2017 was certainly a year to be noted for cyber-attacks and 2018 is going to be equally scorching. For instance, we haven’t yet seen the true impact of last year’s monster Equifax data breach. Equifax offered one year of free identity for those whose information was stolen but this will expire towards the end of 2018. Identity theft is already rife in the US but it’s highly likely that there will be a serious spike as the free protection draws to a close. Fraudsters are intelligent, and will be more than aware that a lot of people are going to be exposed. But this is a hangover from 2017. 2018 will see more large-scale hacks, smart device take-overs, a surge in financial fraud aimed at smartphones and the introduction of artificial intelligence supported malware.
On the surface you might think that the introduction of the European Union’s General Data Protection Regulation will cool things down a bit in terms of data hacks. Certainly, many organisations are taking GDPR seriously and have been doing a lot of behind the scenes work to tighten up their systems and processes. But at the same time there are other organisations which are taking their time, and on the advice of lawyers. Basically, they are waiting to see how the Information Commissioner’s Office responds to breaches.
Despite GDPR, large data breaches will continue to happen. This is inevitable. The important thing is how organisations respond. Time and again we’ve seen most businesses only come clean long months after they’ve been hacked, exposing customer data and making the situation much worse. It may not be headline grabbing but it’s going to be interesting to see how those who are breached react. We should see the tide finally turning in favour of those whose data has been stolen.
What will grab the headlines are smart device attacks. What we’ve seen so far is just the tip of the iceberg. Put yourself in the shoes of an experienced and knowledgeable hacker who is aware of millions of exposed smart devices. They’ll be testing and probing and developing attack methods, initially just for the hell of it, but the acquired knowledge will filter through the underground hacking communities including those groups whose sole purpose is cyber fraud. There will be those who seek to ‘weaponise’ this information. For instance, we could see industrial smart device denial of service attacks but victims won’t want to advertise the fact, just as in the early days of distributed denial of service attacks on websites.
Another nailed down certainty is the continuing growth in ransomware. In 2016 $1 billion was lost to ransomware. In 2017 it’s estimated to be $5 billion. The real figures are likely to be higher given that many organisations are reluctant to admit their systems were penetrated and shut down. From a cyber fraudsters perspective ransomware is a no brainer. It’s low risk, high reward malware and given that ransomware is now available on the dark web ‘as-a-service’, and has been for some time, now its continued spread is inevitable.
What last year’s WannaCry outbreak exposed was the surprisingly poor security practices employed. It’s pretty much unforgivable to run XP when it is no longer supported, and given that even basic security practices such as running zero-day detection antivirus and sandboxing would stop ransomware, you have to question the levels of cyber security awareness many organisations have. Hopefully GDPR will change this but the reality is that some will beef up security and some won’t, and there will be more ransomware victims during 2018.
One area to keep an eye on in the coming year is phishing. Phishing mails have become incredibly sophisticated and even the most aware among us can initially fall victim to them. Spear phishing steps up this level of sophistication by several notches, and given that malware based around artificial intelligence supported malware is entering the scene, it’s going to raise the stakes even higher.
In some senses artificial intelligence is in its infancy and still has a long way to go, but ‘smart’ malware can actually imitate email styles, including spelling errors, tones and a preference for certain words, so how long before AI-driven spear phishing makes an entry?
Given that spear phishing is a high-stakes game in which fraudsters stand to make significant gains if successful, we could well see AI-supported malware appear in 2018. It will likely be used in carefully crafted, well-planned attacks that target individuals, but as with smart device attacks, this knowledge will gradually filter down to the larger hacking community and will most certainly be used more widely.
Each year there’s a prediction that mobile-based crime will grow and its does incrementally but often without the attendant headlines. But mobile is fast becoming the number one online sales channel for UK retailers, according to management consultancy Capgemini.
In December 2016 e-commerce sales via smartphones rose 47% year-on-year. It’s a similar story across the rest of Europe. In the US, 40% of 2016 Black Friday sales were made via mobile. 2017 figures are even higher.
You also just have to look at some of the businesses that support m-commerce sales, particularly m-commerce app developers, and see how they are growing rapidly. This provides another perspective on the increasing popularity of m-commerce sales.
Cyber fraudsters are naturally drawn to the honeypots where they can make the biggest gains. The bigger the commercial activity the greater the potential rewards for fraudsters. And because mobile e-commerce is growing significantly, and millions of smartphones are now used for online shopping and banking, simple logic suggests that there is going to be a major upturn in financially driven attacks aimed at mobile devices during 2018 and especially around seasonal sales periods.
Written by Paul Lipman, CEO at consumer cyber security company, BullGuard