A new year means a fresh start, but it doesn’t mean that old threats will go away. In fact, in the world of cybersecurity things could get far worse before they get better. Cybercrime continues to increase, as it allows nefarious actors to operate at a safe distance from victims — and more importantly, law enforcement.
Because it rarely is violent in nature, cybercrime often doesn’t get the same response from international law enforcement as other types of crimes. It is far from victimless, however. It is a threat of enormous magnitude, with the potential to affect nearly every company in the world. It even ranks as one of the biggest problems plaguing mankind.
On a global basis, cybercrime will cost US$6 trillion annually by 2021, double the toll of 2015, according to the Official 2019 Annual Cybercrime Report from Cybersecurity Ventures.
This is the largest amount of money generated by illicit means, and it could represent the greatest transfer of economic wealth in history. Cybercrime soon will be more profitable than the global trade of all major illegal drugs combined!
Cybercrime is not one thing. It is many — and fighting it requires understanding the various shapes it comes in. Following is a look at the various types of cybercrime, and things that can be done to fight it.
Phishers Continue to Cast Their Lines
One of the original cybersecurity threats hardly has evolved, but it is unlikely to go away anytime soon.
“Phishing will always continue as long as it works,” warned Satya Gupta, CTO of Virsec, a developer of data security software.
In 2019 we can “expect it to become more targeted and specific to organizations,” he told the E-Commerce Times.
“Phishing is here to stay because it’s simple, it’s cheap, and it will work as long as people continue to read their emails,” noted Matan Or-El, CEO of Panorays, a provider of third-party security management.
“Users should be on guard against downloading applications from untrusted sources,” warned Will LaSala, director of security solutions at OneSpan.
“Phishing remains an easy mechanism to harvest logins and email addresses and potentially passwords, and users should continue to adopt multifactor authentication for all their accounts to help protect against phishing attacks,” he told the E-Commerce Times.
This is among the biggest cybersecurity threats, but it also could be one of the easiest to stop, as it relies on human error to work. It is typically just social engineering, rather than complex coding.
“Companies should train their employees on the risks of phishing attacks and how to avoid them,” said Mike Bittner, digital security and operations manager for The Media Trust, a firm that provides real-time security for digital properties.
“This type of training should be part of creating a culture that makes cybersecurity a strategic imperative across the organization,” he told the E-Commerce Times.
Ransomware on the Rise
Tied closely to phishing scams is the growing threat of ransomware, which can lock a user, or even an organization, out of a computer or network. Even more concerning, it may not be just computer systems or networks that are at risk.
“Ransomware isn’t going away; in fact, we will probably see even more of it targeting consumers in 2019,” said Hank Thomas, CEO of Strategic Cyber Ventures.
“This will be ransomware at scale, targeting a wider swath of middle class Americans that are equally eager to make the problem go away with a quick payment as corporate America was,” he told the E-Commerce Times.
Corporate targets likely will remain in the crosshairs of those who find this an effective illicit business strategy, and due diligence may not be enough to stop all the threats.
“Healthcare remains, by far, the No. 1 target for ransomware, with more than half of all attacks targeting healthcare directly,” warned Pravin Kothari, CEO of cloud security software company CipherCloud.
“Ransomware will also continue as long as there are underprotected systems with data that hasn’t been adequately backed up,” said Virsec’s Gupta.
“However, ransomware threats are increasingly being used as red herrings to distract from other types of attacks on critical infrastructure,” he added.
The greatest danger of ransomware, once again, isn’t that it will block user access to data, but that it could make the leap to any connected device — from automobiles to smart homes. The Internet of Things has opened a brave new world for hackers to lock users out of!
“Businesses need to begin to secure their IoT mobile and Web applications with the same controls that are being deployed for other markets, like multifactor user authentication, and application shielding and secure user onboarding,” said OneSpan’s LaSala.
So far that hasn’t happened, and many users may not expect that their cars, thermostats and doorbells need the same level of security as their PCs.
“People have already been affected by IoT and automobile exploits, but so far there isn’t big money to be had from it, so the scale of this activity remains small,” noted Jim Purtilo, associate professor in the computer science department at the University of Maryland.
“We’ll see just how weak are IoT protections, just as soon as it is in the interests of an aggressor to trigger chaos,” he told the E-Commerce Times.
Here is where healthcare could face a one-two punch.
“In the case of healthcare, many medical devices are also IoT devices,” CipherCloud’s Kothari told the E-Commerce Times.
“They have closed operating systems, proprietary code, and wireless connectivity,” he added. “These devices are essential to healthcare operation and are likely to be targeted as the cyberwar on hospitals escalates.”
Protecting the Cloud
The movement of more and more data off site to cloud-based services could direct cybercriminals to the cloud as well. Because their data is off site, many businesses wrongly may assume that it is secure, but that faith may be unwarranted. Choosing a cloud provider should come down to the level of security it provides, and its track record in keeping data secure.
“The cloud is really more like a swamp of data, and it’s not this idealistic place of security rainbows and data unicorns,” warned Strategic Cyber Ventures’ Thomas.
“Nobody really wants to trudge through it, but you know it’s where the best treasure probably is,” he added. “So it just might be worth it to spend a lot more time there, since the security is often really just a bunch of annoying mud, mosquitoes and thorns that are more of a nuisance than real security.”
The question now is whether enough really is being done to keep data secure. The cloud holds treasures comparable to those of Fort Knox, but in many cases it lacks the same level of security.
“Effective cloud security requires strong protection at the application layer, particularly with externally facing Web, mobile and API application assets,” suggested Franklyn Jones, CMO at Cequence Security, a venture-backed cybersecurity software company.
“These are prime targets for the growing number of automated bot attacks,” he told the E-Commerce Times.
“These attacks are nearly impossible to detect with traditional security tools because they involve the use of legitimate user names and passwords, not malware or APTs,” Jones added. “Therefore, cloud security architectures need to include tools that can detect the underlying behavior and intent of application transactions, which is essential to stop malicious automated bots.”
The Rising Threat of Digital Ad Fraud
One of the lesser-known types of cybercrime is one few people know much about, but one that affects more and more people each year. Digital ad fraud makes it difficult for online content publishers to generate revenue.
Advertisers lose an estimated $19 billion to fraudulent activities each year — equivalent to $51 million daily — according to a report from Juniper Research published last year.
More worrisome is the forecast that ad fraud could reach $44 billion by 2022. The bulk of fraudulent ads affect video, but all content providers online, including newspaper publishers, are potential victims of ad fraud.
This has reached a point where law enforcement is taking it seriously.
The Department of Justice last year announced a 13-count indictment against eight men for various cybercrimes, including what the FBI identified as the biggest-ever ad fraud investigation. The group, which has been dubbed “3ve” (pronounced “eve”), included six Russian nationals and two Kazakhstani citizens.
“In digital advertising, the most common scams take the form of malicious or hijacked ads redirecting Internet users to phishing pop-ups that enable bad actors to commit identity and credit card theft,” said The Media Trust’s Bittner.
“In such attacks, bad actors pose as legitimate advertisers and use a compromised site to propagate phishing scams,” he said. “All organizations are vulnerable to these attacks, which can have multiple phases as the first attack opens up the organization to later ones.”
The (Crypto) Currency of Cybercrime
It is now probably safe to say that 2018 didn’t exactly become the year of cryptocurrency — at least to the degree many had suggested. However, it was the year that cryptocurrency became a key tool in many ransomware schemes — including the threats that personal data would be released online unless the hacker was paid.
That particular threat turned out to be bogus, but it highlighted the fact that bitcoin and other digital currencies could offer a less-traceable way for criminals to be paid — at least in theory.
“Cryptocurrencies remain the exchange mechanism of choice for cybercriminals who need whatever direction they can get while fleecing victims,” suggested University of Maryland’s Purtilo.
However, bitcoin and its rival digital currencies aren’t the perfect solution for cybercriminals — at least not yet.
“Rampant use of cryptocurrencies for illicit use is a glaring misconception,” explained Strategic Cyber Ventures’ Thomas.
“Bitcoin, the most widely used and secure cryptocurrency, is pseudonymous and easily traceable — making cash a much more logical choice for many criminals,” he added. “Other more privacy-centric cryptocurrencies do exist and can be used for these purposes. However, privacy is never entirely rid of traceability, and attribution is often inevitable.”
There are other reasons cybercriminals may shy away from bitcoin and other cryptocurrencies.
“Many of these are faced with illiquid markets, making cashing out to fiat currency incredibly difficult and costly,” said Thomas.
The bigger threat in cryptocurrency might not be in how it is used, but rather how it is created — as in “mined.” Bitcoin and other currencies are created by having computers solve complex mathematical equations, and this is dubbed “mining.”
“Cryptojacking attacks played a very major role in cybersecurity last year,” said The Media Trust’s Bittner.
“Cryptojacking has surpassed ransomware as a pervasive digital threat in many countries. Although cryptocurrency has failed to reach the critical mass many had earlier predicted, malicious actors will continue to use cryptojacking for its stealth and relative ease,” he warned.
“The fact that cryptojacking requires no interaction with the unknowing victim makes attacks easier to deliver and possible to repeat,” Bittner said. “Cybercriminals may draw from the well again and again.”
The Next Thing in Cybercrime
A pressing concern with cybercrime and cybersecurity is not what criminals are involved with today, but what they might target tomorrow and beyond.
“The scams I would worry about the most are the ones the good guys haven’t dreamt up and prepared for yet,” said Thomas.
“The scenarios are essentially limitless, with the number of criminals and intelligence services around the world constantly looking to gain access to Western enterprises and users,” he added.
“Consumers — average-Joe Americans without much of any real security – will remain most vulnerable, but aren’t the biggest target,” noted Thomas. “Lucrative business and government targets will keep that honor in 2019. Phishing will continue to be a popular and efficient avenue of approach to gain entry to both consumer and business targets.”
It appears that what works today, sadly, will continue to work for cybercriminals as 2019 unfolds.