Proofpoint states that in 2017:
- Attackers will continue to exploit humans to install malware, transfer funds, and steal information, with significant changes in techniques and behaviour across the three main vectors that attackers use to target people: email, social media, and mobile apps.
- Advanced threats will shift to more targeted, lower volume campaigns, using more sophisticated tools to build and execute attacks that integrate social engineering.
- Business email compromise attacks will remain a major challenge for organisations, but gradual adoption of additional controls around transfers by large enterprises will shift the focus (and the losses) onto smaller and non-US businesses.
- Attacks via social media and mobile apps will increase in volume, severity, and effectiveness thanks to the adoption of automation and sophisticated toolkits by attackers.
- State-sponsored cyber attacks will increase in frequency and see renewed activity by countries that have been relatively quiet. These attacks will also take a greater variety of forms, from the traditional theft of state and industrial secrets to destabilisation and harassment via social media and information leaks.
Read on for more predictions by the company.
Advanced threats will turn down the volume
The year 2016 saw unprecedented volumes of phishing email campaigns delivering Locky ransomware, reaching hundreds of millions of potential victims, with many thousands of messages getting through to inboxes.
With that volume came an increased risk that security vendors would spot the new techniques and block them. Despite incorporating increasingly sophisticated filtering techniques designed to hide their campaigns from researchers, exploit kit actors found that scale carries as many risks as rewards.
Small will be the new big, as sophisticated threat actors return to smaller, more targeted campaigns.
Malicious macros finally run out of gas
Malicious macros were relegated to smaller, more focused campaigns distributing banking trojans such as Dridex, Ursnif, Vawtrak, and a wide variety of other payloads – keyloggers, RATs, downloaders, and information stealers.
Cyber criminals will continue to improve and expand the automation of spear-phishing, running larger-scale “personalised” socially engineered campaigns that add more identifying personal details to increase the credibility of their messages.
Attackers will focus more intensely on social engineering as a central part of the infection chain, by getting users to click on embedded executables within documents, tricking them into installing malicious payloads disguised as legitimate applications delivered as attachments, as links to legitimate hosting and file-sharing services, or disguised as familiar parts of the Windows user experience.
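The lures listed above (an executable hidden behind a document-looking name, a payload dressed up as a legitimate application, a macro-enabled document, or a link to a legitimate file-sharing service) are all visible in the message itself before anything runs. The following triage script is an added example written for this page, not Proofpoint's code or part of the report; it parses a constructed sample message and flags each of those lures. The file-sharing watchlist, the extension sets and the OLE macro heuristic are assumptions a practitioner would tune to their own environment.

```python
"""Triage an email for the social-engineering lures described above.

Flags: document-looking double extensions (Invoice.pdf.exe), MZ headers behind
non-executable extensions, Office attachments carrying a VBA project, and body
links to file-sharing hosts. Sample data is constructed inline for the demo.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed watchlist of file-sharing hosts; extend for your environment.
FILE_SHARING_HOSTS = {"dropbox.com", "drive.google.com", "onedrive.live.com",
                      "wetransfer.com", "box.com"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".wsf", ".hta", ".lnk"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm",
                 ".rtf", ".txt"}
MAGIC = {b"MZ": "Windows executable", b"%PDF": "PDF",
         b"PK\x03\x04": "ZIP/OOXML", b"\xd0\xcf\x11\xe0": "OLE2"}
URL_RE = re.compile(r"https?://([^\s/<>'\"]+)", re.I)


def split_exts(filename):
    """'Invoice.pdf.exe' -> ['.pdf', '.exe']"""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def sniff(data):
    """Identify the real file type from its leading bytes, not its name."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"


def has_vba_macro(data):
    """OOXML: look for vbaProject.bin. Legacy OLE2: heuristic search for the
    UTF-16LE '_VBA_PROJECT' stream name (assumed heuristic, not a full parser)."""
    kind = sniff(data)
    if kind == "ZIP/OOXML":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
        except zipfile.BadZipFile:
            return False
    if kind == "OLE2":
        return "_VBA_PROJECT".encode("utf-16-le") in data
    return False


def check_attachment(filename, data):
    findings = []
    exts = split_exts(filename)
    last = exts[-1] if exts else ""
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
        findings.append(f"{filename}: document-looking double extension hides {last}")
    elif last in EXECUTABLE_EXTS:
        findings.append(f"{filename}: executable attachment ({last})")
    if sniff(data) == "Windows executable" and last not in EXECUTABLE_EXTS:
        findings.append(f"{filename}: MZ header behind extension {last or '(none)'}")
    if has_vba_macro(data):
        findings.append(f"{filename}: Office document contains VBA project")
    return findings


def file_sharing_links(text):
    hits = []
    for host in URL_RE.findall(text):
        host = host.lower().split("@")[-1].split(":")[0]   # drop userinfo/port
        if any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS):
            hits.append(host)
    return hits


def triage(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    findings.extend(f"link to file-sharing host {h}" for h in file_sharing_links(text))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        findings.extend(check_attachment(name, data))
    return findings


def build_sample():
    """Constructed sample: a fake invoice lure with all three attachment tricks."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"      # constructed addresses
    msg["To"] = "cfo@example.org"
    msg["Subject"] = "Invoice 4471 - action required"
    msg.set_content("Hi, the invoice is attached. Full statement: "
                    "https://www.dropbox.com/s/abc123/statement.zip")
    msg.add_attachment(b"MZ" + b"\x90" * 62, maintype="application",
                       subtype="octet-stream", filename="Invoice_4471.pdf.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:       # minimal macro-enabled document
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Statement.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

The point of sniffing magic bytes alongside the filename is that the two lures the text describes pull in opposite directions: a double extension lies about the name while the bytes are honest, and a renamed executable lies about the bytes while the name looks harmless, so each check catches what the other misses.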
Exploit kits will become 'human kits'
Exploit kits (EKs) exploit known vulnerabilities in users' computers and servers. There has been a steady decrease in the total number of disclosed vulnerabilities. With enterprise users patching more consistently and improved security of browsers and operating systems, attackers are simply not getting the return on investment (ROI) they need.
EKs will become "human kits" with an extensive toolset of techniques designed to trick users into infecting their own machine with a malicious payload via malvertising or click bait or through convincingly individualised emails, such as those seen in the “personalised” email campaigns during 2016.
EKs will not disappear but will be more focused on regions that are slower to patch and where monitoring by researchers is less intense.
Business email compromise will continue to evolve, and the big losses will continue
Business email compromise resulted in more than US$3 billion in losses, according to recent estimates.
Business process changes will all but eliminate the eye-popping individual losses of 2015 and 2016 by adding more controls to the funds-transfer process. But these changes will not be universal, and outside the major business environments of North America and Europe it will remain possible for a single individual to carry out such transfers.
There will continue to be seasonal variants on business email compromise attacks similar to the “W2 request” campaigns that marked early 2016, but these will remain relatively infrequent.
Angler phishing will be fully automated
Angler phishing, in which attackers pose as a brand's customer-support account on social media to lure customers who are asking for help, has grown in the breadth of targets and the depth of social engineering techniques used. These attacks have not reached the levels of automation seen in exploit and phishing toolkits: you can still see copy-paste errors, grammatical and spelling mistakes, incorrect brands in messages, and other common mistakes that are the trademark of humans doing manual work.
Attackers will implement automation and some level of natural language processing to improve their attack techniques. With increased automation, attackers will scale up to more brands and more victims per campaign.
Attackers have already shown an ability to be aware of things like product launches so that they can launch their campaigns at a time when a lot of communication is expected on social support channels.
The pace of attacks via social media will continue to increase and explore new frontiers
Social media’s hyper-growth has paved the way for rapid growth of attacks on those platforms, which offer attackers a significantly higher ROI.
The year 2017 will see:
- Social scams and phishing grow by more than 100% year-over-year;
- Social media spam grow more than 500% year-over-year;
- Significant increases in fraud and counterfeiting using fake social accounts; and
- Significant increases in integrated fraud techniques using social media accounts, fake mobile apps, fraudulent websites, and imposter emails.
Snapchat is just one social media platform in the crosshairs in 2017. It has become one of the hottest social networking and communication platforms, and it is ripe for major campaigns.
Social payment platforms like Facebook, WeChat, Line, and others will be subject to sustained attacks. These ecosystems will get the attention of hackers from both vulnerability and social engineering perspectives.
Mobile threats: The genie is out of the bottle
Malicious clones of popular apps (fake apps), increased use of sideloading to distribute unauthorised apps, and the availability of targeted attack tools removed any lingering doubts that Android and, to a lesser extent, iOS mobile devices, and the humans who use them, are as vulnerable to attack as PCs.
In 2017, zero-day attacks such as the Pegasus spyware and the “Trident” iOS vulnerability chain it exploited will no longer be confined to state-sponsored actors targeting dissidents but will affect companies and individuals.
Cybercriminals will increasingly use the SMS and iMessage systems to deliver malicious URLs and zero-day attacks. These will be both broad-based, such as phishing for bank account passwords and debit cards; and targeted, including attacks on employees and executives.
These malicious and risky apps will expand to include fraudulent apps, where users are socially engineered into installing apps that are not from the company they purport to come from. These apps may be designed to infect mobile devices, or simply to make money by using a legitimate company’s brand to trick users into fraudulent credit card purchases or into clicking on fraudulent ads.
State-sponsored attacks will increase and expand beyond hacking and data breaches
The new US presidential administration brings many unknowns to the realm of US policy in areas ranging from trade to defence. Upcoming elections in France and other European countries also have the potential to bring a similar level of uncertainty.
There will be a resurgence of state-sponsored cyber attacks, and, in particular, sophisticated, stealthy intrusions (a.k.a. APTs) targeting all branches of the US government from a wide range of countries, including renewed action by relatively quiet Chinese state-sponsored actors.
Email will remain the primary attack vector for targeting individuals and organizations that might have access to data that will help foreign states understand and anticipate the policies and plans of the new US and European administrations in diplomatic and trade negotiations.
The nature of state-sponsored cyber attacks will expand significantly beyond theft of secrets and industrial espionage targeting enterprises.
With the effectiveness of doxing (searching for and publishing private or identifying information about a particular individual), data theft, embarrassing disclosures, and disinformation already demonstrated in multiple countries, more governments will attempt to use cyber attacks to steal information and leverage social media and news outlets to create discord and disruption in states that have the potential to interfere with the advancement of their interests.
In the social media realm, state-sponsored trolls have been used to target dissenters and critics, a practice already well-documented in Central and Eastern Europe, and evidence of it in the United States emerged during the months leading up to the US election. The year 2017 will see it employed more widely and more aggressively by a variety of state actors to influence public discussions and policy.