FBI says overseas travelers at risk of attacks through pop-up windows
Security analysts note warning is short on details
Attack is a pop-up asking users to update a popular piece of software
It has happened on hotel Wi-Fi systems, FBI says
If you’re traveling abroad, your laptop could be attacked. That much is certain, according to the U.S. Federal Bureau of Investigation, which warned this week that hackers are “targeting travelers abroad through pop-up windows while establishing an internet connection in their hotel rooms.”
The warning comes from the FBI’s Internet Crime Complaint Center, or the IC3. But it lacks so many key details that security experts wonder if it’s of any use. It doesn’t say where these attacks have occurred, how prevalent they are, or how exactly they work.
Graham Cluley, a blogger with antivirus vendor Sophos, found the lack of details peculiar. “What’s fascinating about the advisory is what it doesn’t say,” he wrote on his blog Thursday. “And without more information it’s hard to know how computer users are supposed to take meaningful action to protect themselves.”
Bloomberg reported late last year on a widespread hacking effort that hit ISPs, including at least one hotel network service provider. Networks were hit in “more than a dozen countries, including Canada, Switzerland, Bangladesh, Venezuela and Russia,” Bloomberg said.
The IC3 report comes months after the Bloomberg story, but then the FBI isn’t exactly known for being ahead of the curve when it comes to security warnings.
Here’s the key passage:
Recently, there have been instances of travelers’ laptops being infected with malicious software while using hotel internet connections. In these instances, the traveler was attempting to set up the hotel room internet connection and was presented with a pop-up window notifying the user to update a widely-used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available.
But pop-up windows that instruct users to do bad things – installing adware or fake antivirus products or malicious Trojan horse programs, for example – have been around for years. They happen everywhere on the internet, not just in untrustworthy hotel and public Wi-Fi networks.
“Nobody has cited evidence specifically tying this to hotel rooms,” says Robert Graham, CEO of security consultancy Errata Security. “My advice for travelers is that there is nothing you need to do for traveling that you shouldn’t already be doing anyway.”
Reached Thursday, FBI spokeswoman Jenny Shearer couldn’t cite any public reports detailing these attacks. “We don’t have much more guidance to offer the public beyond what was shared in the alert,” she said.
Security experts generally acknowledge that hotel networks — especially open Wi-Fi networks — are untrustworthy minefields.
Jonathan Kine, a technology consultant based in Jakarta, says he’s seen the type of attack described in the IC3 report in hotel and public Wi-Fi networks in China, Malaysia, and Indonesia. “The user gets a pop up or a browser window that states in order to login please allow us to update your browser, then they download the payload and are infected,” he says. In some cases, the update looks like it’s from Adobe Systems, Kine says. It isn’t.
For corporate users, or those who are technically savvy, a virtual private network is often the best way to boost security.
Another option: use your mobile carrier’s network. That’s what Searl Tate did recently on a trip to Las Vegas. Instead of paying for a hotel network, he simply grabbed his iPad and connected to his carrier’s 4G network. “There are other performance reasons too,” he says, “but security drives a portion of my concern.”
For Graham, that means full disk encryption, to make your laptop unreadable in case it gets stolen. He also says that travelers should be up-to-date with their software patches and use secure SSL connections whenever they’re on the Web. “And stop clicking on Trojans,” he adds. “If you don’t do this already, then there’s really no hope for you anyway.”