This article originally appeared in ECommerce Times on January 11, 2019.
The Biggest Cybercrime Threats of 2019
A new year means a fresh start, but it doesn’t mean that old threats will go away. In fact, in the world of cybersecurity things could get far worse before they get better. Cybercrime continues to increase, as it allows nefarious actors to operate at a safe distance from victims — and more importantly, law enforcement.
Because it rarely is violent in nature, cybercrime often doesn’t get the same response from international law enforcement as other types of crimes. It is far from victimless, however. It is a threat of enormous magnitude, with the potential to affect nearly every company in the world. It even ranks as one of the biggest problems plaguing mankind.
On a global basis, cybercrime will cost US$6 trillion annually by 2021, double the toll of 2015, according to the Official 2019 Annual Cybercrime Report from Cybersecurity Ventures.
This is the largest amount of money generated by illicit means, and it could represent the greatest transfer of economic wealth in history. Cybercrime soon will be more profitable than the global trade of all major illegal drugs combined!
Cybercrime is not one thing. It is many — and fighting it requires understanding the various shapes it comes in. Following is a look at the various types of cybercrime, and things that can be done to fight it.
Phishers Continue to Cast Their Lines
One of the original cybersecurity threats hardly has evolved, but it is unlikely to go away anytime soon.
“Phishing will always continue as long as it works,” warned Satya Gupta, CTO of Virsec, a developer of data security software.
In 2019 we can “expect it to become more targeted and specific to organizations,” he told the E-Commerce Times.
“Phishing is here to stay because it’s simple, it’s cheap, and it will work as long as people continue to read their emails,” noted Matan Or-El, CEO of Panorays, a provider of third-party security management.
“Users should be on guard against downloading applications from untrusted sources,” warned Will LaSala, director of security solutions at OneSpan.
“Phishing remains an easy mechanism to harvest logins and email addresses and potentially passwords, and users should continue to adopt multifactor authentication for all their accounts to help protect against phishing attacks,” he told the E-Commerce Times.
This is among the biggest cybersecurity threats, but it also could be one of the easiest to stop, as it relies on human error to work. It is typically just social engineering, rather than complex coding.
“Companies should train their employees on the risks of phishing attacks and how to avoid them,” said Mike Bittner, digital security and operations manager for The Media Trust, a firm that provides real-time security for digital properties.
“This type of training should be part of creating a culture that makes cybersecurity a strategic imperative across the organization,” he told the E-Commerce Times.
Ransomware on the Rise
Tied closely to phishing scams is the growing threat of ransomware, which can lock a user, or even an organization, out of a computer or network. Even more concerning, it may not be just computer systems or networks that are at risk.
“Ransomware isn’t going away; in fact, we will probably see even more of it targeting consumers in 2019,” said Hank Thomas, CEO of Strategic Cyber Ventures.
“This will be ransomware at scale, targeting a wider swath of middle class Americans that are equally eager to make the problem go away with a quick payment as corporate America was,” he told the E-Commerce Times.
Corporate targets likely will remain in the crosshairs of those who find this an effective illicit business strategy, and due diligence may not be enough to stop all the threats.
“Healthcare remains, by far, the No. 1 target for ransomware, with more than half of all attacks targeting healthcare directly,” warned Pravin Kothari, CEO of cloud security software company CipherCloud.
“Ransomware will also continue as long as there are underprotected systems with data that hasn’t been adequately backed up,” said Virsec’s Gupta.
“However,ransomware threats are increasingly being used as red herrings to distract from other types of attacks on critical infrastructure,” he added.
The greatest danger of ransomware, once again, isn’t that it will block user access to data, but that it could make the leap to any connected device — from automobiles to smart homes. The Internet of Things has opened a brave new world for hackers to lock users out of!
“Businesses need to begin to secure their IoT mobile and Web applications with the same controls that are being deployed for other markets, like multifactor user authentication, and application shielding and secure user onboarding,” said OneSpan’s LaSala.
So far that hasn’t happened, and many users may not expect that their cars, thermostats and doorbells need the same level of security as their PCs.
“People have already been affected by IoT and automobile exploits, but so far there isn’t big money to be had from it, so the scale of this activity remains small,” noted Jim Purtilo, associate professor in the computer science department at the University of Maryland.
“We’ll see just how weak are IoT protections, just as soon as it is in the interests of an aggressor to trigger chaos,” he told the E-Commerce Times.
Here is where healthcare could face a one-two punch.
“In the case of healthcare, many medical devices are also IoT devices,” CipherCloud’s Kothari told the E-Commerce Times.
“They have closed operating systems, proprietary code, and wireless connectivity,” he added. “These devices are essential to healthcare operation and are likely to be targeted as the cyberwar on hospitals escalates.”
Protecting the Cloud
The movement of more and more data off site to cloud-based services could direct cybercriminals to the cloud as well. Because their data is off site, many businesses wrongly may assume that it is secure, but that faith may be unwarranted. Choosing a cloud provider should come down to the level of security it provides, and its track record in keeping data secure.
“The cloud is really more like a swamp of data, and it’s not this idealistic place of security rainbows and data unicorns,” warned Strategic Cyber Ventures’ Thomas.
“Nobody really wants to trudge through it, but you know it’s where the best treasure probably is,” he added. “So it just might be worth it to spend a lot more time there, since the security is often really just a bunch of annoying mud, mosquitoes and thorns that are more of a nuisance than real security.”
The question now is whether enough really is being done to keep data secure. The cloud holds treasures comparable to those of Fort Knox, but in many cases it lacks the same level of security.
“Effective cloud security requires strong protection at the application layer, particularly with externally facing Web, mobile and API application assets,” suggested Franklyn Jones, CMO at Cequence Security, a venture-backed cybersecurity software company.
“These are prime targets for the growing number of automated bot attacks,” he told the E-Commerce Times.
“These attacks are nearly impossible to detect with traditional security tools because they involve the use of legitimate user names and passwords, not malware or APTs,” Jones added. “Therefore, cloud security architectures need to include tools that can detect the underlying behavior and intent of application transactions, which is essential to stop malicious automated bots.”
The Rising Threat of Digital Ad Fraud
One of the lesser-known types of cybercrime is one few people know much about, but one that affects more and more people each year. Digital ad fraud makes it difficult for online content publishers to generate revenue.
Advertisers lose an estimated $19 billion to fraudulent activities each year — equivalent to $51 million daily — according to a report from Juniper Research published last year.
More worrisome is the forecast that ad fraud could reach $44 billion by 2022. The bulk of fraudulent ads affect video, but all content providers online, including newspaper publishers, are potential victims of ad fraud.
This has reached a point where law enforcement is taking it seriously.
The Department of Justice last year announced a 13-count indictment against eight men for various cybercrimes, including what the FBI identified as the biggest-ever ad fraud investigation. The group, which has been dubbed “3ve” (pronounced “eve”), included six Russian nationals and two Kazakhstani citizens.
“In digital advertising, the most common scams take the form of malicious or hijacked ads redirecting Internet users to phishing pop-ups that enable bad actors to commit identity and credit card theft,” said The Media Trust’s Bittner.
“In such attacks, bad actors pose as legitimate advertisers and use a compromised site to propagate phishing scams,” he said. “All organizations are vulnerable to these attacks, which can have multiple phases as the first attack opens up the organization to later ones.”
The (Crypto) Currency of Cybercrime
It is now probably safe to say that 2018 didn’t exactly become the year of cryptocurrency — at least to the degree many had suggested. However, it was the year that cryptocurrency became a key tool in many ransomeware schemes — including the threats that personal data would be released online unless the hacker was paid.
That particular threat turned out to be bogus, but it highlighted the fact that bitcoin and other digital currencies could offer a less-traceable way for criminals to be paid — at least in theory.
“Cryptocurrencies remain the exchange mechanism of choice for cybercriminals who need whatever direction they can get while fleecing victims,” suggested University of Maryland’s Purtilo.
However, bitcoin and its rival digital currencies aren’t the perfect solution for cybercriminals — at least not yet.
“Rampant use of cryptocurrencies for illicit use is a glaring misconception,” explained Strategic Cyber Ventures’ Thomas.
“Bitcoin, the most widely used and secure cryptocurrency, is pseudonymous and easily traceable — making cash a much more logical choice for many criminals,” he added. “Other more privacy-centric cryptocurrencies do exist and can be used for these purposes. However, privacy is never entirely rid of traceability, and attribution is often inevitable.”
There are other reasons cybercriminals may shy away from bitcoin and other cryptocurrencies.
“Many of these are faced with illiquid markets, making cashing out to fiat currency incredibly difficult and costly,” said Thomas.
The bigger threat in cryptocurrency might not be in how it is used, but rather how it is created — as in “mined.” Bitcoin and other currencies are created by having computers solve complex mathematical equations, and this is dubbed “mining.”
Criminals often remotely control computers or computer networks to take on some of the computer processing. This ties to other nefarious threats, such as phishing or ad fraud, in which users are directed to an illicit website that runs Javascript on a webpage that then turns a user computer into a remote miner.
“Cryptojacking attacks played a very major role in cybersecurity last year,” said The Media Trust’s Bittner.
“Cryptojacking has surpassed ransomware as a pervasive digital threat in many countries. Although cryptocurrency has failed to reach the critical mass many had earlier predicted, malicious actors will continue to use cryptojacking for its stealth and relative ease,” he warned.
“The fact that cryptojacking requires no interaction with the unknowing victim makes attacks easier to deliver and possible to repeat,” Bittner said. “Cybercriminals may draw from the well again and again.”
The Next Thing in Cybercrime
A pressing concern with cybercrime and cybersecurity is not what criminals are involved with today, but what they might target tomorrow and beyond.
“The scams I would worry about the most are the ones the good guys haven’t dreamt up and prepared for yet,” said Thomas.
“The scenarios are essentially limitless, with the number of criminals and intelligence services around the world constantly looking to gain access to Western enterprises and users,” he added.
“Consumers — average-Joe Americans without much of any real security — will remain most vulnerable, but aren’t the biggest target,” noted Thomas. “Lucrative business and government targets will keep that honor in 2019. Phishing will continue to be a popular and efficient avenue of approach to gain entry to both consumer and business targets.”
It appears that what works today, sadly, will continue to work for cybercriminals as 2019 unfolds.