Spreading a Virus

As cell phones become more like portable computers, they are also becoming vulnerable to the same threats that affect computers, including viruses.

Many computer viruses are designed to propagate themselves by making an infected machine forward the malicious software to other computers by e-mail.

Security vendors have recently spotted viruses that target mobile phones and are designed to spread through text messages instead of e-mail, according to an article Computerworld published July 16.

And like other viruses, these cell phone bugs can potentially steal data stored on mobile phones and send it to hackers.

The malicious software, known as "Sexy Space" and "Transmitter," infects phones by prompting users to click a link in a text message, the article said. According to the security software vendor Trend Micro Inc., it is the first piece of malicious software for mobile devices that is capable of transmitting text messages on its own.

Researchers have identified another way that viruses can spread: updating users' Web sites.

Some malicious software scours computers not just for bank passwords, but also for passwords used to make changes to Web sites, The Washington Post's Brian Krebs reported in his July 16 "Security Fix" column. The viruses can then infect the sites with code designed to spread the bug to people who visit them.

Krebs called this "one of the most effective ways" that malicious software can spread. It maximizes "the chances that infected files will be shared with and downloaded onto new host systems," he wrote.

According to the security Web site StopBadware.org, the practice is becoming more common, Krebs wrote. StopBadware said that to fight the method, administrators should configure the software they use to upload Web pages so that it does not store their passwords. They should also scan HTML files for viruses, it said.

Business Frauds

Online fraudsters are focusing more attention on the bank accounts of businesses, which tend to keep larger balances than consumers and typically have less regulatory protection.

The growth in attacks on business accounts is "exposing a poorly kept secret in the commercial banking business: That companies big and small enjoy few of the protections afforded to consumers when faced with cyber fraud," The Washington Post's Brian Krebs reported Monday.

Krebs described several recent scams that drained significant sums from businesses and government agencies. For example, the Western Beaver School District, in a suburb of Pittsburgh, has filed suit against ESB Financial Corp. after more than $700,000 was transferred from its account to 42 people in 74 transactions over two days.

The school district has alleged that the banking company was able to reverse about $263,000 of the charges, but has refused to cover the remaining loss of more than $441,000.

In another case, hackers planted malicious software on the computers of Slack Auto Parts in Gainesville, Ga., gained access to the company's bank accounts and then were able to siphon out nearly $75,000 in nine transfers this month.

One federal law enforcement source told Krebs that he was familiar with several investigations of similar incidents, and the recent wave of attacks against businesses and public agencies is "only the very tip of the iceberg."

Avivah Litan, a vice president at the market research firm Gartner Inc., said that banks are required, under Regulation E, to cover almost all of consumers' losses to fraud, but business accounts have far less protection.

She said that many banks have focused their antifraud efforts on transaction monitoring technology and one-time passwords, and that the automated clearing house (ACH) systems used to transfer funds are often less secure.

"ACH is one of the most vulnerable spots in the system, and very few banks have ACH fraud detection," Litan said.

"It's a really big deal because the rights of businesses to get their money back" after an ACH fraud "are weak," she said. "If I was a small business banking online right now, I'd switch my account from a business account to a personal account. There are fewer features available, but it's a lot safer."

Exposures

The Twitter Inc. employee whose e-mail account was targeted by hackers may have been left vulnerable by Twitter's own service.

The hacker, who also gained access to the e-mail account of the wife of Twitter's chief executive, Evan Williams, used that access to nab internal documents that were then sent to the tech news blog TechCrunch, The New York Times reported July 16.

The hacker was able to access the employee's account by answering the personal questions Google Inc.'s Gmail asks people when they have forgotten their password.

By gaining access to even one employee's Google account, the hacker was also able to gain access to information Twitter shares internally through Google's Google Apps servers.

"A hacker who breaks into one person's account can access information shared by friends, family members or colleagues, which is what happened at Twitter," the Times said. Twitter co-founder Biz Stone told the Times that the breach "speaks to the importance of following good personal security guidelines such as choosing strong passwords."

Chris King, the director of product marketing for the firewall vendor Palo Alto Networks, told the Times that the hacker may have guessed the answers to the employee's personal questions by seeing what the employee wrote on Twitter. "A lot of the Twitter users are pretty much living their lives in public," King said. "If you broadcast all your details about what your dog's name is and what your hometown is, it's not that hard to figure out a password."

Johnson County, Kan., mistakenly e-mailed the names and Social Security numbers of 8,600 people to 49 county employees, The Kansas City Star reported July 16.

The information, which was taken from the county's payroll database, was sent to the employees July 1 as an e-mail attachment. When county officials realized their mistake, they instructed the recipients to delete the data and followed up to make sure that it had not been reproduced, the paper said. The county disclosed the incident July 16, and said there was little chance the information was misused.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.