From the hacking of female celebrities’ phones to the massive cyberattack on Sony that ignited geopolitical tensions, it’s clear that cybercrime is on the rise and here to stay. Like diseases which evolve to render antibiotics ineffective, the nature of these crimes adapts in response to improving cybersecurity tactics, and the sheer variety and hybrid nature of virtual thefts, denials of service, and other methods is unprecedented.
The Pew Research Center’s State of Cybercrime Survey (2014) reports that the U.S. Director of National Intelligence ranks cybercrime as the top national security threat, above terrorism, espionage, and WMDs. While stealing data is one common form, extortion, data destruction, release of confidential information, demonstrated denials of service (DDoS), disrupting state infrastructure, and holding information ransom have all become tools in the arsenal of global cybercriminals.
1. State-sponsored attacks
The Wall Street Journal (2014) reports that espionage (especially for financial gain) and threatening to disrupt invaluable infrastructure (e.g., power grids, water systems, traffic control, etc.) are two tactics that may be on the rise for state-on-state cyberattacks. Critical infrastructure systems may be easier to target than newer companies due to their legacy architecture and ability to fully disrupt the lives of vast groups of people. The White House has taken preventive measures against these types of attacks. The Hill (2014) notes that the Justice Department has added three new, senior officials to the National Security Division (NSD) which coordinates measures against cybercrime at all levels of law enforcement.
While the possibility of state-sponsored attacks incite fear in some, not all of them are conducted for nefarious or self-serving purposes. Anonymous, for example, has pledged to level a cyberattack against the pseudo-nation ISIS in response to a long history of extremist brutality and cruelty.
2. Targeted attacks and “smart spam”
The Guardian (2014) surveyed a variety of cybersecurity companies (e.g., BitDefender, Symantec, Proofpoint, AdaptiveMobile, etc.) and found that advanced persistent threats (APTs) or “sophisticated spam” will likely rise in 2015. These crimes normally leverage psychological manipulation to incite victims to reveal confidential information or perform actions. The victims of these attacks range from large firms who hold valuable intellectual property or industry blueprints to individuals who fall prey to spear-phishing, watering hole tactics, and “malvertising” on social media.
3. Selective targeting of banks and healthcare companies
While rampant attacks on financial institutions aren’t a surprise, cybercriminals are increasingly turning to healthcare companies which hold a variety of confidential information on patients. According the the Identity Theft Resource Center, there were 720 major data breaches in 2014, including well-publicized attacks on Target and Home Depot. The largest proportion of these attacks (42.2%), however, affected the health industry. These sensitive records can be used to commit identity theft and other types of fraudulent activities. Even more alarming is the fact that many of these types of attacks never reach the public record due to confidentiality reasons and are likely much more common than this study suggests.
People will often go to dramatic lengths in order to free up locked information systems or to prevent sensitive information from being leaked to the public. According to Symantec and other companies, ransomware is a menace on the rise. Cybercriminals will extort money from victims by locking their devices remotely or by obtaining embarrassing photos, documents, and other material that can be dangled for a price. The Guardian (2014) reports that one type of ransomware called Cryptolocker was responsible for 55% of all attacks in October 2014. It encrypts people’s important files and then demands money in order to unencrypt them. ESET Research (2014) adds that last year, Yahoo, Match and AOL were all hit by ransomware, indicators that this will continue to be a popular type of cybercrime in 2015. Threatpost notes that in December 2014, Georgetown Law’s panel Cybercrime 2020: The Future of Online Crime and Investigations stated that “ransomware is the future of cybercrime.”
5. Mobile payment systems
In 2014, Apple launched Apple Pay, one type of mobile payment system among many launched by companies and trade associations. These haven’t been thoroughly tested to withstand cyberattacks, and Trend Micro believes that mobile commerce will be a hot target for cybercriminals in 2015. Various malware families such as JacksPos or Dexter which may have been responsible for the 2013-2014 attacks on Target (40 million credit cards exposed) and Home Depot (56 million cards exposed) demonstrate the devastating scale of these breaches. That said, the vulnerability of a specific point-of-sale (PoS) system is expected to correlate with its popularity among consumers. In other words, if hardly anyone is using Apple Pay, it will likely be a low-priority target for cybercriminals.
While these five types of attacks are expected to dominate the cybersecurity landscape in 2015, there are various countermeasures that can help protect consumers and businesses: