The Internet of (Increasingly Scary) Things

There is a lot of FUD (Fear, Uncertainty, and Doubt) that gets attached to any emerging technology trend, particularly when it involves vast legions of consumers eager to participate. And while it’s easy enough to shrug off the paranoia that bots and other technologically “smart” things may be out to get you all on their own (at least thus far), it’s not so easy to ignore the reality that they can be harnessed for evil as easily as they can for good.

Consider, if you will, the massive DDoS that occurred between November 30 and December 1 targeting thirteen of the Internet’s root name servers. Together, these servers support nearly the entire Internet. True, they’re designed to work in a distributed manner, and if they ever were to fail other servers around the globe would take up their banner and continue serving up IP addresses in exchange for domain names, making not the impact but mechanisms behind the attack the truly scary part of this story.

“At the peak of the DDoS attack, the servers received more than five million queries per second, and more than 50 billion queries in total during the two-day period.” (http://www.ibtimes.co.uk/john-mcafee-massive-ddos-attack-internet-was-smartphone-botnet-popular-app-1532993).

The source of those queries, says a variety of security experts, were almost certainly mobile phones. Maybe yours. Maybe mine. It’s hard to know for sure as the number of variables at play – WiFi, mobile network, carrier, etc… – make it difficult to ascertain where the evenly distributed range of IP addresses were coming from.

Experts are fingering mobile phones with a compromised app installed, citing that such a volume of attack bots would be easily obtained with a relatively small number of activated bad apps. Why would anyone install a bad app? Because they don’t know it’s bad, of course. The supposition at this point is that the bad app is masquerading as something innocuous, like a flashlight app or some other simple utility that’s small, useful, and absolutely free.

This is by no means stretching reality or as far fetched as it may once have sounded. The number of “things” that are capable of being harnessed thanks to their connectivity and reliance on APIs is growing and may soon be large enough to be considered a threat equal to that today of mobile phones against even the largest of institutions.

Foremost among those institutions suggested as targets are, of course, financials who are no strangers to the world of bots, malware, and other malicious bits. That’s because one of the most common ways miscreants perpetrate fraud is the use of malware deposited on mobile phones thanks to phishing or other social engineering techniques. Once on the device, these nasty little bits of software use “different techniques to gain administration permissions on the victims’ device, steal users TANs (Transaction Authorization Number), intercepting SMS messages containing OTPs, performing credential grabbing, presenting fraudulent content, performing automatic money transfers and more” according to Shaul Vilkomir-Preisman, a senior malware analyst in our F5 SOC.

Shaul recently posted analysis of an emerging threat, Tashua-Bot, which has upped the ante in the already high-stakes game of fraud by improving on the traditional technique of overlaying content on legitimate financial sites to trick consumers into providing sensitive information. This is a dangerous evolution, as it provides its controllers with not only the means to target a “virtually endless number of legitimate applications” but also to serve up custom fraudulent content for them without changing the malware itself. That means once deposited, it can potentially be used over and over again, countering whatever protections might be put in place by institutions to protect its consumers against fraudulent activity.

The often casually thrown about phrase that describes the delightful view of the general market toward the app economy, “there’s an app for that”, is not only true for consumers, but apparently for the bad guys as well. Whether it’s mobile phones, your refrigerator, or those “things” you attach to your home appliances that seamlessly order new supplies from Amazon, the bad guys are eagerly seeking new ways to exploit consumers and the increasing number of connections they have to the Internet. As our analysis of Yasuo-Bot shows, they aren’t idle, either, but rather constantly in motion, seeking to find new ways to exploit our appetites for convenience to serve their own needs.

Stay safe out there and buckle up, it’s going to be a bumpy ride.