Crowd-Sourcing and Next Generation Malware Threats

Crowd-sourcing enables companies and individuals to quickly and efficiently distribute work to large numbers of willing workers. Crowd-sourcing at its best allows large tasks to be taken up by thousands of volunteers a piece at a time. Wikipedia and open source software development are two golden examples of this concept. However, crowd-sourcing has introduced a new, anonymous method of spreading malicious software or phishing scams.
* Software testing is simplified by a company when they can ask dozens or hundreds of crowd-sourced workers to install something and test it. Unfortunately, this method can also be used to distribute malicious software.
* Crowd-sourcing tasks asking you to sign up for a new crowd-sourcing website may be driven by an up and coming job site that needs workers in order to attract job posters. However, the financial information requests such as “we need your Social Security Number before we can pay you” are a new threat. Large crowd-sourcing sites such as Amazon Mturk have tight security that can be breached by hackers. Small, up and coming job sites lack this level of security.
* Social networking sites, online auction sites and online classified sites attempt to screen out scammers and shut down accounts of those who violate the rules. Unfortunately, scammers are increasingly using crowd-sourcing sites to get around these rules. Tasks paying a few cents up to a dollar or two ask someone to create an account on a website, sometimes with the user name and email address given. This gets around the individual’s computer or IP address being blocked. In other cases, the scammer pays $1-3 for the crowd-worker to phone verify the account and then hand over the credentials. The scammer gets a new, verified account to work from while the phone is tied to that of the crowd-worker.

* “Test my landing page” is generally a phishing scam. Landing page tests that require “valid” email addresses are always phishing sites. Never click on the link in an email received via one of these crowd-sourcing tasks, even if the crowd-sourcing task has made this a condition of payment. If may be a test of their email list and ability to distribute malicious software via the installation link.

* Asking individuals to send a text message to a specific address is posed as a test of an SMS system places someone on solicitation lists. The “do not call” list protection disappears when someone initiates this contact. The malware threat appears when the task requests someone to click on the link sent to them to remove themselves from the text messaging list, infecting their mobile device with malicious software.