Following a year in which organizations both large and small have faced an unrelenting barrage of cyberattacks aimed at crippling their operations and stealing sensitive data, a new report from Experian predicts that hackers will look to build on the success they’ve reaped thus far from ransomware, phishing and other schemes with new and varied approaches to cyber fraud in 2020.
As any good investor will tell you, diversification is not only a key to long-term financial growth, but it also serves as good protection against market volatility. Such is the case for hackers who rather than rely upon tried and true methods must look to new and creative ways to launch cyberattacks lest the opposition become too comfortable in combatting their techniques.
Experian, which is now in its seventh year of releasing the annual Data Breach Industry Forecast, has had an uncanny record of predicting the types of attacks that malicious actors have leveraged over the past several years, including the influx of attacks experienced in the healthcare sector and the efforts to infiltrate the campaigns of presidential candidates in 2016.
“Our track record over the past six years has been pretty good,” Michael Bruemmer, Vice President at Experian Data Breach Resolution, says. “Because of our experience working with different clients in many geographies and with different circumstances… we have a pretty good perspective.”
Just as companies and security professionals begin to wrap their arms around one vulnerability exploited by cyber criminals, another one seems to take its place, and this will again be the case in 2020. Among the predictions made in this year data breach forecast include:
1). Cybercriminals will leverage text-based “smishing” identity theft techniques to target consumers participating in online communities.
Like email phishing in which a malicious actor spoofs the email of a customer, partner or manager of a company to steal money or gain login access to their network, smishing attempts to do the same thing via an SMS text message. In fact, Bruemmer says that he was recently targeted by hackers using this very scheme.
The smishing text Bruemmer received purported to be from Citibank’s fraud department asking him to click on a link to verify some information.
“I actually called them up and I said, ‘Hey, did you just send me a text?’ And they said, ‘No, we did not.’” he explains. “It's really simple to do and it capitalizes on what we call online tribalism – you're a member of a group that you trust and you're not paying attention and you click on a link.”
2). Hackers will take to the skies to steal consumer data from devices connected to unsecure networks.
This is essentially a form of electronic eavesdropping that uses a combination of technologies to try and steal sensitive data from consumers and businesses alike. With the rise in public Wi-Fi networks, Bruemmer says that cyber thieves can attach what’s referred to as a Wi-Fi Pineapple device to something like a drone to spoof one of these public networks and monitor the network communications of those who connect to the bogus hotspot.
“We've seen this Pineapple device used in a stationary situation, but with drones the hackers can be portable and it's even harder to get caught,” he says.
3). Cybercriminals will use deepfake technology to disrupt the operations of large commercial enterprises and create geo-political confusion.
While artificial intelligence-powered technology is expected to have a tremendous impact on both physical and cybersecurity as we move into the next decade, there have also been concerns about how it could be potentially misused by criminals and other nefarious actors to paint politicians and corporate leaders in a potentially negative light. Actor, writer, director and producer Jordan Peele famously demonstrated how such technology could be used to make former President Barack Obama make fabricated statements in an online video.
Obviously, the implications of a world leader being portrayed to say something inflammatory are enormous but the same holds true for private sector executives. Earlier this year, an AI-generated deepfake voice was used to con the CEO of an UK-based energy company out of more than $240,000.
4). Cybercriminals will execute a major hack of the mobile point-of-sale platforms used to process transactions.
Given how payments have gone increasingly mobile in recent years, Experian believes it is likely cyber thieves will attempt to exploit vendors at large venues like concerts or sporting events over the next year.
“Think of taxi cabs, special events, outdoor concerts, and even the proliferation of mobile food trucks where you don't pay with cash,” Bruemmer explains. “You go up, the guy has his cell phone with a plug-in (payment) device connected to it or he hands you another device to be able to put in your information with your credit card and you have no idea what the security is on this device or where your data may be going.”
5). Burgeoning industries, such as cannabis retailers and cryptocurrency entities, will be targeted for cyberattacks as a result of online activism or “hacktivism.”
Finally, Experian predicts that these two industries, along with green energy will be singled out for cyberattacks throughout the course of 2020 due largely to their social influence and lack of a robust cybersecurity posture.
“We think because there are so many emerging companies focused on growing their business and not necessarily on cybersecurity, that many of these companies that are participating in those three industries are going to neglect cybersecurity – especially not training employees properly on cybersecurity – and that they'll be in the news with some big breaches,” Bruemmer adds.
Hacking Becomes More Egalitarian
One of the things that concerns Bruemmer the most in looking at the current cybersecurity landscape is how easy it has become for relative tech novices to launch sophisticated hacking schemes.
“It used to be the professionals that hacked, and it was limited to very highly technical individuals. But hacking continues to be made much easier because in these online forums on the Dark Web, you see kits that you can buy with tools, whether it is a malware kit or Pineapple device,” he says. “These Pineapple devices are about the size of a cigarette pack and are $50 to 90 bucks on the low-end side. You can actually buy them on Amazon, get your own drone, and can set all this up by watching a YouTube video… and you can become a hacker overnight without having the technical training.”
Bruemmer says he is particularly concerned about the potential of deepfakes to disrupt organizations in 2020 and beyond.
“That one scares me more than anything else because although you can tell some of the deepfake technology due to the eye blinks on (videos), etc., it is getting much better and there could be socio-economic implications to (someone) using it,” he says.
Mitigating the Threat
As always, Bruemmer says one of the biggest keys to mitigating these and other cybersecurity threats is having a well-trained workforce that doesn’t fall for some of these simple tricks and implementing protocols that would prevent the release of funds or data to someone in the event that a hacker successfully fools an executive or other employee.
“We still see employees as the weakest link in organizations' cybersecurity defenses because of the technology, especially with artificial intelligence, that's being used to detect patterns, to be able to scan logs and look at all the necessary intrusions,” he says. “Where we see the fall, or the cracks are in social engineering with administrators and employees getting fooled.”
About the Author:
Joel Griffin is the Editor of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].