By Stu Sjouwerman at KnowBe4 Inc.
As the world becomes increasingly connected and automated, the stakes have never been higher. Per recent estimates, cybercrime is set to become the third-largest economy this year and will cost the world a whopping $10.5 trillion by 2025. Let’s explore the top 10 attack methods used by cybercriminals.
- Bait And Hook
This is one of the most widely used attack methods that phishers and social media scammers use. Attackers try to set up or create a situation where it seems natural, normal or helpful to provide requested information or to click the link that’s displayed. Attackers carefully study and understand human psychology to craft phishing messages that are designed to get victims upset, curious, excited or anxious so that they fall for the bait and respond immediately. Fraudsters are using the Covid-19 crisis as bait to hook people into a variety of cyberscams.
- Disguise And Conquer
Once the victim opens a phishing page, chances are it will be a very convincing imitation of the sender and its website. After all, anyone can grab the source code and graphics from a website to create a webpage that looks and feels like the original. There’s a chance you’ll notice some formatting errors such as odd combinations of headers and footers or a font mismatch, although this may not always be the case. Google data showed a record-breaking 2 million phishing websites in 2020, a trend that accelerated following the beginning of the pandemic.
- Hidden And Malicious Payloads
Even if victims don’t provide the requested information on the phishing site, clicking the link can sometimes be good enough for cybercriminals to get a foot in the door. That’s because malicious pages often try to automatically install malware (aka drive-by downloads) on unsecured and unpatched PCs. Drive-by downloads rely on “active content” to work on a web browser. Active content means there’s code inside one or more objects on a webpage that gets triggered when a webpage is downloaded. Modern forms of active content are built into web browsers (such as HTML5 and JavaScript), while older forms of active content (such as Flash and ActiveX) require special browser add-ins — although these are widely available for most browsers. When a browser downloads a webpage, it interprets hidden instructions inside active content, and this can provide unauthorized and unfettered access to bad actors.
- Information Harvesting
Newer forms of cyberattacks harvest personally identifiable information (PII) prior to an actual attack. They use clever social engineering techniques to entice victims to provide information such as names, passwords, dates of birth and occupations. Gathering PII allows the attacker to take further action by, for example, posing as a trusted source, compromising accounts or gaining full remote access to a computer.
- Malvertising
Banner ads have come a long way since the days of brightly colored images. Today’s ads are rich with Flash, JavaScript or other application code that provides a contextual experience to shoppers. Unfortunately, this has introduced an ability for attackers to inject malicious code into advertisements. Simply viewing a malware-laced ad can launch a drive-by attack as described earlier.
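The active-content categories described under Hidden And Malicious Payloads and Malvertising, as an added example that is not part of the original article: a Python inventory of what a browser would run or load for a page, split into browser-native and plug-in content, with anything fetched from another host flagged. The sample page, the host names and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

PLUGIN_TAGS = {"object", "embed", "applet"}   # Flash, ActiveX, Java: need add-ins
NATIVE_TAGS = {"script", "iframe"}            # handled by the browser itself

SAMPLE_HOST = "shop.example.com"              # constructed sample page and hosts
SAMPLE_HTML = """<html><body onload="init()">
<script src="/static/app.js"></script>
<script>track();</script>
<iframe src="https://ads.example.net/banner?id=1"></iframe>
<object data="//cdn.example.org/movie.swf"></object>
<embed src="/media/intro.swf">
</body></html>"""

class ActiveContentInventory(HTMLParser):
    # Collects (kind, tag, detail, third_party) for each active-content element.
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def _third_party(self, url):
        host = urlparse(url).hostname   # None for relative or empty URLs
        return bool(host) and host != self.page_host

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        url = attrs.get("src") or attrs.get("data") or ""
        if tag in PLUGIN_TAGS:
            self.findings.append(("plugin", tag, url, self._third_party(url)))
        elif tag in NATIVE_TAGS:
            self.findings.append(("native", tag, url or "(inline)", self._third_party(url)))
        # Inline event handlers such as onload= are script as well.
        for name in attrs:
            if name.startswith("on") and len(name) > 2:
                self.findings.append(("native", tag, name, False))

def inventory(html, page_host):
    parser = ActiveContentInventory(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings

def summarize(findings):
    kinds = [f[0] for f in findings]
    return {"native": kinds.count("native"), "plugin": kinds.count("plugin"),
            "third_party": sum(f[3] for f in findings)}
```

Calling `summarize(inventory(SAMPLE_HTML, SAMPLE_HOST))` gives the counts for the sample page; plug-in entries and third-party entries are the ones to review first on a page you are responsible for.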
- Webcam Hijacking
Once cybercriminals break into a machine, they have the option to take control over the computer’s video camera to stealthily view and record anything that is going on at or near the computer. Clever attackers can use this sensitive information to blackmail the victim or study the activities of whoever is in the room to chart a further course of attack.
- Business Email Compromise
Business email compromise (BEC) is one of the most profitable forms of cybercrime. All the hacker does is break into a corporate email account of someone in a position of power like the CEO. The criminal then studies the habits and communication styles of the individual for weeks or months. The hacker will then masquerade as the individual — for example, sending out emails to instruct the CFO or payroll to execute a wire transfer or make payments to a third party. This technique is highly effective, as few people question the actions taken by a CEO. As such, almost half of cybercrime losses in 2019 were attributed to BEC scams.
- Cryptocurrencies
The use of cryptocurrencies like Bitcoin is growing in popularity. As of March 2020, the value of all bitcoins in circulation was about $160 billion. Of course, attackers go where the money is, so they are known to target Bitcoin users and cryptocurrency exchanges. As the preferred mode of payment for all major ransomware attacks, cryptocurrency is virtually impossible to trace. The availability and anonymity of cryptocurrencies have caused an exponential rise in ransomware attacks.
- Bring Your Own Device
BYOD is the concept whereby employees use their own personal smartphones, tablets and laptops for their work instead of using company-provided equipment. This causes fresh concerns, as these devices are outside company control and its security perimeter. A user can easily plug their smartphone into their work computer and infect it with a virus or introduce malware or ransomware into the network. An STX Next survey (via Infosecurity Magazine) found that more than half of all global organizations do not carry a BYOD policy.
- Internet of Things
With 5G on the horizon and smart devices going mainstream (light bulbs and sockets, speakers, home appliances, security cameras and home alarm systems, etc.), hackers are breaking into such devices and reprogramming them for nefarious purposes. Most IoT devices have weak security and authentication mechanisms, which attackers exploit to their advantage. According to Nokia (via Help Net Security), IoT devices now make up roughly 33% of all infected devices globally.
Cybersecurity is all about risk management, and the only way you can truly decrease your risk is by deconstructing the motives, means and methods that cybercriminals use. Once these attack vectors are understood well, you can begin building appropriate defenses.