Mobile technology means new fraud techniques
Scammers scour for ways to rip you off with the latest gadgetry
What evolves almost faster than technology? Nefarious ways
to steal money from people using that technology.
The hot new tactics among cyberthieves: QR code fraud,
mobile-technology malware and email scams powered by gift cards, not credit
cards. That is, for now. Cyber criminals are like sports dopers; it's their
business to stay a step ahead of the game. "We beat them, they have a new
variant within 48 hours," says Nick Nascimento, owner of aGeek2Go, a San Diego-based information
and service company.
"These aren't kids in a garage. They are people in high-rises driving nicer cars than we do," Nascimento says. "The sophistication, the sheer masses of bandwidth -- this is big-time
Nascimento and others explain three hot cybercrime
strategies, and how to avoid them.
1. QR Code Fraud: QR codes are those black-and-white squares
that look like modern art; in reality they are condensed URLs. When scanned,
they lead users to a Web page. Marketers love them because they're instant and
accurate, says Tony Anscombe, senior security analyst in the San Francisco
office of AVG, an Amsterdam-based security software firm. "It's not relying on
me remembering anything or typing anything," Anscombe says.
QR codes become fraudulent in two ways. The first is when
they're designed to contain malware. When the user scans the code, the malware
loads -- in the background, invisibly -- onto the user's mobile phone. When users
open a mobile wallet, or access their bank information with the phone, the
malware captures that information and relays it to the creator of the nasty QR
code, who then uses it to steal from bank accounts and make fraudulent
credit card charges.
Fraudulent QR codes can also lead users to a legitimate-looking
URL that asks for permission to send texts (SMS messages). Users who consent
begin getting premium texts, which show up as 50-cent, $1 or other small
charges on a cellphone bill, a charge most users wouldn't notice, Anscombe
says. Those small charges, spread over hundreds or thousands of cellphone
bills, add up to big money for the criminals.
How to avoid it: First, download a QR code security app;
makers include AVG Mobilation, Norton Mobile Security and Lookout Mobile
Security. The apps will let the user know if the QR code will lead to a
malicious site. Second, resist the urge to scan any random QR code you come across,
particularly if the code is on a poster or looks pasted-on. Thieves circulate
these codes by developing them, printing them and sticking them in easy-to-see
places, Anscombe says. If you absolutely must play with QR codes, do so at
places of commerce you trust.
2. The FBI scam. This scam, for desktop computers, arrives
via an email that looks like it's from the FBI. The scam is new because it
relies on gift cards, not credit cards, to make a profit. This is how it works:
The email -- which looks startlingly real, Nascimento says -- tells the
recipient that they've been the victim of malware, then asks for payment to
erase the malware from their computer. The page helpfully suggests buying a
gift card at CVS or another chain store as payment. Users then enter the
gift-card number into an email; the thieves at the other end take the amount
and supposedly free the user from the malware.
The trick? The transaction with the gift card actually
places malware on your desktop, and usually, professional help is needed to
wipe it clean, Nascimento says.
How to avoid it: "Ignore it," says Nascimento, adding that
the scam first came to attention about four months ago, and has since morphed
four times. "It's very hard to get out of machines," he says.
3. Mobile malware. Fake apps download viruses and
malware onto smartphones -- Android models are particularly susceptible -- via
text messages and emails. When users open the email, it begins sending texts
in the background that ring up charges on the user's cellphone bill. Others
send email messages; when the user clicks on the link in the email, malware
downloads and begins downloading personal information -- including anything stored in a
virtual wallet -- from the user. Some ask for permission to access a contact
list and then send the malware to the user's friends and family as well.
Worse, the malware will leap to a personal computer or
tablet when the host -- the mobile phone -- is attached to that device to charge
or port information. "Plug it into a
corporate network, and you've just put the entire corporation at risk," says
Stan Stahl, founder of Citadel Information Group Inc., a Los Angeles
online security consultancy.
How to avoid it: Treat your cellphone like the personal
computer it is, Stahl advises. First, download apps only from trusted sources --
the Apple site for iPhones, the Google site for Androids. (In late October,
T-Mobile announced it would offer Android users free security apps and load
2013 models of phones with security devices.)
Second, pay attention when installing an app.
"It should tell you exactly what it's going to do," Stahl says. Keep an eye out
for unusual requests; for instance, if a map app
asks to access a contact list. If it does, "say no and think about whether you
want to download it," Stahl says.
Third, think twice about "jailbreaking" an iPhone, that is,
altering it to free it from the iOS operating system and thus open it to apps
from other sources. Jailbroken iPhones are as susceptible to viruses as a
newborn infant: "All bets are off," Stahl says.
Overall, "users are the last line of defense," Stahl says,
noting that the mobile security applications don't work 100 percent of the
time. "Exercise some common sense about what you're doing."
Published: October 30, 2012