What Employers Should Expect in Cybercrime
Cybercrime is an industry—and a very profitable one at that. The FBI estimated that just one component of the cybercrime industry, ransomware, generated $209 million in revenue during the first three months of 2016, putting it on pace to be a $1 billion business by the end of this year. Based on that, DataGravity estimated that just this component of the cybercrime industry is more profitable than 69 percent of the companies on the 2016 Forbes Global 2000 list.
So, where is cybercrime headed over the next year? We, at Osterman Reserach, believe that changes in this industry are most reliably based on a “follow the money” approach, since businesses represent a more lucrative source of income for many cybercriminals and so are more likely to be attacked than individuals. Consequently, here are four key areas in which we think cybercriminals will ramp up their attacks during the next 12 months:
1. CEO Fraud
CEO Fraud is a highly specialized form of phishing attack that the FBI estimates has cost US businesses $2.3 billion over the past three years. In one type of CEO Fraud attack, a cybercriminal will send an email to a senior executive in a company, requesting either a wire transfer to a trusted supplier or some type of sensitive data, such as employee W-2 records, often using a bogus domain that is similar to the actual corporate domain. Cybercriminals will study their victims’ websites, email correspondence, the CEO’s travel schedule and other information so as to be as effective as possible in fooling the recipient of the email into complying with the request.
We believe that CEO Fraud will increase because it is difficult to detect using traditional anti-phishing or anti-spam filters, because targets of these attacks often are not sufficiently careful about evaluating these requests, and because CEO Fraud is highly lucrative for cybercriminals. The FBI estimates that a successful CEO Fraud attack generates an average of $25,000 to $75,000 from the victim, but some attacks have netted cybercriminals millions of dollars.
Spearphishing is another targeted type of phishing attack, but one that often is used to install malware on a computer used by a senior executive within a company, such as the CFO or CEO. The goal of cybercriminals in a spearphishing attack is to obtain something of value, such as the CFO’s login credentials that he or she uses to access the corporate financial accounts. By installing malware like a keystroke logger on the CFO’s computer, cybercriminals can gain access to financial accounts and withdraw large sums in a very short period of time. Some companies have seen hundreds of thousands of dollars stolen within the space of 30 minutes, and many times the bank that released these funds is not able to recover them.
Although everyone is potentially vulnerable to spearphishing, we believe the most susceptible to a successful attack are smaller organizations that have not invested in employee training and that don’t have the same level of security infrastructure in place to detect spearphishing attacks. We expect spearphishing attacks against these firms to increase.
Ransomware is a particularly insidious form of malware that will quickly encrypt all of the files on a computer and render them inaccessible until the victim pays a ransom. It is virtually impossible to decrypt the files once they are encrypted, since cybercriminals normally permit only a small window of time in which to pay the ransom (normally a few days) and the encryption can almost never be defeated. We believe that this will be one of the fastest growing areas of cybercrime for three reasons: 1) ransomware “kits” are available at very low cost, enabling just about anyone to become a ransomware author; 2) ransomware authors can score big wins, as in the case of Hollywood Presbyterian Medical Center that paid $17,000 in Bitcoin to recover access to its files in early 2016; and 3) businesses and individuals often don’t take the relatively simple steps to be able to recover from ransomware or prevent ransomware—namely, having recent backups of their data and being careful about what they click on or open in email.
4. Attacks on things
Finally, one of the big growth areas for cybercrime over the next 12 months will be attacks against things—the so-called “Internet of Things.” These include business security systems, closed-circuit television systems, medical equipment, point-of-sale systems, fuel-monitoring systems, lighting systems, televisions, thermostats, appliances, cars and a host of other systems. Gartner estimates that by the end of 2016 there will be 6.4 billion things connected to the internet, and that by 2025 this number will swell to nearly 21 billion objects. Most of these things are highly vulnerable to attack and can be used to cause damage to more traditional systems, like computers and servers.
So, what can bad guys do if their infect your things? In January 2014, Proofpoint discovered that spammers were able to infect a variety of smart appliances, including a refrigerator, and use them to send 750,000 spam messages. In October 2015, security researchers found that cybercriminals had created a botnet of about 900 surveillance cameras and used them to launch a denial-of-service attack on a major cloud service. In February 2016, Nissan had to disable the app used for its Leaf automobile because it was vulnerable to attack by cybercriminals. And this is just the tip of the iceberg.
In short, these are four key areas that we believe will be major threat vectors for businesses during the next 12 months. While traditional cybercriminal activities like sending spam and phishing attempts will definitely continue, these are four areas about which to be most concerned.