Cyberattacks Increasing, Evolving

July 08, 2019
Symantec: Cyberattacks shift in form but continue to rise.

Cybercrime risk and how to mitigate it are routinely discussed at NeuGroup meetings, and the common argument that, because successful attacks are inevitable, companies must focus on minimizing the damage appears to be holding water. That’s because just about all types of cyberattacks are increasing, according to a report from security software provider Symantec.

In a June presentation, Kevin Haley, director of security response at the Fortune 500 company, introduced the findings of its 2018 Internet Security Threat Report by noting that the top 100 free applications for Apple and Android phones request access to the phone’s camera and microphone, and the ability to read photos, other media, and files.

“That seems ridiculous. Why would a flashlight app need those permissions?” Mr. Haley said, going on to remind listeners that technology companies generate revenue by selling the consumer data those applications collect.

He also noted that Symantec recently scattered “lost” smartphones in random urban settings to test what people would do with them, revealing a few important insights. One, the strangers didn’t hesitate to search the smartphone for personal information, including financial information and personal photos; and two, the ability to track the smartphone’s whereabouts displayed where the strangers worked, lived and ate lunch, essentially revealing their identity.

His description illustrated the ease with which software today can collect data, often without the device user ever knowing. Mr. Haley went on to discuss Symantec’s cyber-attack findings:

Why corporates should root for cryptocurrencies increasing in value. Symantec found that rising cryptocurrency prices in 2017 resulted in a dramatic increase in “cryptojacking” incidents, in which cyber criminals surreptitiously mine for bitcoin and other crypto coins on victims’ devices. Those incidents fell last year alongside cryptocurrency prices, and cyber criminals turned their attention to the types of attacks that are of more concern to companies. The price of bitcoin, the most common cryptocurrency, has skyrocketed this year, perhaps easing attacks on corporate systems.

Formjacking credit-card details increases. One area where cyber criminals increased focus last year was “formjacking,” in which they insert malicious JavaScript code to steal credit card details and other information from the checkout web page of eCommerce websites, putting many companies at higher risk. Symantec found that 4,818 unique websites were compromised each month in 2018, and its software blocked more than 3.7 million attempts, with a rush of attacks occurring in November and December. British Airways, Ticketmaster, British electronics retailer Kitronik and contact lens seller VisionDirect were each breached. “The surge in formjacking attacks in 2018 reinforced how the supply chain can be a weak point for online retailers and eCommerce sites,” Symantec says.

Sneaking in via supply chains. Symantec says the increase in formjacking reflects the growth in what it refers to as “supply chain” attacks, which it says increased by 78% in 2018 from the year before. Those attacks exploit third-party services and software to compromise a final target, such as a corporate eCommerce website. The attacks take many forms, Symantec says, including hijacking software updates and injecting malicious code into legitimate software. “Developers continue to be exploited as a source of supply-chain attacks, either through attackers stealing credentials for version control tools, or by attackers compromising third-party libraries that are integrated into larger software projects.”

Living off the land. Attackers are opting for off-the-shelf tools and operating system features to conduct attacks, Symantec says, with Microsoft Office files accounting for 48% of all malicious email attachments, up from only 5% the year before. Attackers typically used macros in Office files as the preferred method to propagate malicious payloads, while also experimenting with malicious XML files and Office files with DDE payloads.
