For the past five years, security experts at ThreatMetrix, a provider of online security, device identification and malware detection, have been keeping watchful eyes on malware.
Based on attacks they've seen hit more than 700 corporate customers from various parts of the globe, ThreatMetrix' team has come up with a list of chief malware-related issues for the year ahead.
Some of them are obvious concerns, like increased malware attacks against mobile applications. Consumer adoption of mobile devices for a wider variety of uses, including mobile banking and commerce, is getting fraudsters' attention.
But ThreatMetrix notes some less obvious concerns, including the potential difficulties posed by the higher level of security in Apple's iOS platform.
ThreatMetrix analyzed five years of malware research to devise these top malware trends and recommendations for the year ahead:
No. 1: Mobile: The New Target
Malware is quickly evolving, says Andreas Baumhof, ThreatMetrix' chief technology officer and co-founder of TrustDefender, acquired by ThreatMetrix and folded into its anti-malware and device identification suite.
Downloadable apps, such as those for Android smart phones, have already been targeted.
But it's not just open-source platforms that necessarily raise the greatest concerns. Some of the more protected operating systems, such as Apple's iOS, are worrisome because they are too secure, Baumhof contends.
"If I want to install anything on the iPhone, like malware, it's really hard," Baumhof says. "The trouble is that Apple prevents security companies from providing security for the iPhone. So if the bad guys find a vulnerability and we don't know how to stop it, it will be a big mess."
Although the lack of countermeasures to address those vulnerabilities poses risks, companies cannot afford to limit the types of mobile platforms and devices they support.
"A bank can't really say, 'We won't support Android or Apple,'" Baumhof says. "Android, for instance, has a huge user base."
To fight the growing mobile malware trend, the only option organizations have is to ensure they control their exposure. Pointing to mobile banking, Baumhof says financial institutions need to gather information about the devices customers and members use to access online banking accounts. They also need to monitor customer behavior when accounts are accessed via those mobile devices in the same way they monitor behavior on other banking channels.
"If the financial institution sees increased risk, they can restrict transactions or limit transactions," he says. "But it's not an option, I don't think, to limit the devices they allow consumers to use to access accounts."
No. 2: Social Networks Spread Trojans
Social networks have proven to be perfect venues for the spread of Trojans and other malicious software.
"Twitter, in particular, is a worry," Baumhof says. "We have seen a number of high-profile accounts that have been taken over, and once that happens, it's very easy for the malware to spread."
A Twitter account with 1 million followers is attractive; fraudsters can send malicious links to every follower once the account is taken over. And followers are more likely to click the links because they trust the source. It's a common threat on Facebook and LinkedIn as well.
"The problem with all the social networking sites is the trust," Baumhof says. "If we are connected with someone on LinkedIn, Twitter or Facebook, then we trust what they send us."
Social networks also have facilitated the spread of so-called drive-by Trojans or downloads.
In a drive-by attack, a computer gets infected just by visiting a website that contains malicious code. When links to infected sites are sent out via social networks, the results can be catastrophic.
Baumhof notes that in 2010, a compromised news site in the Netherlands led to hundreds of thousands of individuals being infected by the Carberp Trojan.
Search-engine poisoning is another worry. Though not dependent on social networks for distribution, it, too, relies on user behavior.
"It preys on the same things," Baumhof says. "If there is a topical event that many people are searching for on Google, then the bad guys will go in and find pictures linked to that topic and infect them with malware." When the pictures are viewed, the systems are infected.
"There was a giant sinkhole in Germany, which made worldwide news, and if you would search for it on Google and click on the image, you'd get infected fully automatically," he says.
Search Engine Poisoning: Examples from Germany
The best defense is education; fighting socially engineered attacks with technology alone is never the answer. The security industry has been spreading that message for the last couple of years.
But Baumhof says organizations also cannot underestimate the need for consistent updating of patches and anti-virus programs. Doing so offers additional layers of security, and organizations need to ensure employees and customers are taking steps to keep their systems up-to-date and secure.
No. 3: More Man-in-the-Browser Attacks
Man-in-the-browser attacks, which leverage website pop-ups, are increasing, and they're posing worrisome risks for financial institutions, in particular.
"The bad guys can train the Trojan for the particular institution," he says. "These sophisticated attacks don't happen every day, but when they do happen, they are successful."
Baumhof recommends two ways to prevent these attacks. For one, banking institutions need to look at the log-in information on the server side. "Authentication plays a role here," he says. "Banks need to look at the user. Was the user authenticated, and then was the device identified?" The more information the bank has, the more intelligence it can put behind its process.
Second, banks need to monitor for transaction anomalies. "So, if someone tries to log in to your bank account, which is here in the U.S., but the device is overseas and pretending to be in the U.S., there are solutions that can identify those anomalies and flag them for increased risk of fraud."
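The device-consistency and transaction-anomaly checks described here and under No. 1, shown as an added illustration rather than ThreatMetrix's or TrustDefender's code: the field names, weights, thresholds and sample events are all constructed assumptions.

```python
from dataclasses import dataclass

# Plausible UTC offsets (minutes) per country; constructed, not exhaustive.
TZ_BY_COUNTRY = {
    "US": {-600, -540, -480, -420, -360, -300, -240},
    "DE": {60, 120},
    "NL": {60, 120},
    "RU": {120, 180, 240, 300, 360, 420, 480, 540, 600, 660, 720},
}

@dataclass
class LoginEvent:
    user: str
    ip_country: str      # country derived from the connecting IP address
    tz_offset_min: int   # UTC offset the browser/device reports
    locale: str          # e.g. "en-US"; region is taken from the suffix
    device_id: str       # device fingerprint supplied by the client
    amount_usd: float    # transaction requested in this session (0 if none)

def score_login(ev, known_devices, usual_amount_usd):
    """Return (risk_score, reasons); a higher score is more suspicious."""
    score, reasons = 0, []
    region = ev.locale.split("-")[-1].upper() if "-" in ev.locale else None
    # Device claims one region while its IP geolocates elsewhere.
    if region and region != ev.ip_country:
        score += 40
        reasons.append("locale/IP country mismatch")
    # Device clock is inconsistent with where the IP says it is.
    if ev.tz_offset_min not in TZ_BY_COUNTRY.get(ev.ip_country, set()):
        score += 30
        reasons.append("timezone inconsistent with IP country")
    if ev.device_id not in known_devices:
        score += 20
        reasons.append("unrecognised device for this user")
    if usual_amount_usd and ev.amount_usd > 3 * usual_amount_usd:
        score += 20
        reasons.append("amount far above user's norm")
    return score, reasons

def decide(score):
    """Map the score to the action: allow, review, or restrict transactions."""
    if score >= 50:
        return "restrict"   # block or require step-up authentication
    if score >= 30:
        return "review"
    return "allow"

if __name__ == "__main__":
    known = {"dev-a1"}  # constructed: devices previously seen for this user
    ok = LoginEvent("alice", "US", -300, "en-US", "dev-a1", 120.0)
    odd = LoginEvent("alice", "US", 120, "ru-RU", "dev-zz", 2500.0)
    for ev in (ok, odd):
        s, why = score_login(ev, known, 200.0)
        print(ev.device_id, s, decide(s), why)
```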
No. 4: Dealing With BYOD Growth
The trend toward enabling employees to use personally owned devices for business purposes is creating new security challenges. Any device that a company does not control but that connects to corporate databases and servers is a security risk.
Organizations can minimize bring-your-own-device risks by limiting user access to corporate information. But they also need to use strong fraud detection systems to detect when databases and servers are accessed remotely, and, ultimately, retrace fraud events tied to malware, should they occur.
Fighting malware requires enterprise-wide collaboration. "The security problem becomes a fraud problem, because everything is so connected, and many organizations have not caught up with this trend," Baumhof says.