New Malware Wants Your Life, Not Your Passwords
Researchers delve into next-generation malware threats that will steal or usurp people's behavioral patterns to cull and resell valuable information without ever being detected.
A research paper published this week should serve as a wake-up call to those who are particularly fond of social networking sites and therefore make ideal candidates for a new breed of malware that in practice resembles something close to a black-market customer relationship management (CRM) system in reverse.
Titled "Stealing Reality," the paper was written and researched by academics and communications experts at MIT, Ben Gurion University and Deutsche Telekom Laboratories and uses complex mathematical formulas to demonstrate just how effective a stealth malware attack targeting Internet users' behavior and communication patterns could be if practitioners were — or already are — willing to be patient and unobtrusive.
Unlike the typical smash-and-grab malware attacks that use pornographic images or links to infected websites to steal users' passwords or send more spam or malware to everyone in a victim's address book or contact list, this type of sophisticated, behavior-based scam is the long con.
"There is a great deal of information in the patterns of communication exercised by the user with his peers," the researchers wrote. "These patterns are affected by many factors of relationship and context, and could be used in reverse — to infer the relationship and context."
By tapping into mobile devices and networks, a looming security quagmire that companies like McAfee (NYSE: MFE), Symantec (NASDAQ: SYMC) and Cisco Systems (NASDAQ: CSCO) are racing to resolve, hackers could then track an individual's communication pattern and juxtapose that data against his or her social networking activities to form a "rich identity profile."
This profile would be derived by checking when and how often he or she sends texts or makes phone calls or updates his or her Facebook page or checks in on Foursquare. The more involved the individual is in the "digital" community, the more valuable his or her information pattern becomes.
And because this illegal version of what amounts to a blackhat social CRM database doesn't cause a computer or mobile device to crash or result in the immediate loss of an antivirus application or the theft of money from a bank account or a gift card, the surveillance would theoretically go unnoticed and therefore garner even more valuable and meaningful behavioral information as time passes.
"Our results clearly show that an 'aggressive attack' achieves inferior results compared to more subtle attacks," the paper's authors concluded. "A 'Stealing Reality' type of attack, which is targeted at learning the social communication patterns, could 'piggyback' on the user-generated messages, or imitate their natural patterns, thus not drawing attention to itself while still achieving its target goals."
What exactly would those goals be?
For starters, it would be the kind of detailed information that advertisers, marketers and spammers would love to get their hands on; for now, they have to be content with mass, barnstorming-type email campaigns.
Moreover, because the information and the identity of the person whose behavior pattern is being monitored are known in detail and in context, that information carries even more weight when a monetizing spam, malware or advertising campaign is launched. Not only would those impacted by the potential attack know the person who is the center of the pattern, but that person would also face the almost impossible task of trying to extricate himself or herself from the attack.
When a malware campaign successfully hacks into a person's email account or bank account, it's costly and frustrating but ultimately it can be rectified and the victim can get new accounts.
But if someone steals your behavioral patterns, it's much more daunting to change your network of friends, family and coworkers to start over fresh without someone tracking your every digital move.
"There is no reason to think that developers of malicious applications will not implement the same method and algorithms into future malware, or that they have not already started doing so," the researchers concluded.