Mobile Threats Are Increasing But Are Still Nothing Compared To PC Crime
The latest Symantec Internet Security Threat Report describes a dangerous world where threats involving mobile computing, such as identity theft and malware, are increasing, but still a small minority of the total.
Almost all security vendors note steady increases in mobile malware, as does Symantec. As you can see from the graph below, growth took off in 2011, but the overall numbers are still small.
The types of malware found reveal that criminals appear to be adapting to the new environment. See the graph below:
The two biggest categories of malware spy on the device and the user. The third makes money by sending text messages to premium-rate numbers set up by the attacker. When your phone calls or texts these numbers, your account is charged and the owner of the number is paid. Typically attackers will charge a small amount, perhaps $10, once a month on the theory that you won't notice it. According to the Symantec report, one gang earned $1 million/year using this technique. The criminals don't need a huge number of phones to do it.
Most of the remaining threats are more like PC malware. As with other areas of computer crime, mobile hackers move around from one technique to another looking for what will make them money.
Besides making a quick dollar, the more serious threat occurs when criminals use smartphones as a way to hijack data on the network. According to the report, Symantec saw examples of attackers using their control of smartphones to access data on enterprise networks to which they were connected. Indeed, the point of most mobile malware is to steal information. When the attacker has access to company data the threat becomes far more serious. This is the point where BYOD (Bring Your Own Device) becomes a disaster for the company.
Of the 187 million compromised identities found by Symantec in 2011, about 10% (18.5 million) were the result of a lost device. This is clearly a big number, but it pales in comparison to the identity theft impact of network intrusions of a more conventional sort, such as by compromising a PC on the network.
Lost and stolen devices are a big problem and an up-and-comer, but device theft is not scalable from the criminal's point of view. You may be able to break into numerous databases and compromise thousands of identities from the comfort of your own home, but stealing a large number of smartphones is hard work. Symantec did a test where they purposely "lost" smartphones running monitoring software and then tracked the phones to see what happened to them. No, people who found the phones didn't look up "home" and call to return them. Instead, the test found that someone looked at private data on 96% of the phones and 50% of the phones were never recovered.
Computer criminals are a surprisingly conservative bunch, and they tend to stick with what they know works. Consumers have been much more adventurous by comparison, rapidly adopting mobile technologies and cloud services. The bad guys are working on these fronts, but such attacks are not mainstream and may not be for some time.