Suspicious Mobile App Finds Your Gmail, Facebook, and Twitter Accounts

Today many people use multiple web services, such as social networking and messaging services. Some users explicitly show their identity in these services, but others visit those services separately, as unidentifiable, different users. To protect their privacy, the latter group might not want their accounts and activities on multiple services to be associated with each other.

McAfee Labs has recently found a suspicious Android app on Google Play that secretly collects a device user’s Google account ID (Gmail address in most cases), Facebook account ID (email address used for login), and Twitter account name. Users are exposed to the risk that these account IDs might be stored together and later abused, though we have not yet confirmed such misuse. The total downloads of this app amount to between 1,000 and 5,000 as of this writing.

 

Figure 1: This Android app secretly collects account IDs for Google, Facebook, and Twitter.

 

This app is implemented as a “sexy” movie viewer that provides a fixed set of URLs to movies on YouTube. However, this app secretly sends the device user’s Google account ID, Facebook account ID, Twitter account name, and locale information to its remote server just after it is launched. This information is not necessary for the app’s functionality, so we suspect that this app aims to collect these account IDs for possibly malicious purposes.

 

Figure 2: Account IDs secretly sent to the app’s remote server via HTTP.

 

As we described in an earlier blog about suspicious Android apps secretly collecting Google account IDs, this type of Android app requests GET_ACCOUNTS permission at installation. Granting this permission request allows the app to retrieve the device user’s account information (excluding passwords) of various services registered in the device, using the AccountManager.getAccountsByType() API. Because no passwords are stolen, this action cannot directly allow any illegal access to the accounts. However, because in some services the account IDs are email addresses or phone numbers, there are risks that the account IDs themselves will be abused, for example, in spamming or phishing. In addition, giving account IDs for multiple services could give the attackers hints for collecting more detailed personal and preference information of owners of Google accounts by combining data obtained from their Facebook and Twitter services.
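A defender can triage apps for the permission pattern described above before installing or allowing them. The following is an added example, not McAfee's code or detection logic: it reads a manifest that has already been decoded to text XML and flags apps that request GET_ACCOUNTS together with network access. The package names, sample manifests and verdict labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")

GET_ACCOUNTS = "android.permission.GET_ACCOUNTS"
INTERNET = "android.permission.INTERNET"

# Constructed sample: a video viewer that asks for account access it does not need.
SAMPLE_VIEWER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.movieviewer">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.GET_ACCOUNTS" />
    <application android:label="Movie Viewer" />
</manifest>"""

# Constructed sample: the same kind of app without account access.
SAMPLE_CLEAN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cleanviewer">
    <uses-permission android:name="android.permission.INTERNET" />
    <application android:label="Clean Viewer" />
</manifest>"""


def requested_permissions(manifest_xml):
    """Return (package, set of permission names) from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in PERMISSION_TAGS:
        for element in root.findall(tag):
            name = element.get(NAME_ATTR)
            if name:
                perms.add(name)
    return root.get("package"), perms


def audit_manifest(manifest_xml):
    """Classify a manifest by whether it can read account IDs and send them out."""
    try:
        package, perms = requested_permissions(manifest_xml)
    except ET.ParseError:
        return {"package": None, "verdict": "unparseable", "permissions": []}

    reads_accounts = GET_ACCOUNTS in perms
    has_network = INTERNET in perms
    if reads_accounts and has_network:
        verdict = "review"   # can enumerate account IDs and transmit them
    elif reads_accounts:
        verdict = "note"     # can enumerate account IDs, no declared network access
    else:
        verdict = "ok"
    return {"package": package, "verdict": verdict, "permissions": sorted(perms)}


if __name__ == "__main__":
    for sample in (SAMPLE_VIEWER, SAMPLE_CLEAN):
        print(audit_manifest(sample))
```

A "review" verdict is a prompt to check whether the app's stated function needs account access, not proof of misuse.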

 

Figure 3: A GET_ACCOUNTS permission request and examples of various service accounts.

 

Android device users should be careful and check whether an app developer is really trustworthy whenever an app requests GET_ACCOUNTS permission at installation. We also recommend that users should not unnecessarily enable social network privacy settings such as “allow search by email address.”

McAfee Mobile Security detects this suspicious app as Android/AccLeaker.A.

The post Suspicious Mobile App Finds Your Gmail, Facebook, and Twitter Accounts appeared first on McAfee Blogs.

Spring Clean Your Online Reputation

Spring is fast approaching, which means that spring break and college graduation are not too far away. Things could get ugly if your friends take photos of you acting foolish and then post them online for everyone to see.

Whether you’re searching for your next career move or are on the verge of graduation and feverishly sending out your resume, like it or not, potential employers are going online and Googling you. (Yes, Googling is considered a verb now.) Every time they find something online that is appropriate, they print it out and attach it to your resume. While I can’t confirm whether or not people are pulling your past and laughing at your expense, let’s just say I’d put money on it.

When was the last time you cleaned up your online (especially on social media) profile so that prospective employers can’t discover “bad” things about you? McAfee conducted a study, and the results show that 13.7% of people ages 18-24 know someone who was given the pink slip, courtesy of online postings.

Job seekers and upcoming college graduates take note: Difficulty getting or keeping a job due to negative social media content is a reality. I assure you anything on your social media profile that makes you look less than desirable as an employee, even an innocuous comment such as, “I always have trouble being on time,” can kill your chances at getting that dream job.

Tips on how you (the job seeker) can make your online profile look good:

DON’T:

  • Don’t friend someone you don’t know, just so you can crank up that friend-total tally. (Wow, 8,000 friends! Really?)
  • Don’t let anyone photograph or video you holding alcohol, smoking, being promiscuous or aggressive, shirtless, using vulgar gestures, or even doing something perfectly legal but stupid looking like the selfie fishy face.
  • Don’t use offensive language online, even if your privacy settings are at the highest. If you really need to get your point across, use “fudge,” “freakin,” “effing,” etc.
  • Don’t log on when your judgment may be compromised by raging hormones or alcohol/drugs.
  • Don’t negatively comment online about any person in authority (your boss, former boss, parents, a political candidate). Exception: The object of your scathing remark is a puppy beater.

DO:

  • Make sure your social network privacy settings are on high, but remember that this doesn’t give you the green light to be inappropriate.
  • Look at the past year of what you’ve posted on social media profiles. Delete every photo, video and comment that is even remotely off color.
  • Google your name, address, phone number, email address and pseudonyms to see what’s out there about you. If it’s bad and it’s deletable, then delete.
  • If it’s not deletable, but under the control of someone else, see what your options are to have them remove it. Email, call, beg and plead if you must.
  • Once you’ve removed what you can then start the process of pushing out good stuff. This means propagating social and search with digital content that would make your mother actually proud she spawned you. The more good stuff that shows on the first few pages of search, the more the bad stuff will be pushed down into the abyss.

 

If you are saying “I’m not concerned, my life is an open book, if a potential employer doesn’t want to hire me because of who I am, then I don’t want that job anyway.” Fine. But when it comes time to pay the bills, you’ve been forewarned.

You may be a college grad with a 170 IQ or a businessman with 10 years of experience, but to a prospective employer, your fishy face selfie makes you look like a tool. Be careful what you do online!

 

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!

The post Spring Clean Your Online Reputation appeared first on McAfee Blogs.

Mobile Malware in 2014

As the world becomes increasingly mobile, criminals are prioritizing their scams to target smartphone and tablet users more than ever before. Our recent McAfee Labs Threats Report: Fourth Quarter 2013 identified 3.73 million total pieces of mobile malware in 2013, and an astounding 197% increase of total samples from the end of the previous year. While mobile malware is not new, there are some dangerous variations now targeting users on multiple operating systems. Mobile malware comes in all shapes and sizes, but some of the newer iterations are coming in the form of malicious mobile advertisements and sneaky, data-collecting apps.

Below, we discuss some of the recent mobile malware trends targeting both Android and iOS device users.

Mobile malware in advertisements

Malware can find its way onto your mobile device through a variety of methods, but a new study revealed that advertisements were now the main conduit for malicious content. Mobile ads accompany a significant amount of content, and whether you find them annoying or amusing, cybercriminals have turned their attention toward using them to spread malware to unsuspecting users. What makes these “malvertisements” so dangerous is the fact that they are often delivered through legitimate ad networks and may not appear outright spammy, but can contain Trojans or lead to malicious websites when clicked on. An innocuous banner ad promoting vitamin supplements may seem harmless, but it could be luring you into unsuspectingly downloading malware onto your mobile device.

Malicious mobile ads behave just like other phishing schemes, setting a well-cloaked trap that tricks users into putting their devices and personal data in danger. While Android is still the most targeted by dangerous mobile ads, iOS devices are also susceptible to infection. To protect your smartphone and tablet from the perils of these so called “malvertisements,” always avoid clicking on ads when browsing the web or using apps, no matter how enticing the deal. Additionally, keep your browser and operating system up to date and always check for suspicious looking URLs in the event you do follow an ad to a suspicious appearing website.

iOS Keylogger

While mobile devices running on iOS are still relatively safe from the majority of mobile threats, the risks to users are beginning to increase. One of the most recent incidents centered around a coding error in Apple’s iOS and OS X operating systems that weakened basic security features protecting user data from hackers. Apple issued a patch to fix the issue, served through the iOS version 7.0.6 and OS X version 10.9.2 updates.

However, a new possible ‘keylogger’ flaw has been discovered that could allow hackers to see everything you do on your iPhone. A keylogger, or keystroke logger, is software that tracks the keystrokes performed on your computer or mobile device, usually with the intent to steal account information, credit card numbers, and other private data. Security researchers claim that a flaw in the way certain apps run while in the background can be utilized to monitor what you type onto the touchscreen. While this flaw is definitely concerning, it would require advanced hacking skills to exploit and hasn’t been recorded in action yet.

In the meantime, the best way to protect your Apple devices and information from a potential keylogger threat is to frequently turn off any apps running in the background, in addition to avoiding public Wi-Fi networks and having security software installed on your device.

Choose your Android apps wisely

It is still early in 2014, but recent reports are already showing an alarming prevalence of threats targeting the Google operating system. Android devices still hold market share over competitors like iOS and Windows, which explains one reason criminals still favor these devices.

More often than not, these threats are delivered through bad mobile apps, masquerading as something authentic. The majority of these treacherous apps can be found on less-than-reputable third-party app stores, which reiterates the importance of sticking to legitimate providers like the Google Play and Amazon App stores. Aside from outright malicious apps, our recent McAfee Mobile Security Report: February 2014 also discovered that many normal apps are collecting and sharing too much user information. Not surprisingly, the link between the worst over-sharing offenders and malware was pretty clear, with malicious apps often tracking the most sensitive data.

It can seem like there is a never-ending stream of threats targeting mobile devices, but through user awareness and security, we can successfully weather the storm. Keep your mobile devices and personal information safe with tools like McAfee® Mobile Security, free for Android and iOS.

To stay up to date on the latest in mobile privacy and security, follow us on Twitter at @McAfeeConsumer and Like us on Facebook and share your thoughts with us!

lianne-caetano

The post Mobile Malware in 2014 appeared first on McAfee Blogs.

What small businesses need to know about trading safely online

While the internet has helped level the playing field for smaller firms, and enabled them to take on their larger competitors, some consumers are still wary of the dangers of using it, especially where money is involved.

For example, new government statistics show that six in 10 online shoppers prefer to buy from established companies, which they perceived to be safer and more secure.

The good news is that more than eight in 10 would happily shop online with an SME that could prove its security credentials. The opportunities are there, but the onus is on the small business to prove that the customer is protected from cybercrime.

This is a two-stage process. You need to show your site is safe, but before that you will need to ensure that it is.

Stephen Robinson, managing director of Xyone Cyber Security, explains: “As a very first step, it is advisable to carry out penetration testing or website monitoring to ensure that your site is essentially safe to use.”

“Pen” testing is a method of evaluating computer and network security by simulating attacks on computer systems or networks using external and internal methods of attack. Website monitoring services are less detailed but are cheaper and can be done on a monthly basis to keep a small business safe from new attack methods as they occur.

“Without any of this, businesses do not know whether their websites currently have any vulnerabilities which could be exploited by hackers and therefore are not safe for use to take details or payment,” says Robinson.

Once this is in place, you have to ensure that a customer’s payment details are secure. This is the headline-grabber, and the part that most consumers are most wary of.

Robinson says: “Any online retailer must be PCI compliant to take payments by card. There are different levels of compliance required depending on a series of criteria, but this is a requirement for all organisations receiving payment by card.”

Whilst PCI compliance isn’t law, penalties for breaking the code – set by the major credit card companies – can be hefty and the fines levied could cost you much more than your reputation.

PCI compliance affects how you and your staff handle card details within your organisation so that they can’t be accessed by outside organisations or used fraudulently.

Robinson adds: “To ensure card details reach you securely, companies should ensure their websites obtain and maintain an SSL certificate (secure socket layer) to demonstrate safe trading and also enhance customer trust.”

While this may be starting to sound complex and even daunting, there are a number of platforms that businesses can install which handle payments on their behalf. This places the burden on their shoulders, for a fee, and not yours.

“Use a secure trading merchant such as PayPal, SagePay and Verified by Visa or Mastercard SecureCode as these are run via a secure server and encrypt any consumer data,” says Robinson.

But there is plenty more than just credit card data at risk. Names and addresses are valuable, and mailing lists can be stolen and sold to criminals on the black market.

Keep all customer data private, unless they give you permission otherwise. Keep it encrypted and password-secured on your own systems. If you’re moving into the cloud, the burden of keeping that data safe is still on you.

Robinson says: “If you use cloud or shared hosting services, you should be aware of where your data is stored and be satisfied that the hosting provider you use is ISO:27001 compliant, or at least can demonstrate that they have security measures in place.”

And once all your technical systems are set, ensure every single staff member understands them and behaves within the rules. Much of this is behind-the-scenes, however, and a large part of the problem is public perception. Many believe that smaller firms are inherently more at risk of cybercrime. So how do you combat this?

Nasir Kothia, business development director at eBusiness UK, says: “When you hear of a new company for the first time, you look them up on Google and read the reviews.”

Testimonials on your site are great, but using a third-party review site can really help a firm’s credibility. Sites such as TrustPilot and TrustedReviews ask for honest feedback about your business and its products. These show up on Google searches for your business name, and can be included on your own site, so don’t be shy about asking your customers to post reviews there.

Kothia has also used well-established offers sites to help build credibility for sites. “Putting a deal on Wowcher or MoneySuperMarket will give you a real credibility boost by the association with a household name. It’s a fantastic marketing tool, too.”

And don’t forget the simple touches. “Include all the relevant security logos on your site, and make it clear how customers can get in touch,” says Kothia. “People don’t want to send money to a business they can’t contact if something goes wrong.”

Make sure you rank well on Google and fully engage with social media, adds Kothia.

“Look at ao.com as a great example of how to use the social community to build a reputation,” says Kothia. “There is a very prominent box on the homepage which shows that the company has more than 1.4 million likes on Facebook. That makes it hard to doubt that they are a quality company to deal with.”

“Despite the statistics, I don’t actually think there is a reluctance to buy from SMEs. I think it’s more a reluctance from sites that ‘don’t look right’,” says Kothia.

“Shoppers largely just want the best product at the best price. Online customers are there if an SME wants them. If this wasn’t the case then there would be no online success stories, but in reality there are many.”

Sign up to become a member of the Guardian Small Business Network here for more advice, insight and best practice direct to your inbox

How can small businesses keep safe online? Share your advice

Do you have a good tip you can share with other SMEs on how they can protect their business from hackers? Or perhaps you want to improve your cyber security but are not sure where to start?

We’re launching a Twitter Challenge to collect and share your advice on how businesses can keep their information safe online. It could be that you recommend outsourcing this part of your business, or maybe you’ve found a good way of raising awareness of cybercrime among your staff. What has worked for you? Tweet your thoughts, comments, tips and experiences using the hashtag #smallbizsecurity and we will create a Storify from your tweets so others can benefit from your insight.

There’s also the opportunity to get support from other small business owners by tweeting your questions. In a poll of SMEs by the Guardian Small Business Network earlier this year, 47% said they felt they had not done enough to protect their company from cybercrime because they hadn’t had the time to look into it. If this is you, now’s your chance to learn how to make your business secure. Tweet your questions using #smallbizsecurity and we’ll see if our community of SMEs can help answer them for you.


Sponsored content

This content has been sponsored by BIS, whose brand it displays. All content is editorially independent.