Sophos Tracks New Mobile Web Site Hacks

 
 
By Matthew Hines  |  Posted 2008-06-30
 
 
 
 
 
 
 

Researchers at endpoint security specialist Sophos are warning of a new set of attacks targeted at .MOBI Web pages.

The SQL threats highlighted in the research are interesting because they represent innovation in the world of mobile attacks, which have yet to materialize to the extent that experts once predicted, but which appear to be growing slowly in popularity and complexity.

In following the activity of a fairly common and widespread set of Trojan iFrame attacks (identified by Sophos as Troj/Iframe-AG) researchers with the company (specifically "Pob") spotted the use of new .MOBI TLD domains.

The .MOBI domains are the top-level domains assigned by ICANN (Internet Corporation for Assigned Names and Numbers) for use on sites specifically designed to be accessed by handheld devices.

Sophos identified the affected sites as legitimate, so it looks as if the popular practice of hacking sites to infect unsuspecting users has segued from traditional PCs over to the mobile world. Even worse, the sites that the attackers attempt to push people's mobile browsers toward through the scam appear to be associated with fake anti-virus downloads, giving the attacks an even more dangerous bent.

The researchers said upon visiting the affected .MOBI pages "the root of each site attempted to load a script 'AD.JS'. This in turn attempted to load another web site -- a fake anti-virus install site."

After pretending to carry out a virus scan, the redirect sites warn users that their device has been infected with a range of malware and adware programs, specifically:

Trojan.Bakloma.A

Win32.Gattman.A

Trojan.Zapchas.F

JS.Blackworm.A

Trojan.Tibs.E

Win32.Netsky.P@mm

Trojan.Winsys

Trackware.Adctech2006

Downloader.TrafficSector

Adware.Roings

After warning the user, the fake AV sites push the person to download and run an executable file (installer.exe) that Sophos said is actually a malware program (Mal/Packer). If the program is run, it installs another malware program named Troj/FakeAV-AA.

Sophos did not report whether the attacks could successfully corrupt handhelds, or merely infect PCs that somehow end up at the affected sites.

The approach would hardly seem innovative if not for the use of the .MOBI domains, but all things considered, it does appear to validate the notion that mobile security concerns will essentially parallel those that have long been associated with PCs.

And while some experts contend that mobile malware will never become as prolific as PC-based attacks, based on the sheer number of device operating systems in use and the ability of carriers to control the applications that users can download onto their devices, projects aimed at fostering a more open development environment -- such as Google's Android effort -- could create a bigger opportunity for the bad guys.

As it is, some people are already looking at the increasing popularity of "jailbreaking" phones, or altering their software to allow for the use of unapproved programs, as another potential mobile malware breeding ground.

Only time will tell just how dangerous the mobile environment becomes, but something tells me that as long as there is a buck in it -- and with the rise of mobile-based micropayments and so on, you can imagine it will become a lucrative landscape with lots of high-profile targets -- people will figure out a way to get their hooks into it.

And with the combination of location-based services on these devices and the ability of criminals to potentially figure out where you are, things could get pretty scary.

 
 
 
 