The World Economic Forum has just published an article detailing the biggest cybercrime trends of 2019. It provides useful information for IT and data protection experts who want to ensure they are prepared for emerging cyber-threats.
This article consolidates and describes the main threat vectors:
- Advanced phishing kits
- Remote access attacks
- Attacks via smartphones
- Vulnerabilities in home automation and the Internet of Things
- Utilising artificial intelligence
The author, Einaras von Gravrock, is the co-founder and CEO of CUJO, an AI platform offering SaaS solutions to telecom operators and gateway manufacturers.
One of the most worrying predictions is that 2020 will be known for advanced phishing attacks, due to the number of new phishing kits available on the dark web which enable people with only basic technical knowledge to run their own phishing attacks.
In the last week, Google reported that phishing attacks that can beat two-factor authentication (2FA) security are now on the increase.
“We’ve seen a big rise in the number of phishable 2FA attacks,” Nicolas Lidzborski, a security engineering lead for Gmail, said during a talk at the RSA cybersecurity show.
In December, Amnesty International reported that it had noticed a hacking group defeating two-factor protection by using an automated phishing attack to steal and enter passcodes before the 30-second time limit expired. A further problem is that the one-time password generated by 2FA is often sent by text, so the attacker impersonates a target, steals the number and gets to the 2FA. In July, Google reported it had given all its employees USB security keys as a way to stop account takeovers on work-related accounts in their tracks. Meanwhile, Thomas Hardjono, a secure identities researcher at MIT’s Trust and Data Consortium, has suggested that smartphones could generate unique identifiers by combining a user’s phone number and the IMEI device ID assigned to each device, which could be managed with relative ease, so perhaps there is some light at the end of this tunnel.
Remote access attacks are growing in number, as well as becoming more sophisticated. One of the main types of remote access attack in 2018 was cryptojacking, directed at cryptocurrency owners. Cyber threats will increase as more connected devices sharing personal information join the Internet, and the ‘connected home’ has been identified as one of the most common attack vectors. Any device that needs to keep its ports open and forwarded to external networks or the internet is likely to be targeted by hackers – like the now legendary 2014 hack involving televisions and a fridge.
More than 60% of fraud online is now accomplished through mobile platforms, according to RSA, and increasingly, people use mobiles to handle sensitive data, conduct financial transactions and manage their home networks. Users typically hold all their information on their phone and then use that very device to manage their two-factor authentication. This leads to a significant increase in risk if the device is lost, stolen or compromised. However, this threat can be potentially mitigated by using a secure app to authenticate instead of text.
The consumer Internet of Things (IoT) is expected to grow to more than seven billion devices by the end of 2020, according to Gartner. Unfortunately, IoT devices are seldom secure by design, because putting a focus on security significantly increases manufacturing and maintenance expenses. In this respect, so-called ‘smart toys’ for children are often found to pose cyber risks. Concerns were raised about CloudPets products in February 2017 after it was discovered that millions of owners’ voice recordings were being stored online unprotected.
In his article, von Gravrock highlights the irony that “AI is often considered to be a dual-use technology – while more cybersecurity companies are implementing AI-driven algorithms to prevent threats, hackers are also taking the opportunity to become more effective”.
He adds that the majority of AI qualities serve malicious purposes because they “are cheap, scalable, automated, anonymous and they provide physical and psychological distance for the attacker, diminishing the immediate morality around cybercrime”. Hence, new advances in AI-driven technology will make the use of AI in cyber attacks an even more popular and dangerous trend.
In conclusion, it is critical for information and security managers to continuously investigate, alleviate, and remediate cyber risks and the associated vulnerabilities that could lead to a data breach. If you have not done so already, empower your security experts — your internal or external IT support team — to manage and maintain software and malware updates for all users to ensure that the basics are covered. Implement a rolling program to train your teams on how to recognise phishing attacks. If you do not already have a tried and tested Incident Response Plan, then 2019 would definitely be a good year to put this to the top of the ‘To-Do’ list.
For more information, please refer to our service pages or contact our Data Governance team.