This week at CES 2013, we announced our commitment to delivering innovative security solutions aimed at protecting a consumer’s entire digital life, reflecting the broad adoption and usage of personal devices. Together with Intel, we are redefining the consumer security experience with a focus on safeguarding consumer devices, securing personal data, and protecting identities online. This user-centric approach will deliver a comprehensive and valuable service offering that helps meet the evolving needs of consumers as they enjoy their digital lives anywhere, and from any device.

Key attributes of consumer-centric online security and safety include:

• Safeguarding Devices: Comprehensive protection for PCs and Macs, as well as mobile devices, such as smartphones and tablets. Increased security services will be available “cross-device” and in the cloud, enabling for consumers to utilize capabilities from any device at any time.
• Identity Protection: A user-centric approach to security incorporates solutions to protect identity and personal information from theft and misuse. Plus, safe access destinations and services on the Internet.
• Personal Data Security: Simplified security technologies that ensure personal data remains personal, whether it’s stored on a device or stored in the cloud.

Exclusive Beta Available to Consumer Partners
At CES 2013, McAfee partners will be able to preview the consumer benefits of our new personalized security solutions. This invite-only demonstration will take place at McAfee Central, located inside the Delmonico Steakhouse in the Venetian.

Follow us on Twitter at @McAfeeConsumer for more information on personalized consumer security, as well as the latest security news and announcements.

We found a couple of such toolkits on the Internet. They are also available for sale on various forums over the net.

Each tool performs a specific function. For example, the folder Pinterest Content Locker contains a couple of scripts to set up scams. This particular one is a scam technique in which victims visit the website and get a “content locked” message stating that they need to click on the “Pin It” button to unlock the content. Here is an example:

In the php code we can see the following:

The code contains an array of links and it randomly selects one to post on Pinterest. It also uses an “unlocked” cookie to check whether a user has already visited the webpage and clicked on the pin button.

The scam requires that a victim click on the “pin it” button before seeing the content of the web page:

The code then calls a function Clicked. This function opens a new window and takes the user to Pinterest for pinning the content. Then it calls another function Remove_Overlay:

This function sets the cookie “unlocked” with value =1 and expiration date as the current date plus one. This is done so the next time users open the same URL, they will not get the content-locked message.

The code also has the folder viral script, which contains a php file used to display various scams:

The image asks the user to click on the “pin it” button, which posts the URL to Pinterest. Then it asks the user to perform the final step, which leads to an attacker-defined survey URL.

The trick is to get victims to click on the “pin it” button before clicking on “Final Step.” If users first click Final Step, then they see this message:

Let’s look at the code of “Click Here”:

It has a link element with id=”linkos” and whose value is javascript:window.alert(“Please Complete Step 1”).

This value can be modified at runtime after the user has clicked on the “pin it” button, shown in the next image:

When a user clicks “pin it,” it calls the function “PopupCenter, which will post the link to Pinterest and call the function “RevealLink.” This function changes the value of “linkos” as follows:

Another template employs the preceding technique with a different GUI, which seems like the actual Pinterest site:

The template contains an executable named Pinterest Amazon Product Submitter. This is a bot that scrapes Amazon for products based on given keywords and then submits them to Pinterest.

When victims click on a Pinterest post they are redirected to the scammer’s site, which will contain a “redirect script” or “cloaker script” that will simply redirect users to Amazon with the scammer’s affiliate ID. Amazon does not see the referral as Pinterest but rather as the scammer’s custom page–and the scammer can earn money:

There is also a mass bit.ly link generator, which will generate random links for the scam’s URL:

The trick here is to use “?” at the end of the URL so that tool will add a random string after “?” and get different URLs from bit.ly. This technique makes it possible for an attacker to generate as many random URLs as needed, with all pointing to same location.

Another script, “Detecting Mobile Phone Visitors,” can check the user agent of the web browser and determine the device from which a user visits the site.

Depending upon the device, a user can be redirected to a variety of URLs. We have observed that in the case of mobile devices, the redirection often leads to pornographic images which, upon being clicked, open a phone dialer with premium calling numbers. In the case of nonmobile devices, the redirection often leads to various survey scams.

The toolkit also includes “Pinterest follower bot,” which can be used for mass following on Pinterest:

We also find a tool for making mass comments on Pinterest posts:

Another tool generates Pinterest invites:

And would you believe that these tools even come with well-written documentation?

Such toolkits make it very easy for scammers to start their own scam sites and become functional cybercriminals with a minimum of skills and time. They need only change a couple of simple things, such as URLs, and they are ready to go. Almost all these steps–from creating mass Pinterest accounts to mass liking, commenting, and posting–have been automated.

Most of these scams try to lure users with titles such as “get free gift card,””Shocking Video,” “you can not believe it,” etc.:

When users click on such URLs, they will be:

• Redirected to a survey scam, where scammers earn money when users complete surveys
• Redirected to Amazon or another site, where scammers can earn money by referral
• Led to premium calling numbers of mobile devices

Please follow these guidelines to stay safe:

• Never share your password with anyone. Such tools make it very easy to mass-comment or post from any account.
• If any web page asks you to “Pin It” before you can see the content, most likely it is a scam
• If any web page offers you a “free gift card” and redirects you to surveys, most likely it is a scam
• Be careful while clicking links that have catchy titles like “shocking video,” ”you will not believe it,” ”free give away,” etc. Most of the time, they lead to scams and trouble!

 This quote came from Andy Grove, Intel Co-founder and former CEO.  And, while he said this at an annual meeting in 1998, his philopsophy is timeless.  In my opinion, social networking is at the crux of this inflection point.  Enterprises recognize that they must begin to embrace social networking – with its extraordinary potential– but doing so has its own set of challenges.

 The Gen-Ys entering the workforce have been raised in an instant communication digital age. For them, social media is how they communicate now and how they expect to communicate in the future as business professionals. Corporations that have strict security policies tell me that their ability to hire fresh talent is difficult because they are competing with companies that have a more “open” social media policy.  

 On the flip side, many corporations are leveraging full-blown social media strategies to reach out to their customers. On my own personal Facebook account, I’ve “friended” a number of artists, as well as local and global companies I admire, and it’s evident that it’s one of the most cost effective means of communicating directly with a captive audience. So, doesn’t it seem ironic that the same companies that are using this medium to market their products are the same ones that are locking down their employees’ access to it?

 But let’s be fair.  The businesses that are limiting access to sites like Facebook, Twitter, and Linkedin are simply worried that too much information sharing will result in lost productivity, data leaks, and sometimes a diluted culture. But, even more concerning to IT security people is that the sites most visited by employees are malware magnets that have been exploited by hackers — stealing identities, distributing viruses, and sending spam.  And, the security risks are only getting worse.  

 So where’s the balance?  How do we inject fundamental change into a social fabric that has such strong fibers? I believe the solution is to allow corporations to embrace social media, while providing them with technology that allows them to monitor, or limit, its use. These technologies can also be leveraged to ensure that corporate sensitive information does not inadvertently (or purposefully) leak onto these open platforms.  The McAfee Cloud Security Platform is an option that integrates modules capable of protecting against the worst social networking has to offer, and may be the only way to make today’s security strategic inflection point a positive one.

 McAfee launched this platform last year to protect data to and from the cloud through the major traffic channels: Web, Email and Authentication/Identity – including social media platforms. We’ve continued to innovate and enhance the products included in this platform to secure businesses from growing online threats.  I encourage you to learn more about how the McAfee Cloud Security Platform can help you and your business be protected while allowing social networking to thrive.

Malware

The overall growth of PC-based malware actually declined throughout Q4 2011, and is significantly lower than Q4 2010. The cumulative number of unique malware samples in the collection still exceeds the 75 million mark. In total, both 2011 and the fourth quarter were by far the busiest periods for mobile malware that McAfee has seen yet, with Android firmly fixed as the largest target for writers of mobile malware.

Contributing to the rise in malware were rootkits, or stealth malware. Though rootkits are some of the most sophisticated classifications of malware, designed to evade detection and “live” on a system for a prolonged period, they showed a slight decline in Q4. Fake AV dropped considerably from Q3, while AutoRun and password-stealing Trojan malware show modest declines. In a sharp contrast to Q2 2011, Mac OS malware has remained at very low levels the last two quarters.

Web Threats

In the third quarter McAfee Labs recorded an average of 6,500 new bad sites per day; this figure shot up to 9,300 sites in Q4. Approximately one in every 400 URLs were malicious on average, and at their highest levels, approximately one in every 200 URLs were malicious. This brings the total of active malicious URLs to more than 700,000.
The vast majority of new malicious sites are located in the United States, followed by the Netherlands, Canada, South Korea and Germany. Overall, North America housed the largest amount of servers hosting malicious content, at more than 73 percent, followed by Europe-Middle East at more than 17 percent and Asia Pacific at 7 percent.
Spam

At the end of 2011, global spam reached its lowest point in years, especially in areas such as the United Kingdom, Brazil, Argentina and South Korea. Despite the drop in global levels, McAfee Labs found that the present spearphishing and spam are highly sophisticated.

Overall botnet growth rebounded in November and December after falling since August, with Brazil, Columbia, India, Spain and the United States all seeing significant increases. Germany, Indonesia and Russia declined. Of the botnets, Cutwail continues to reign supreme, while Lethic has been on a steady decline since last quarter. Grum made a significant comeback after a long decline, surpassing Bobax and Lethic by the end of Q4.

Data Breaches

The number of reports of data breaches via hacking, malware, fraud and insiders more than doubled since 2009, according to privacyrights.org, with more than 40 breaches publicly reported this quarter alone. The leading network threat this quarter came via vulnerabilities in Microsoft Windows remote procedure calls. This was followed closely by SQL injection and cross-site scripting attacks. These remote attacks can be launched at selected targets around the globe.

Download McAfee’s Threats Report: Fourth Quarter 2011.

OnStar offers “RemoteLink,” an application for the iPhone or Android, which allows Cadillac, Chevrolet, Buick, or GMC owners to view real-time data including fuel range, gallons of gas remaining, lifetime miles per gallon (MPG), lifetime mileage, remaining oil life, tire pressure, and account information. Chevrolet Volt owners can view their car’s electric range, electric miles, MPG, and the battery’s state of charge. Users can also use the application to remotely perform certain commands, such as unlocking doors.

While all this new technology provides us with convenience and useful information, it may also leave use open to risk. Researchers in San Francisco have been able to access a car’s central computer processor through an Internet-connected car alarm, and in Seattle, researchers “blacked out the make and model of a car that offered multiple pathways for hackers a thousand miles away to send out GPS coordinates, open the doors, and have a colleague drive away without a key in the ignition.” And a New Jersey man has developed an iPhone app that lets him unlock cars and start engines by voice.

As with most technological advances, functionality and form come well before security. But now that researchers have demonstrated the frightening vulnerabilities inherent in cars’ computers, automobile manufacturers are working with companies like McAfee to develop firewalls that will protect the latest high-tech vehicles from hackers and thieves.

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube. (Disclosures)

There are definite benefits these devices provide, but also significant risks, particularly when such devices are being handed to children. In his report “Letting Children be Children,” author Reg Bailey highlights a concern where nearly nine out of 10 parents surveyed agreed that “these days children are under pressure to grow up too quickly.” Invariably, some material available on the internet today gives children access to age-inappropriate information that should be blocked. A key recommendation to help solve this issue is to make it easier for parents to protect their children by blocking online adult and other age-restricted material.

Provision of such controls is one of the key activities of the UK Council for Child Internet Safety (UKCCIS), an initiative that we at McAfee are fully engaged in and support. However it is important to remember that whilst the provision of such controls is absolutely crucial, they are not the complete answer.

“Child internet safety is increasing in prominence and widening in complexity as the internet becomes more accessible to children,” said Parliamentary Under Secretary of State for Children, Tim Loughton. “We want to reduce children’s access to harmful and inappropriate content online and help parents choose what their children can see. Reg Bailey recommended the concept of ‘active choice’ – giving customers a choice at the point of purchase over the content they can access.” Loughton continued, “McAfee have wholly engaged in the drive to deliver active choice to the marketplace and have been a positive leader in creating and offering solutions to the mobile phone, ICT, hardware and retail sectors.”

McAfee recently conducted research and published a report about the online life of teens. The research revealed that there are many teens that simply hide their online lives from their parents:   

• About a third (32%) say that they don’t tell their parents what they are doing online and would change their behaviour if they knew their parents were watching (31%).
• Even though parents are less likely to monitor their children’s behaviour as they get older, young people are more inclined to hide what they do online from their parents as they get older. By the time they reach the ages of 16 or 17, 56% of teens hide their online activities.

Teens can hide online activity by simply minimising browser windows when parents are nearby, hiding or deleting text messages and cleaning out their browser history.  The result of such activities is that parents can become completely unaware of what, or more importantly “who” their children interact with online. When you consider that more than half of the respondents reported to have known someone that has experienced cyberbullying, it’s a rather worrying trend.

 There is no question that many children (and adults) live rich active online lives that come with many benefits. However if you are considering purchasing such devices for children, it’s important to consider the possible risks and look at ways to keep them safe from such threats. This however should not stop with the installation of software and a brief warning about online threats, but continue with ongoing dialogue.  Moreover, such a “dialogue” should also be considered between generations; grandparents, parents and children alike. For more information please refer to the following links:

 http://blogs.mcafee.com/consumer/family-safety

 http://us.mcafee.com/en-us/local/docs/lives_of_teens.pdf

 http://www.thinkuknow.co.uk/

 http://www.getsafeonline.org/

 Link to report by Reg Baily: Letting Children be Children:

https://www.education.gov.uk/publications/standard/publicationDetail/Page1/CM%208078

Instruction in etiquette and good behavior is something we could all probably use a little more of. And when I read McAfee’s “5 New Year’s Resolutions,” I realized that even though I have young children, I ought to brush up on some digital etiquette myself. It’s not too late to do your resolutions or start news ones or just brush up on your online safety.

McAfee suggests that parents begin the New Year with resolutions that address their own behavior, so they can model best practices for kids and teens:

1. When I’m with my children, I pledge not to spend more than 10% of the time on my phone or computer.
   Adults spend about 3.5 hours day perusing the Internet or staring at their cell phone each day, according to estimates from eMarketer. This year, make a promise to give your full attention to your children, and develop a plan to limit your use of electronic devices.
2. I will not communicate with my children via text when they are in the house.
   One downside of technology is that fewer people actually speak to one another. A Kaiser study found that children in grades 7-12 spend an average of 1.5 hours a day sending or receiving texts.
3. I will not give my child access to an Internet browser on a smartphone or tablet that is not safe for them to use.
   It’s important for parents to shield children from cyber-danger by filtering explicit content on smartphones and tablets via applications such as McAfee Family Protection or McAfee Safe Eyes software. This software can prevent children from establishing or accessing social networking accounts, limit Internet use, and block inappropriate websites or messenger chats.
4. I will be prepared to have a “texting intervention” if my teen’s thumbs begin to look like tiny body-builders.
   Texting may be a quick and easy way to interact with others, but the impersonal nature of the communication and frequency of use can cause problems.
5. I will have “the talk” with my kids, to discuss what they are doing and with whom they are connecting online.
   Children often lack an understanding of online dangers, or they may lack the maturity to make appropriate decisions.

By modeling good behavior and ensuring that children’s experiences on Internet-connected devices is a safe and healthy one, parents can ensure a 2012 that is free of digital drama.

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube. (Disclosures)

McAfee Labs™ is made up of security professionals who spend all their waking hours observing and combating threats to our digital identifies. If anyone is in a position to give us a window into the future on information technology threats, it’s these guys and gals. Here’s what they are predicting we should watch out for in 2012:

-   Attacks on critical infrastructure and utilities— Attackers from all over the world have set their focus on critical life supporting utilities such as water and power to hold those utilities hostage for payment or to disable them to cause terror. This is the kind of industrial threat that many consumers fear. Unfortunately, many industrial and national infrastructure networks were not designed for modern connectivity, making them vulnerable.

-   Political hacktivism—Hactivism is the use of computers or computer networks to protest or promote political change. “Anonymous” is the group which was active last year doing high profile activities such as briefly taking down New York Stock Exchange’s website in support of the Occupy Wall Street protests.

-   Spam, spam, and more spam—Spam is getting easier and cheaper based on the U.S.’ CAN-SPAM Act. Shady, for profit, advertisers are making a mint selling lists to spammers, as advertisers are not required to receive consent before sending advertising.

-   Mobile malware—PCs are still the low hanging fruit. But as more mobiles are used for mobile commerce (mCommerce), virus makers are creating malware designed take over your phone or to deliver a variety of ads or even send expensive text messages from your phone.

-   Hacked cars, GPS and any wireless equipment—Cybercriminals are now targeting embedded operating systems or even hardware to gain control of everything from cars to global positioning system (GPS) trackers and medical equipment.

-   Cyberwar—Not trying to create fear here, just from observation, McAfee Labs has seen an increase in high-tech spying and other “cyber” techniques to gain intelligence.

As technology evolves and our use of the Internet and mobile devices becomes more complex, cybercriminals are also evolving and honing their skills with new types of attacks. But although some of the threats may seem scary, the reality is many offer new takes on old forms of attack and with a little bit of foresight and preparedness we can guard against them.

Robert Siciliano is a McAfee Online Security Evangelist. See him discussing attacks on our critical infrastructure on Fox News (Disclosures)

According to a recent McAfee survey, 60% of consumers now own at least three digital devices, and 25% own at least five. Cybercriminals are taking advantage of these new opportunities by widening their nets to target a variety of devices and platforms. McAfee Labs is reporting an increase in Mac and mobile malware, while PC threats also continue to escalate.

Mobiles: Mobile malware is on the rise, and Android is now the most targeted platform.  Attacks aimed at the Android platform increased 76% from the first to second quarters of 2011. Malicious applications are a main threat area, so be careful of third party applications, and only download from a reputable app store. Read other users’ reviews and make sure you are aware of the access permissions being granted to each app.

Macs, iPads, and iPhones: Unfortunately, the popularity of Apple computers and devices has led to escalated threats. As of late 2010, there were 5,000 pieces of malware targeting the Mac platform, and they have been increasing at a rate of about 10% each month.

Since more threats are being aimed at this platform, consider installing security software for your Mac as a proactive measure. Check out Apple’s new iCloud service, which provides several tools for syncing, backing up, and securing data, and consider a product that offers remote locate, wipe, and restore features in case of loss.

Laptops and desktops: Your security software should include, at a minimum, antivirus software with cloud computing, a two-way firewall, anti-spyware, anti-phishing, and safe search capabilities. Additional levels of protection include anti-spam, parental controls, wireless network protection, and anti-theft protection to encrypt sensitive financial documents.

Gaming and entertainment devices: Remember that the Nintendo Wii and 3DS, PlayStation 3, and Xbox 360 are now Internet-connected, making them vulnerable to many of the same threats as PCs. To protect your investment, make reliable backup copies of your games. Take advantage of built-in parental controls that can help shield kids from violent games or limit when the device can be used. 

Some multiplayer games allow kids to play with strangers over the Internet, so if you are a parent, consider employing monitoring tools. Connect your device to secure Wi-Fi networks only, and don’t store personal information on your device.

Removable storage devices: Flash drives and portable hard drives require technologies to protect your data. Consider using a secure, encrypted USB stick, which scrambles your information to make it unreadable if your device is lost or stolen. Install security software that protects portable hard drives, and set a password.  Since removable storage devices are small and easily stolen, you should not leave them unattended.

Learn more tips from McAfee here: http://blogs.mcafee.com/consumer/securing-new-devices

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube. (Disclosures)

One reason for this is that smaller businesses tend not to keep customer names and contact information on file, and credit card companies discourage them from recording credit card data.

This is serious cause for concern. The Wall Street Journal reports that the majority of breaches impact small businesses:

 “With limited budgets and few or no technical experts on staff, small businesses generally have weak security. Cyber criminals have taken notice. In 2010, the U.S. Secret Service and Verizon Communications Inc.’s forensic analysis unit, which investigates attacks, responded to a combined 761 data breaches, up from 141 in 2009. Of those, 482, or 63%, were at companies with 100 employees or fewer. Visa Inc. estimates about 95% of the credit-card data breaches it discovers are on its smallest business customers.”

If 95% of breaches affect small companies, it’s anyone’s guess how many times my or your credit card numbers have been compromised. I’ve received four new cards in the past three years as a result of major companies being breached. But I use credit cards at more than a hundred different retailers in a year. And it isn’t only credit card numbers that are stolen, but also usernames and passwords, Social Security numbers, email addresses, and more.

Check your credit card statements online weekly and refute any unauthorized charges. As long as you dispute charges within 60 days, federal laws limit your liability to $50. Unauthorized debit card charges must be reported within two days, or liability jumps to $500.

Change up your passwords at least once every six months. If a business is hacked, they may not know for years, and can’t possibly notify you until it’s much too late.