Booming mobile industry spawning global criminal marketplace
In an alarming 'post-PC' era alert, working group says criminal infrastructure created much faster than it was for PC fraud
By John P. Mello, Jr.
May 16, 2013 — CSO — Mobile devices have become enticing targets for criminals around the world, so much so that an underground industry has begun to grow to support malicious activity aimed at those devices, according to a report released on Wednesday by the Anti-Phishing Working Group (APWG).
"In a 'post-PC era,' mobile devices increasingly present an attractive, practical and economical alternative to traditional desktops," said the report, "Mobile Threats and the Underground Marketplace."
"In the coming years," it continued, "global mobile payments are predicted to exceed $1.3 trillion, moreover, presenting a mother lode of opportunity for cyber crime gangs who appreciate the vulnerabilities of these peripatetic communications and computing platforms."
The purpose of the report is to provide a comprehensive look at the criminal infrastructure growing around mobile fraud, noted APWG Chairman Dave Jevans, who is also chairman and CTO of Marble Security.
"When you look at how that underground economy works, you can see a big infrastructure being built for mobile electronic crime," he said in an interview.
That infrastructure is being created much faster than it was for PC fraud. "It's growing at least five times faster," Jevans said. "What took 10 years for PCs is going to take 18 months to two years for mobile."
Some of the mobile crime infrastructure is being built on the existing components of the PC crime network. For example, "bulletproof" hosts used to host phishing sites and malware distribution are now used for hosting Android malware, mobile toolkits and SMS phishing.
"A large part of the infrastructure providers for electronic crime over the last 10 years are merely adding mobile into their mix so everything is moving much more quickly," Jevans said.
This has been a natural progression of the underground arms bazaar, said Tom Kellermann, vice president of cyber security for Trend Micro. He said the trend in mobile crimeware began six or seven years ago when the Asian and European banking communities decided to push mobile banking initiatives.
"You began to see traditional crime kits like Zeus, SpyEye and Citadel add mobile variants," he said in an interview.
Mobile devices can be more vulnerable to man-in-the-browser attacks because not only do they have web browsers, but their apps act as mini web browsers by interacting directly with the Web.
"The browsers in the mobile devices become the Achilles heel because they're providing the session for the authentication to occur, which is why there are so many successful man-in-the-browser attacks that are focused on mobile platforms," Kellermann said.
Another aspect of many mobile devices that makes them easy to exploit by cybercriminals is their small screens. "That means you don't see the hints and the clues you'd get with a desktop or laptop that something is wrong with what you're looking at," said Tim Chiu, director of product marketing for security for Blue Coat Systems.
For example, in a phishing attack on a desktop, there are clues that tell you it's an attack -- you can see the full URL of where you're at or hover over a link to see where it goes. "On a mobile device, you can't hover so you never know the actual URL you're going to when you tap it," Chiu said.
"And when you go to a URL," he continued, "many mobile devices have a feature called auto hide in order to give you the most real estate on your little screen as possible. That hides the URL so you don't know where you are."
Despite the attention mobile devices are grabbing from cybercriminals, it may take a watershed event to bring the point home to the public. "We'll have a big problem when the first widespread Apple malware occurs that is financially targeted," said Ken Baylor, a research vice president for NSS Labs.
"While Apple has the ability to yank bad applications once they're installed as we saw in the recent $45 million ATM fraud scam, the things you can do in eight to 12 hours are pretty amazing," he told CSO.