“The way elements are laid out on a page and the actions that take place when a user touches something are all opportunities to embed an attack,” the researchers wrote, adding that once the user has clicked on that malicious link posing as an legitimate image, hackers and botnets can “spy” on the smart phone and redirect the user to a “malicious payload,” where sensitive personal information – including passwords, banking information, and documents – can be accessed by outside machines.
IT officials at Washington and Lee University (WLU) in Virginia are among campus technologists who have tracked a mobile device boom that began last year and continued into the fall 2011 semester.
Two years ago, four in 10 university WLU freshmen owned a smart phone. By 2010, 60 percent of freshmen owned iPhones, Droids, and other popular mobile devices.
Now three in four WLU freshmen own a smart phone, said Julie Knudson, the school’s director of academic technologies.
The near ubiquity of smart phones on college campuses could complicate IT staffers’ attempts to protect school networks against attacks via social media websites, which are now commonly accessed via mobile device.
Social networking attacks accounted for about 20 percent of all phishing scams in January 2009, according to a report from Microsoft Security Intelligence. By July, that number had risen to more than 70 percent of all phishing attempts.
About 20 percent of Facebook users have some sort of virus or malware in their profile’s news feed, according to antivirus security company BitDefender.
A popular Facebook phishing scheme that surfaced last year brings users to a Facebook login page that looks identical to the real page. If a user name and password are entered on the fraudulent site, a hacker can gain control of that person’s Facebook account.
Without seeing the URL listed atop a smart phone screen, students won’t be able to stop the phishing attack before it poses a threat to the campus’s internet infrastructure.
Smart phones’ small screens aren’t the only feature that makes the devices a potential harm to campus networks.
Mobile internet browsers rarely – if ever – have updates or patches that shore up security holes discovered when hackers identify and attack vulnerabilities in popular mobile devices.
“One of the biggest problems with mobile browsers is that they never get updated,” Dan Kuykendall, co-CEO and chief technology officer for NT OBJECTives, said in the Georgia Tech report. “For most users, their operating system (OS) and mobile browser is the same as it was on the phone’s manufacture date. That gives the attackers a big advantage.”
Desktop computers can have security gaps patched within days, whereas mobile devices might not receive a critical security update for months, the researchers wrote.
“The software industry needs to modify the current patch and update model to integrate mobile devices for more complete coverage,” Ahamad and Rotoloni wrote.