Companies spend untold amounts to protect their brand names. And for good reason. According to Interbrand, the total intangible value of the world’s top 100 brands is more than $2 trillion. Unfortunately, cyber-criminals and hackers are also investing in corporate brands. They have found it useful to hide behind the reputation of leading brands, by poisoning their websites with malware, hijacking or copycatting mobile apps, and exploiting on-line ads, in order to commit fraud.
Since most corporate websites are believed to be secure, they make an ideal target for cyber-criminals who want to distribute malware, primarily because the reputation of the company in question protects its webpages from being put on blacklists, and the site is trusted by visitors. Bad actors on the internet have copied a strategy used by predators on the Serengeti—they hang around “watering holes” to catch the prey that comes to a website.
This “watering hole” technique is easily carried out because large corporate websites often generate countless special-purpose files or landing pages—and then leave them on-line long after they have finished serving their purpose. They are not monitored or maintained, and their security is certainly not updated, allowing vulnerabilities to persist and multiply. This enables hackers to exploit flaws and inject malicious code that infects visitors lured to the site through phishing or other techniques. Lulled by the site’s trusted name, they will come—and the brand reputation of the owner will suffer another hit.
Last year the nbc.com home page was compromised and used to exploit a Java browser vulnerability that installed the Citadel/Zeus online banking malware on victims’ machines. Meanwhile, in February attackers compromised the US Veterans of Foreign Wars’ website with malware believed to be targeting military service members to steal military intelligence.
The danger from hijacked mobile apps, on the other hand, arises from the fact that these are often distributed through third-party app stores, which have varying levels of security. At un-policed app stores hackers can hijack posted apps and replace them with their own copies of the app.
Some cyber-criminals are simply interested in intercepting the purchase price of apps, which has no particular impact on a brand’s reputation. Others, meanwhile, repackage apps with malicious code. Often the infected apps don’t appear to work when downloaded—but malware is running in the background, posing untold potential damage to the reputation of the enterprise whose brand name it carries.
The code may collect identifying information on the user, including street addresses, e-mail addresses, phone numbers, and even GPS coordinates, for sale to ad and data brokers, violating the user’s privacy in the name of the company. Worse, the app may contain a key logger that gathers banking credentials, which let third parties siphon the user’s accounts. The most common mobile app malware sends a text message to a premium rate phone number so that the user gets charged on the next phone bill—and has a written record of the damage caused by the abused brand’s app. In April, five wallpaper apps in the Google Play store, which are now no longer available, were found to be delivering a new piece of mobile Bitcoin-mining malware known as BadLepricon.
Then there’s “malvertisements”—malicious ads placed on legitimate websites. They look like real ads, but hackers and cyber-criminals use them to spread viruses and spyware, etc. Using hidden HTML frames, the ad can trigger an infection even if the user does not click on the ad. In January, Yahoo revealed that European users were served malicious advertisements that, if clicked, directed them to websites that tried to install malicious software. Cyber-criminals may hack into legitimate sites and inject malicious code into existing banner ads. Or they may pose as a trusted company and place clean, legitimate ads on a site—and later replace them with infected ads, often over a weekend, when IT departments are not paying attention. After infecting a few million users, they then replace the infected ad with the original, clean ad, making their actions difficult to trace.
The fact that many ads are placed through third-party networks makes it even more difficult to track down malvertising fraud. The multitude of layers within this supply chain puts security beyond the control of the brand placing an ad and pretty much assures that, somewhere along the chain, there will be a weak link that a hacker can exploit.
Malvertisements are not a trivial issue. The Online Trust Alliance (OTA) estimates that nearly 10 billion ad impressions were compromised by malvertising in 2012. RiskIQ’s own web crawlers typically detect tens of thousands of malicious ad samples each day.
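A site owner can screen ad markup for the hidden HTML frames described above before it reaches visitors. The following is an added example, not code from this article or from RiskIQ; the function names, the heuristics and the sample creative (on reserved `.example` domains) are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Inline styles that keep a frame out of the visitor's sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:^|;)\s*(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)"
    r"|(?:left|top)\s*:\s*-\d{3,}px",
    re.I,
)

def _tiny(value):
    """True for a width/height attribute of 0 or 1 pixel."""
    return value is not None and value.strip().lower().rstrip("px").strip() in ("0", "1")

class HiddenFrameFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "frame"):
            return
        a = dict(attrs)  # names arrive lower-cased; valueless attrs map to None
        reasons = []
        if "hidden" in a:
            reasons.append("hidden attribute")
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("0/1px size attribute")
        if HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hiding inline style")
        if reasons:
            self.findings.append((a.get("src") or "", reasons))

def find_hidden_frames(markup):
    """Return (src, reasons) for every frame in markup that is hidden inline."""
    finder = HiddenFrameFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings

# Constructed ad creative: one visible frame, two hidden ones.
SAMPLE_CREATIVE = """
<div class="ad-slot">
  <iframe src="https://cdn.example/video.html" width="300" height="250"></iframe>
  <iframe src="https://redirect.example/gate" width="1" height="1" frameborder="0"></iframe>
  <iframe src="https://redirect.example/b" style="position:absolute; left:-9999px"></iframe>
</div>
"""

if __name__ == "__main__":
    for src, reasons in find_hidden_frames(SAMPLE_CREATIVE):
        print(src, "->", ", ".join(reasons))
```

This check reads only static markup, so frames created by script or hidden through an external stylesheet need inspection of the rendered page instead.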
Since brand value accounts for nearly 75 percent of business value in the U.S., guarding against corporate identity theft is much more than a technology problem. More at http://www.riskiq.com/