Bloomberg

Cyberthieves expected to go after smart phones





Security experts watching closely for any sign that sophisticated cybercrime was making the leap from the personal computer to the smart phone caught a stunning one this fall.

A potent new variant of an infamous piece of malicious software was attacking Symbian and BlackBerry phones in a multilevel scheme designed to thwart the defenses of banks.

Cyberthieves apparently used familiar methods to snatch banking customers' online log-ins and passwords, and then tricked them into revealing their mobile numbers, according to an analysis by Spanish security firm S21sec. The customers received seemingly innocuous text messages with links that, when clicked, would install software that allowed hackers to view subsequent texts.

This enabled them to intercept the codes that increasing numbers of banks send to phones to authenticate online financial transactions. That potentially meant the attackers could cue up a transaction, wait to see the code pop up, and then drain the account.

The FBI said in October that an organized-crime ring had used one version of the malware, known as Zeus Botnet, to pull $70 million from bank accounts. It's unclear how much harm the mobile variant inflicted, if any, before it was discovered and addressed.

But its mere appearance set off alarm bells for security professionals, who have long feared the damage that could be done through smart-phone cyberattacks. While no high-cost or wide-scale breaches of mobile devices are yet known, the discovery of the Zeus strain, other limited attacks on phones and a series of vulnerabilities uncovered by researchers indicate that the threat level is rapidly rising.

"The Zeus bug was a wake-up call," said Eric Monti, senior researcher at Trustwave, a Chicago information security firm. "We've seen a huge rise in malware attacks against (technology) infrastructure, and desktops in particular. What we're going to see soon is a similar surge in mobile malware."

The reason is money, he and other security professionals say. There's a growing list of motivations for profit-minded hackers to find ways to infiltrate the devices, including the widening use of smart phones, increasing dominance of particular operating systems, growing capabilities of the always-connected gadgets and accelerating use of mobile financial applications.

Meanwhile, the troves of personal information that flow through the devices mean that when innovative attacks succeed, the stakes may be very high.

DoCoMo 911

Starting in the spring of 2000, thousands of Japanese customers of NTT DoCoMo Inc.'s early Internet service for mobile phones were tricked into downloading a Trojan horse. It hijacked their handsets and forced them to dial 110, Japan's emergency number.

DoCoMo 911, as the attack became known, overloaded switchboards, preventing real emergency calls from getting through.

It was one of the most alarming assaults on phones so far, and prompted security experts at the time to warn of a dawning era of mobile attacks. It hasn't happened - yet.

The 10 years since the DoCoMo incident have been relatively quiet on the mobile security front. Phone hacks have been mostly limited to the bragging-rights variety or small-scale for-profit attacks, even as malicious hackers found inventive new ways to make millions through cyberassaults on personal computers connected to the Internet.

The reasons are important to understand, because they may well be falling away one by one.

There are far more people around the world using PCs than smart phones, and the vast majority of the computers run Microsoft's Windows operating system. That means hackers can exploit a single vulnerability to potentially reach a vast number of computers.

In contrast, the mobile market has been smaller, fragmented across a variety of operating systems and rarely used for financial transactions.

Nightmare scenario

