their devices, using virus detection software and installing “only new apps on your device from the manufacturer’s recommended app store.” This guidance mirrors that of the Department of Homeland Security, which also included recommendations that operating systems, applications, and other software should be updated regularly and that users and organizations adopt multi-factor authentication.
Simple eHealth recommendations form a multi-layered defense against attacks, which greatly reduces the risk of unauthorized access to mobile devices. However, despite the importance and effectiveness of these user actions, cybercriminals use sophisticated techniques that exploit human psychology and behaviors to deceive users and hack devices.
These types of attacks, called social engineering attacks, use human interactions and social skills to trick users into allowing attackers to gain access to their devices or systems, sometimes causing users to disable optional security protections. Attacks such as FluBot, fake vaccination websites, and malicious “Squid Game” apps are examples of social engineering.
According to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, mobile device owners may be more vulnerable to social engineering attacks through text messages because the mobile device’s integration of email, voice, text messaging, and web browser functionality increases the likelihood of users falling victim to designed malicious activity attacks.”
The White House Cyber Security Summit earlier this year outlined ways beyond cyber-hygiene to guard against unauthorized access: “We need to move to where technology is built securely by default. We need to Knowing we’re buying safe technology.”
Safe by design mobile devices will build electronic hygiene protections into the device, removing human psychology from the security equation. Just as seat belts and airbags began as options for car buyers, they are now mandatory safety equipment in all cars.
Basic cyber-cleanliness protection such as multi-factor authentication or blocking of downloading apps from third-party official app stores can be built into the systems by design. Mobile devices with these kinds of protections built in from the start would almost never be vulnerable to social engineering attacks even if the device owner, like most people, was concerned about a successful TV show or worried about the pandemic.
The public should follow the basic e-health recommendations of our cybersecurity agencies. But we also need to cut the cycle of complex social engineering attacks and build high-security safeguards into the design of our technology.