Cybercrime Predictions 2012

In the past year, we have seen cyber attacks of unprecedented sophistication and reach. Just look at the names of victims: one of the world’s largest Email Marketing Firm, Epsilon; the computer security vendor RSA whose network was announced to be hit on March 17, 2011 by an Advanced Persistent Threat (APT); Lockheed Martin; Sony Playstation (over 70 million accounts compromised); Google; CITI bank (hackers accessed over 200,000 accounts) and many other names, organisations, even governments. Those attacks demonstrate that the bad guys are well-prepared technically and even financially to com¬promise and control millions of computers that belong to governments, private enterprises and ordinary citizens.

My outlook for 2012 has been influenced by a variety of factors, including working with various security awareness programs, talking to IT staff at organisations large and small, and collaborating with my colleagues in ESET’s research facilities around the world. I believe that today not only patching and coding, but collaborative research, education and awareness are required to battle advanced and large-scale botnet attacks, mobile application exploits, and manipulation of online information which are considered the main cyber threats of upcoming year.

More from Biztech

Future Group - Reliance Retail Deal approved by CCI RBI ban on cryptocurrencies takes effect; prohibition could force investors to tap the black market

What is important for governments and corporate sector is to continue establishing the reliable network security protection on all the levels. That refers to organisation of all sizes, by the way. Many small businesses don’t have access to skilled staff that they can dedicate to securing their network or at least their payment systems. This fact hasn’t escaped the scammers’ attention. As attacks on larger organisations are met with sophisticated defenses it makes sense to target the smaller ones that lack the budget for a dedicated security specialist, or specialised security equipment to guard against a breach. However, being unable to afford skilled security staff or specialised equipment does not mean SMEs can afford the expense of a breach.

To round out our series of malware and cybercrime predictions here are some of my thoughts on what the next 12 months will bring:

Threats involving mobile devices (including, but not limited, to new malicious code, as well as Internet fraud schemes) will be the most pressing issue in 2012, in addition to the appearance of new types of attacks and variations of the existing ones. By October 2011, ESET had identified 41 major malicious code families (and variations) for the Android platform: 30 percent of threats were embedded in downloads from the Android Market, 37 percent were SMS trojans and 60 percent of the malicious code had some botnet characteristic, i.e. some kind of remote control over the device.

New devices give rise to new patterns of user behaviour, and new targets for attack, not only because they have a greater amount of sensitive information but also because these mobile devices one can be used to access systems that were previously accessible only through desktop computers. The growing popularity of smartphones and tablets is a new challenge for companies as many employees access company’s network from these devices. from office or simply keep a lot of company’s sensitive information on these devices. So BYOD (bring your own device) is definitely becoming a trouble for oranisations in terms of data loss.

Hacktivism, the hacking of information systems to advance a social or political agenda, was clearly a major trend in 2011 and will remain same in next year. That prediction was underlined by the news on Christmas Day that Anonymous had hacked Stratfor Global Intelligence, a think tank in Austin, Texas. So far, according to independent analysis performed by identity theft prevention service Identity Finder and published by VentureBeat, some 9,651 active credit cards, 47,680 unique e-mail addresses, 25,680 unique phone numbers and 44,188 encrypted passwords were hacked from the A through M name list published by Anonymous (we may see the N through Z portion of the list exposed in the next few days).

In 2012, I expect more high profile arrests of cyber-criminals but no abatement in criminal activity that seeks to profit at the expense of data owners. Some of these arrests will occur in conjunction with the takedown of botnets, but the number of botnets being created will not drop. Some of these botnets will be used for political purposes and some will be based on mobile devices. In other words, the struggle – to prevent data theft and abuse that is fueled by malware which enables botnets and employs mobile devices–will continue.

A big trend for 2012 is likely to be a shift in the propagation methods used by malware distributors. The traditional channels for malware and scams—such as email, instant messaging or USB devices—are likely to get less attention, while social engineering techniques deployed on social networks, search results poisoned by blackhat SEO techniques, and drive-by-downloads—malware installed on vulnerable and legitimate web sites—will gain favour as channels for infecting endpoints and compromising networks. Search poisoning is likely to be a popular attack vector in 2012, favoured by those bad actors who seek to cheat consumers and harvest their personal data or infect their systems. How deep into 2012 SEO poisoning will remain an effective attack strategy depends a lot on Google, far and away the leading source of Search results.

My penultimate prediction is that a lot of cyber-security awareness rising will take place in 2012. The PricewaterhouseCoopers Global Economic Crime Survey of 2011 indicated that 2 in 5 respondents had not received any cyber security training. A quarter of respondents said there was no regular formal review of cybercrime threats by the CEO and the Board. A stunning 60 percent of respondents said they don’t have, or are not aware of having, in-house capability to investigate cybercrime, and 40% said they don’t have, or are not aware of having, the in-house capability to prevent and detect cybercrime.

Finally, I would say that we’re guaranteed to get a bunch more cyber threat statistics thrown at us in 2012, so I leave you with a sampling of numbers I encountered during my research in recent weeks:

• The median annualised cost of cybercrime incurred by companies with over 700 employees in 2011: $5.9 million per year.

• Increase in median annualised cybercrime cost from 2010 study: 56 percent.

• Number of personal records exposed in largest security breach of 2011: 77 million.

• The going rate per record for credit card details on the black market today: $1 to $20.

• My ‘guess-timate’ of the total number of records containing confidential personal information exposed worldwide by security breaches/lapses in 2011: 120 million.

• Average per person amount lost to fraud in cases of identity fraud in 2010: $4,567.

• Cost to an organisation per compromised record, as reported in 2011 study: $214.

The author is security evangelist at ESET.