Recent articles, such as that from Davey Winder [PC Pro, 23rd Feb 2012], and reports from security research companies, including a report from Avast [Avast, 2012], are highlighting that cyber-criminals are now targeting children as part of their attack vectors in order to get malware onto computers. This posting looks at why this should be of concern to parents.
Parents and guardians need to be aware that their children could unintentionally put them at risk of losing credit card and other identity information, as well as of computers and other devices becoming infected and possibly part of a botnet. This is not the only risk to their financial and identity information: there is increasing evidence that parents are giving their credit and debit card details to their children, which will make phishing for and harvesting of credit/debit card data easier, as the naivety of children is easy to take advantage of.
If we examine the aims of a cyber-criminal, one of them would be to get malware installed on the victim’s machine as silently as possible, so that the victim is not aware of the installation and is unable to take action to remove or neutralise the malware. The aim of the malware could be to recruit the machine into a botnet, to steal information from the victim, or possibly both.
To perform a silent installation, a cyber-criminal needs either to get the malware to install itself silently by exploiting vulnerabilities on the system, or to make use of a software feature that performs a silent update. An additional method is to use trickery to get the user of the targeted device to do something that gives the necessary permission for the install without them realising what they have done. The final method is to use a Trojan, where a wanted application or utility, such as a game, has an unwanted companion in the form of the malware.
A feature of malware distribution techniques over the last few years has been the move from targeting adult sites to compromising mainstream sites with drive-by download malware, or adding links that redirect surfers to a malware-infected site.
The adult user should be more wary of the risks of internet surfing, which should make them a harder target. Young children, however, are more vulnerable, as they are not aware of the risks of using a computer. The risk of young children being exploited online has increased as they are now being allowed access to computers and the internet at an increasingly younger age. The Internet is taking over from the TV as the electronic nanny in many households, as computers, games consoles etc. occupy children while parents get on with something else.
Targeting young children’s use of the internet bypasses the controls that older, and hopefully more experienced and wary, users will be following. The malware distributors are increasing the likelihood of placing malware on a computer by taking advantage of the naivety of children, especially in the pre-teen generation.
The targeting of children is mainly in the form of drive-by downloads, where the cyber-criminal has targeted the web sites that children are likely to use. The targeting is aimed at pre-school age upwards, with games designed to be attractive to young children. BitDefender Online Threats Lab, one of the security vendors doing research in this area of cybercrime, reported recently on a range of Flash-based games that were colourful and attractive to young children and which came complete with a trojan. They even found one application where the very act of swiping the paintbrush over an online pet to change the colour of the virtual animal, which is a common action in most pre-school games, was enough to trigger redirection to an infected site.
For slightly older children, the attackers are using social media for phishing attacks, using adverts and postings that are attractive and attention-grabbing to children and trying to get them to click through to affected sites so that malware can be installed.
In addition to the targeting of children as described, there has been an increase in the number of leisure sites being attacked. Online game sites in particular have attracted a number of attacks: since the attack on Sony online sites was reported in April 2011, a number of other games/gaming sites have been targeted and player details stolen.
- June 2011, EVE Online, Minecraft Cyber Attacks
- June 2011, Sega
- Nov 2011, Valve Steam
- Dec 2011, Square Enix
As to why children and leisure sites are being targeted at all, we can look at an urban legend: when William "Willie" Sutton, a prolific U.S. bank robber, was asked why he robbed banks, his reported reply was “That is where the money is.” This line has been used to describe why cybercrime has been increasing, as that is where the money is now; there is also less risk of being caught in targeting online shops, banks etc. than in physically holding up a bank. With online leisure activities such as gaming, gambling and betting having taken off in popularity, we have to be aware not only of the attacks on online banking but also of attacks on both our own and our children’s leisure interests and activities.
At a seminar (EEESTA seminar 2011, Professor Sasse), Professor Sasse told of a respondent to a survey about “chip n pin” who was very enthusiastic about it, as she could give her card and PIN to her children and send them to the shops. In addition to a number of studies that have been conducted on this, I personally know of cases where a very trusting parent has given their credit card details to children to make online purchases via iTunes etc., or has set up accounts with their card details for the children to use. With younger and naive children having access to the financial details of their parents, I would expect to see an increase in phishing and malware targeting children, as they are the weakest link in the security chain.
Additionally, I would expect banks and other financial institutions to be looking at this phenomenon, in particular when it comes to the terms and conditions about credit card fraud and losses. I would expect to see investigations of fraud and losses looking at whether children had access to credit card details, to determine if the card holder has met the terms and conditions of their credit card/bank contract when deciding whether to pay out to cover losses.