This week’s security news takes a look at the danger of malicious apps, outdated software, mobiles and unprotected POS.
Online daters beware. Bitdefender Labs has reported that over nine million registered users of Tinder could be at risk from a series of bots which have invaded the dating app and are now spreading dangerous downloads.
The malicious schemes attempt to lure users with tempting profiles and pictures, some using pictures stolen from an Arizona-based photography studio.
“After users swipe the right button on Tinder to indicate that they like a profile, the bots engage users in automated conversations until they convince them to click on a dubious link,” explained Catalin Cosoi, chief security strategist at Bitdefender.
“The name of the URL gives the impression of an official page of the dating app and for extra legitimacy scammers also registered it on a reputable .com domain.”
Bitdefender have warned users to be aware of the risk, and advised that a typical bot message reads: “Hey, how are you doing? I’m still recovering from last night J Relaxing with a game on my phone, castle clash. Have you heard about it? http://tinderverified.com/castleclash[removed]. Play with me and you may get my phone number.”
The scam also evolves depending on the location of the targeted user: British users are lured to fraudulent surveys and dubious competitions for ASDA and Tesco vouchers, while Tinder users in the US are brought to the ‘Castle Clash’ game download.
Kaspersky Lab has reported that a third of all phishing attacks are aimed directly at stealing money.
The firm’s research revealed that in 2013, 31.45 per cent of phishing attacks exploited the names of leading banks, online stores and online payment systems.
The most attractive targets were banks, which were used in 70.6 per cent of all financial phishing attacks, with Amazon.com the most popular cover for phishing attacks impersonating online stores – its name was used in 61 per cent of online trade-related phishing attacks.
In addition, Kaspersky found that phishers are increasingly using social networking sites – the number of attacks using fake Facebook pages and other social networking sites grew by 6.8 percentage points and accounted for 35.4 per cent of total attacks.
To further educate technology users on the danger of cyber attacks, Kaspersky has also launched an interactive cyberthreat map that visualises cyber security incidents occurring worldwide in real time.
Users can rotate the globe and zoom in to any part of the world to get a closer look at the local threat landscape. Different types of threats detected in real time are marked with different colours.
Elsewhere, a F-Secure survey has suggested that many businesses are risking company assets by using outdated software.
The security firm reported that ninety-four per cent of small and medium size businesses (SMBs) it spoke to think it is important to keep software updated, but only 59 per cent of businesses stated that their software is always up to date – with 63 per cent blaming a lack of available resources for the outdated software.
F-Secure added its belief that up to 80 percent of its ‘top ten’ malware could be prevented with up-to-date software.
Pekka Usva, vice president of corporate security at F-Secure said: “A common misconception is that [security risks are caused by an out-of-date] OS – [they’re] not.
“Operating systems are fairly well maintained and updated.
“The real problems are third party applications for both business and personal use – Skype, Adobe Reader, browsers with various plugins and Java, to name a few. Do you know what’s been installed on your device?”
Other risks are present for smartphone users: security specialist Avira announced today that it has added three features to its new premium Avira Antivirus Security Pro app to protect the 95 per cent of adults who currently use a mobile in the UK.
The upgrades include a ‘Browse Safely’ function which blocks infectious websites using real time URL monitoring technology, hourly updates and ‘Quick Support Access’, which provides fast contacting of Avira technicians.
“It is common knowledge that many malware attacks now come through the browser, not just from malicious apps, and that is just unacceptable to those Android users who simply want to stay safe while surfing, playing or working on their mobile Android device,” explained Leon Crutchley, mobile products manager for Avira.
“We have worked very hard to provide our users that want protection everywhere, a premium app that keeps them safe when browsing online and also when they are using any app on their device.”
Mobile Point of Sale (MPOS) devices are also at risk, and can be easily hacked, leaving banks, retailers and millions of customers exposed to serious fraud around the world, claims security firm MWR InfoSecurity.
MWR Labs researchers have demonstrated that it is possible to compromise MPOS terminals with multiple attacking techniques using micro USBs, Bluetooth and a malicious programmable smart card.
Jon, head of research at MWR InfoSecurity, said: “What we have found reveals that criminals can compromise the MPOS payment terminal and get full control over it.
“This would allow an attacker to gather PIN and credit card data, and event change the software on the device so that it accepts illegitimate payments.
“This shows that card holders paying at MPOS terminals worldwide are potentially at risk. Banks and retailers should also be wary when implementing this technology as it could leave them open to serious fraud.”
The researchers showed how an attacker could gain control over the MPOS terminal. This allowed them to display ‘try again’ messages, switch the device into insecure mode, capture a PIN code when entered and enable it to accept stolen credit cards. They were even able to use the device to play a simplified version of the popular game Flappy Bird.
Nils, a security researcher at MWR, added: “MPOS is a promising technology with a growing market uptake, well suited for use in modern payment systems, but current implementations are not well designed from a security perspective.
“It is critical to get security right early as there is a huge potential for fraud around the world.
"Lessons that have been learned from desktop computers and servers are yet to be applied to embedded systems."
Image via Twitter user @PRHender