Home > Security

Computerworld - Criminal hackers never sleep, it seems. Just when you think you've battened down the hatches and fully protected yourself or your business from electronic security risks, along comes a new exploit to keep you up at night. It might be an SMS text message with a malevolent payload or a stalker who dogs your every step online. Or maybe it's an emerging technology like in-car Wi-Fi that suddenly creates a whole new attack vector.

Whether you're an IT manager protecting employees and corporate systems or you're simply trying to keep your own personal data safe, these threats -- some rapidly growing, others still emerging -- pose a potential risk. Fortunately, there are some security procedures and tools available to help you win the fight against the bad guys.

1. Text-message malware

While smartphone viruses are still fairly rare, text-messaging attacks are becoming more common, according to Rodney Joffe, senior vice president and senior technologist at mobile messaging company Neustar and director of the Conficker Working Group coalition of security researchers. PCs are now fairly well protected, he says, so some black-hat hackers have moved on to mobile devices. Their incentive is mostly financial; text messaging provides a way for them to break in and make money.

Khoi Nguyen, group product manager for mobile security at Symantec, confirmed that text-message attacks aimed at smartphone operating systems are becoming more common as people rely more on mobile devices. It's not just consumers who are at risk from these attacks, he adds. Any employee who falls for a text-message ruse using a company smartphone can jeopardize the business's network and data, and perhaps cause a compliance violation.

"This is a similar type of attack as [is used on] a computer -- an SMS or MMS message that includes an attachment, disguised as a funny or sexy picture, which asks the user to open it," Nguyen explains. "Once they download the picture, it will install malware on the device. Once loaded, it would acquire access privileges, and it spreads through contacts on the phone, [who] would then get a message from that user."

In this way, says Joffe, hackers create botnets for sending text-message spam with links to a product the hacker is selling, usually charging you per message. In some cases, he adds, the malware even starts buying ring tones that are charged on your wireless bill, lining the pocketbook of the hacker selling the ring tones.

Another ruse, says Nguyen, is a text-message link to download an app that supposedly allows free Internet access but is actually a Trojan that sends hundreds of thousands of SMS messages (usually at "premium SMS" rates of $2 each) from the phone.

Wireless carriers say they do try to stave off the attacks. For instance, Verizon spokeswoman Brenda Raney says the company scans for known malware attacks and isolates them on the cellular network, and even engages with federal crime units to block attacks.

Still, as Joffe notes jokingly, there is "no defense against being stupid" or against employee errors. For example, he recounts that he and other security professionals training corporate employees one-on-one about cell phone dangers would send them messages with a fake worm. And right after the training session, he says, many employees would still click the link.

To keep such malware off users' phones, Joffe recommends that businesses institute strict corporate policies limiting whom employees can text using company networks and phones, and what kind of work can be done via text. Another option is a policy that disallows text messaging entirely, at least until the industry figures out how to deal with the threats.

For consumers, common sense is the best defense. Avoid clicking on text-message links or attachments from anyone you don't know, and use extreme caution even with messages from known contacts, who might unwittingly be part of a botnet.