Consumers are protecting their laptops and desktops with the latest anti-virus and malware protection software, but neglecting to do the same with their smartphones is making them easy targets for hackers, just in time for the holiday season.
A recent Symantec study shows the number of threats that track users on mobile devices by collecting text messages and GPS coordinates, recording voice conversations, and gathering pictures and video has doubled.
Alexander Rau, a national information security strategist with Symantec, said security risks are increasing for smartphone users because they are not educating themselves.
"Of the device categories, mobile is the least secure," Rau said. "People think their cellphones are secure and they're not. There's a lot of education that needs to be happening on the mobile front."
Some holiday shoppers will look to avoid the long lines and busy malls by shopping online with their smartphones. Rau said the eagerness of shoppers to find the best deal makes them more susceptible to these scams.
"It’s almost like we’re so busy to try to get shopping done that we let our guard down a bit," Rau said. "That normally wouldn’t happen during the year."
According to the Symantec report, about 50 per cent of credible retail websites are vulnerable to malware attacks, with 25 per cent of them being vulnerable to critical attacks. Rau said just because they're credible chain retailers, it doesn't mean their websites aren't being attacked. If shoppers are using their PCs, anti-virus and anti-malware software can usually detect when there's a threat. Since users aren't keen to use the same software on their smartphones, Rau said, there's no line of defence.
Home Depot was only the latest high-profile victim of a malware infection that resulted in 56 million payment cards being compromised.
Shopping in app stores is even more dangerous.
Cybercriminals study the latest trends and create new routes of attack based on their findings. A Nielsen study reports U.S. smartphone users between the ages of 25 and 34 use 29.5 apps per month. Rau said cybercriminals target smartphone marketplaces by duplicating well-known apps, slightly renaming them, and infusing them with malware which spreads as soon as the false app is downloaded.
Hackers even target security apps, in a cruel ironic twist, so that the rare user who is actually attempting to protect their smartphone ends up endangering it instead.
"In one click you can install [the app] and suddenly it's the wrong one."
Phishing scams have also transferred over well from the classic email version. Called smishing on mobile, the scam sends text messages to random phone numbers with links to fraudulent websites. Clicking on those links will take users to a website where Rau said malicious code is uploaded to phones, once again allowing cybercriminals to monitor use and steal personal information.
Don't mistake their intentions though. Credit card numbers are valuable, but they don't even rank in Symantec's top ten types of information stolen through mobile hacking. Cybercriminals would much rather steal identities.
Real names, birthdays, and government ID numbers are the most targeted.
"When somebody steals credit cards and they start selling them on the black market, the cards aren't worth anything, but personal information could lie dormant for six, seven months, or longer."
When cybercriminals prefer a more direct approach, Symantec's report shows ransomware is their weapon of choice. Ransomware is a type of malware that allows cybercriminals to encrypt the victim's files and demand a ransom to return access to them.
CryptoLocker was an evolution of ransomware that cybercriminals used to attack PC users in 2013. Hackers used it to completely lock computers and demand a fee within a 72-hour deadline to provide an unlock code.
CryptoLocker has been mostly shut down, but cybercriminals have created evolutions like Simplocker that attack Android phones instead.
Symantec research shows most victims of ransomware choose not to pay the fee, but three per cent of victims are giving in to the hackers' demands. Detected cases of ransomware across all platforms multiplied six-fold from 112,000 in January to 660,000 in December 2013. That means that about 19,800 victims would have agreed to pay an average fee of $300 to regain control of their files in December. That's $5.9 million in revenue accumulated during one month in 2013.
Rau said most of the time, these criminals can't be identified or charged, which allows the business to continue to be a profitable one.
"I would say the percentage is probably very low [for them to be identified and charged]. Number one, it's very hard to find out who it was in the first place and then [if we do] our criminal reach doesn't go there."
Without much hope of reversing the damage, Rau suggests users take the necessary steps to ensure it doesn't happen in the first place.
Rau recommended smartphone users download malware protection software and avoid doing any shopping or banking when connected to public Wi-Fi hotspots.
If users are going to shop online using smartphones, Rau said they should check banking statements and try to not get fooled by websites offering deals that almost seem too good to be true.
Rau said cybercriminals won't stop coming up with new scams and smartphone users should have the same mindset when it comes to protecting themselves.
"It will never stop. They will always try to be a step ahead and prey on the weak."