Perhaps the worst news about Pokemon Go is how attackers are using it to spread malware. This is not the first time bad-guy hackers have leveraged the popularity of games to spread malicious software. Viral memes spread malware, too, via drive-by attacks as people visit malicious sites that draw them by hosting or linking to the internet-based cultural sensation.
Users assume that games and meme sites have integrity. This makes it easy for the hackers to push compromising software onto consumers’ phones and computers and into your organization. Cyber thugs also use man-in-the-middle attacks on game apps to take control of mobile devices and launch attacks on the enterprise.
CSO shares the process attackers use to slip inside the enterprise through memes and games together with enterprise security policies and enforcements that help ensure the next viral internet craze doesn’t lead to malware playtime inside your organization.
Attackers enter games in a couple of ways. When they see users swiftly adopting a game such as Pokemon Go, they download a copy, decompile it, add malware, compile it, and publish it onto fake and third-party app sites for unsuspecting consumers to download and use. “When the user downloads the app, it installs a Trojan or other malware variant that gives attackers complete control of the device along with a mechanism for tracking and extracting personal information such as passwords and payment information,” explains Philip Casesa, Product Development and Portfolio Management, (ISC)2. Attackers can increase their dwell time on the device by allowing the game app to function normally despite the malware.
Attackers lure victims by making the cloned games available in parts of the world where the game’s vendors have not yet released the genuine item. “While the U.S. population was capturing Pokemon, the U.K. market still had no official release date. This resulted in more people attempting to bypass the relative safety of managed app stores to obtain the software, by jailbreaking their phones,” says Casesa.
These hackers also infiltrate game apps that are already in use. According to Bob Palmer, a vice president with SAP NS2, attackers gain access on a communications protocol level using a man-in-the-middle attack that intercepts the handshake between the game app on the device and the game vendor’s server.
In either case, attackers can then manipulate the privileges the user granted to the app to extract usage data and personal information including passwords in order to control the device’s behavior and make it do things it would not normally do, according to Palmer. “They can get the smartphone to send an email with a malware payload into the corporate network hoping someone will open it."
As for memes, malicious websites host viral videos, posts, and images to draw people in, and then the site automatically passes malware onto the user’s device. “The user doesn’t need to actively download anything or engage in other risky computer behavior. Simply visiting the infected website can cause malware or ransomware to exploit vulnerabilities in the operating system or browser,” says Casesa.
“Once an attacker has personal information like passwords they can go after email accounts, which can enable access to other accounts. Where people reuse the same password, attackers can access employee bank accounts as well as work accounts,” explains Casesa.
Using work credentials, attackers explore and exploit whatever systems the user has privileges on. “Attackers can use access to these systems to spread more malware, collect additional data, and pick up credentials for more systems,” says Casesa.
Enterprise preparations, policies and enforcements
Stringent policies are unavoidable where the security of enterprise data and the productivity and safety of employees are concerned. “Mobile policies can ban certain apps and jailbreaking or side-loading of software,” says Casesa. When employees understand why this is necessary, it should be easier to get them to comply.
Use education programs that grab your employees’ attention and engage them while teaching them the risks of memes and games, as well as your policies for such sites and applications. Programs need to identify the official app download sites and point out the earmarks of unofficial and known bad sites so that your people can tell one from the other. Confirm that they understand, and verify a change in their behavior after the training as well.
There are other benefits to successful security education. “A knowledgeable workforce is often the first and best line of defense because they can spot risks and report them to the proper teams before these lead to damage,” says Casesa. Rewards systems typically work well for reinforcing healthy employee behavior in response to security risks.
Even with a successful rewards program, it is necessary to apply technology to reinforce policies. By using technologies including mobile device management (MDM), mobile application management (MAM), and enterprise mobile management (EMM) as well as network access control (NAC) and endpoint security, and by layering compatible approaches, the enterprise can enforce strong policies and take a strong stance against malware. First ask your existing device and software vendors about available tools.
Then you can automatically block device or even user access to corporate networks once these mobile technologies detect behavior that goes outside the security policy. Remember, if you block only the device, the user may still have it synced with other devices, and the malware may enter through one of these other devices that you have not blocked.
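The enforcement logic described above, as an added example that is not from CSO, (ISC)2 or any MDM/NAC vendor: device records are evaluated against a policy banning jailbroken devices, side-loaded software and specific apps, and a violation revokes network access for every device belonging to that user, not just the offending device, because of the synced-device gap the text points out. The device records, install-source labels, app names and policy values are all constructed assumptions.

```python
"""Per-user network access revocation driven by mobile policy violations.

Added example; the MDM agent report format (install source per app,
jailbreak flag) and the sample devices below are constructed assumptions.
"""
from dataclasses import dataclass

# Assumed labels an MDM agent might report as an app's install source.
OFFICIAL_STORES = {"app_store", "play_store"}


@dataclass
class Device:
    device_id: str
    user: str
    jailbroken: bool
    apps: dict  # package name -> install source


@dataclass
class Policy:
    banned_apps: set
    allow_sideloading: bool = False
    allow_jailbreak: bool = False


def violations(device: Device, policy: Policy) -> list:
    """Return human-readable policy violations for a single device."""
    found = []
    if device.jailbroken and not policy.allow_jailbreak:
        found.append("jailbroken/rooted device")
    for app, source in device.apps.items():
        if app in policy.banned_apps:
            found.append(f"banned app {app}")
        if source not in OFFICIAL_STORES and not policy.allow_sideloading:
            found.append(f"side-loaded app {app} from {source}")
    return found


def enforce(devices, policy: Policy) -> dict:
    """Decide which devices lose corporate network access.

    Blocking is applied per user: once any of a user's devices violates
    policy, all of that user's devices are cut off, so malware cannot
    ride in on a still-trusted synced device.
    """
    flagged_users = {}
    for d in devices:
        v = violations(d, policy)
        if v:
            flagged_users.setdefault(d.user, []).extend(
                f"{d.device_id}: {reason}" for reason in v
            )
    blocked = sorted(d.device_id for d in devices if d.user in flagged_users)
    return {"blocked_devices": blocked, "reasons": flagged_users}


# Constructed sample fleet: alice has a jailbroken phone with a side-loaded
# game clone plus a clean tablet; bob has a single clean phone.
SAMPLE_DEVICES = [
    Device("phone-1", "alice", True, {"com.example.game-clone": "third_party_site"}),
    Device("tablet-1", "alice", False, {"com.example.mail": "app_store"}),
    Device("phone-2", "bob", False, {"com.example.mail": "play_store"}),
]
SAMPLE_POLICY = Policy(banned_apps={"com.example.banned-vpn"})

if __name__ == "__main__":
    for device_id in enforce(SAMPLE_DEVICES, SAMPLE_POLICY)["blocked_devices"]:
        print("revoke network access:", device_id)
```

Note that `tablet-1` is blocked even though it is clean on its own; that is the deliberate consequence of keying the block on the user rather than the device.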
Additional security for risky memes and games
There are many reasons to delay software patches including the need to test these for flaws, the fact that a patch may make the patched software incompatible with other software and applications, and the fact that this incompatibility may break a vital app that serves the needs of your core business. However, you need to weigh these risks against the risks of malware entering through unpatched vulnerabilities.
If you can automate testing for patched software in a sandbox and then schedule it for limited production use on a certain set of servers before fully deploying it, you can establish some sort of routine, relatively swift patching program to close those holes while maintaining the integrity of the production environment. If a patch does break a critical application, you will have to weigh the opportunity cost of updating the application and perhaps software with dependencies against the likelihood and severity of the security threat from the unpatched hole.
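The patching routine sketched in the two paragraphs above (sandbox test, then a limited production set, then full deployment, with a broken critical application handled rather than ignored) as an added example in code. This is not CSO's or any vendor's tooling; the host names, the patch identifier and the simulated deploy, rollback and health-check functions are constructed stand-ins for whatever configuration-management and monitoring tools an organization actually uses.

```python
"""Gated, staged patch rollout: sandbox -> canary subset -> full fleet.

Added example. Real deployments would replace the fake_* functions with
calls into configuration management and monitoring; everything here is
simulated in memory.
"""
import math


def choose_canaries(hosts, fraction):
    """Pick the limited production set: at least one host, rounded up."""
    n = max(1, math.ceil(len(hosts) * fraction))
    return list(hosts[:n])


def staged_rollout(patch_id, hosts, canary_fraction,
                   sandbox_test, health_check, deploy, rollback):
    """Run the rollout and return a record of what happened.

    Gate 1: the patch must pass the sandbox test or nothing is deployed.
    Gate 2: every canary host must stay healthy; otherwise all canaries
            are rolled back and the rollout stops.
    Stage 3: remaining hosts are patched one by one; a host whose health
            check fails is rolled back individually and recorded, so the
            breakage is surfaced for the cost/risk decision described in
            the text instead of silently blocking the whole program.
    """
    result = {"patch": patch_id, "stage": "sandbox", "deployed": [],
              "rolled_back": [], "status": "in_progress"}
    if not sandbox_test(patch_id):
        result["status"] = "failed"
        return result

    canaries = choose_canaries(hosts, canary_fraction)
    result["stage"] = "canary"
    for host in canaries:
        deploy(host, patch_id)
        result["deployed"].append(host)
    if not all(health_check(h) for h in canaries):
        for host in canaries:
            rollback(host, patch_id)
        result["rolled_back"] = list(canaries)
        result["deployed"] = []
        result["status"] = "failed"
        return result

    result["stage"] = "full"
    for host in hosts[len(canaries):]:
        deploy(host, patch_id)
        if health_check(host):
            result["deployed"].append(host)
        else:
            rollback(host, patch_id)
            result["rolled_back"].append(host)
    result["status"] = "complete" if not result["rolled_back"] else "partial"
    return result


# Constructed fleet and simulated tooling.
FLEET = ["db-01", "db-02", "app-01", "app-02", "app-03", "app-04"]
INSTALLED = {}  # host -> patch id currently applied


def fake_sandbox_test(patch_id):
    return True


def fake_deploy(host, patch_id):
    INSTALLED[host] = patch_id


def fake_rollback(host, patch_id):
    INSTALLED.pop(host, None)


def run_demo(breaking_hosts=frozenset({"app-03"})):
    """Simulate a rollout where the hosts in breaking_hosts run an
    application that stops working once the patch is installed."""
    INSTALLED.clear()

    def fake_health_check(host):
        return not (host in breaking_hosts and host in INSTALLED)

    return staged_rollout("PATCH-EXAMPLE-001", FLEET, 0.25,
                          fake_sandbox_test, fake_health_check,
                          fake_deploy, fake_rollback)


if __name__ == "__main__":
    print(run_demo())                # app-03 rolled back, status "partial"
    print(run_demo({"db-02"}))       # canary gate fails, nothing stays deployed
```

With a 25% canary fraction the first two hosts form the limited production set; a breakage there stops the rollout entirely, while a breakage later in the fleet rolls back only the affected host and leaves the decision about that application to the operators.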
Hardening endpoints costs little more than the time and effort it takes to set the configurations that do so. “Aggressive patching and hardening of these machines goes a long way toward reducing the risk of infections that can provide attackers with a foothold into the organization,” says Casesa.
All the technology in the world won’t stop malware from waltzing into your company if employees do not willingly make themselves extensions of the security team. By using ever more positive, rewarding programs to draw employees into the security battle, you can begin to keep them from being extensions of an attacker’s team instead.