As mobile phones become increasingly vital tools for corporate and social communication, savvy and malicious hackers are finding new ways to exploit both the security holes of devices and the, well, gullibility of some end-users.
Case in point: McAfee today announced a new type of phishing attack. Called "SMiShing," a marriage of phishing and SMS, this attack sends a message to the phones of unsuspecting users reading, "We're confirming you've signed up for our dating service. You will be charged $2/day unless you cancel your order," writes McAfee Mobile Threat Researcher David Rayhawk in the McAfee Avert Labs blog.
Included in the text message is a URL that some unsuspecting users will very likely click. From there, Rayhawk writes:
"[Users] are prompted to download a program which is actually a Trojan horse that turns the computer into a zombie, allowing it to be controlled by hackers. The computer then becomes part of a bot network, which can then be used to launch denial of service attacks, install keylogging software and steal personal account information and other malicious activities. Because monitoring botnet activity is complex, it is challenging to know the current scope of the problem."
Meanwhile, CBS recently announced plans to push TV clips to mobile devices via Bluetooth. The idea is, a user would see a billboard at Grand Central Station in New York City urging him or her to enable Bluetooth. Doing so would let the user connect with a Bluetooth system on the billboard and download video files.
Clever? Certainly -- perhaps from a marketing perspective. But urging users to enable Bluetooth in a public place like that could leave them susceptible to a virus like Cabir.
Mobile insecurity shouldn't just concern individuals who fear for their phone bills, of course. Mobile devices can be overlooked and poorly protected gateways to your enterprise network.
McAfee's Rayhawk urges enterprises to revisit (or create, in some cases) mobile security policies: "Enterprises would be wise to keep a close eye on this issue and think about policies for securing their mobile devices ahead of time, rather than playing catch up when it hits them, and begin to educate their employees about the potential risk now."