New Wave of Hacker Attacks Coming

All my buddy Mario wanted was a can of beans to have for lunch one day last month. What he got, though, was a big pain in the bank account, when it turned out that his ATM card may have been one of the thousands of credit and debit cards potentially comprised by a devilishly clever band of hackers in Northern California. Mario, who lives in San Carlos, a suburb a bit south of San Francisco, had swiped his card at the self-serve check out counter in his local Lucky’s market.

It appears that the information on his card, along with that of thousands of other shoppers, may have been collected by a device called a skimmer that was surreptitiously installed on card readers at the store. The skimmer reads information on the card and broadcasts it back to the hackers. As soon as they discovered the hack, Lucky’s management advised customers who used the checkout kiosks recently to close bank accounts linked to cards they swiped.

The lesson of the Lucky’s attack is clear to anyone who follows computer security. Hackers are moving away from the traditional attacks on PCs accessing the Internet, to a wider variety of devices and applications. Researchers at McAfee this week issued the company’s annual report on cyber threats likely to hit in the coming year. And while it’s obvious that McAfee, which makes its living selling security software, has lots of skin in this game, it’s worth taking the company’s report seriously.

Highlights include:

Attacks on mobile banking apps: One of the really insidious things about today’s hackers is their ability to adapt very quickly to measure taken by the security community. According to the report, security researcher Ryan Sherstobitoff in July discussed how the transactions performed by criminals using Zeus and SpyEye could be tracked since they looked nothing like those of legitimate users. Last month, though, he showed how criminals had adapted and now can programmatically steal from victims while they are still logged on.

Hackers, predicts McAfee, will adapt what they’ve learned about attacking online banking conducted via PCs to the mobile world. “As we use our mobile devices ever more for banking, we will see attackers bypass PCs and go straight after mobile-banking apps. We expect to see attacks that leverage this type of programmatic technique in greater frequency as more and more users handle their finances on mobile devices,” the report states.

At the moment, there are few apps designed to protect smartphones, but that’s likely to change in the coming year. It’s also worth noting that so far, at least, there have been few, if any, documented attacks on mobile banking users.

Hacktivist attacks: On Christmas Eve, the hackers of Anonymous broke into databases of Stratfor, a security think tank and stole thousands of credit card numbers, passwords and email addresses, and then demanded that the company donate $1 million to charity as a form of ransom. Whether you agree with the politics of Anonymous or not, your personal information could become collateral damage in the war between authorities and the cyber radicals.

According to the report, “The ‘true’ Anonymous (that is, its historical wing) will reinvent themselves and their scene or die out. If the Anonymous circles of influence are unable to become organized — with clear calls for action and responsibility claims — all those labeling themselves Anonymous will eventually run the risk of becoming marginalized. Either way, we will see a large increase in such attacks. Distributed denial of service (DDoS) and personal data disclosures justified by a political conscience will continue to grow.”

Virtual currency: Virtual currency, sometimes called cybercurrency, has become a popular way for people to exchange money online. These online “wallets” are not encrypted and the transactions are public, making them an attractive target for cybercriminals. There have already been attacks directed at users of Bitcoin, one of the largest virtual currencies, said Dave Marcus, McAfee’s director of advanced research and threat intelligence. “Our concern isn’t confined to Bitcoin. Virtual currencies seem almost designed to attract hackers,” he told me.

McAfee Labs expects to see this threat evolve into spam, data theft, tools, support networks and other associated services dedicated to solely exploiting virtual currencies, in order to steal money from unsuspecting victims or to spread malware.

Rogue certificates: Digital certificates tell your browser and sometimes your computer’s operating system that a certain Web site or downloaded file is safe. But now hackers are finding ways to counterfeit them, and use the access they enable to spread malware.

Some of these threats are hard to avoid, while others can be easily defanged by keeping your security software up to date, and keeping an eye on your online accounts for fraudulent charges.  In our discussion, Marcus was careful to note that “We’re not predicting doomsday. We’re not trying to scare people away from technology.” So don’t panic. But as they used to say on Hill Street Blues, “Be careful out there.”