Five Web App Security Predictions for 2022

The year 2021 was eventful in the cybersecurity space as businesses continued to grapple with the post-COVID explosion in all things digital. At the same time, social distancing regulations have become more relaxed in recent months, which has allowed people to once again go outside and get off their devices. Cybercriminals have capitalized on these shifts to evolve their attacks once again.

Last year, we made five predictions for 2021. We correctly predicted stronger cybercrime communities and collaborations between them, and we’ll double down on that for the coming year. As we forecast, the increased adoption of GraphQL has led to more risk there. We correctly predicted growing bot attacks on hype sales, and indeed we have seen advancing sophistication and overall growth in attacks and tools built to target these coveted items over the last year.

We also forecast that the DevSecOps function would become mainstream. It is hard to call it mainstream yet, but it is definitely trending in that direction. Lastly, we speculated that “Buy Online Pickup In-Store” (BOPIS) would become one of the fastest growing fraud types. It is definitely a vehicle for fraud, but not at the level we thought it might be as many e-commerce merchants adopted safer authentication and verification methods to address this risk.

Now it’s time to look ahead to 2022. We predict spikes in custom malware, bot attacks and post-login fraud. Businesses will expand their security focus to include not only login and payment fraud, but also other types of fraud at different stages of the digital journey. Because of this, we believe 2022 will be the year of comprehensive account protection. This means approaching security from a perspective of the user’s account integrity and providing multiple tiers of protection throughout the application journey and the account lifecycle. Along that theme, here are our top five predictions for the coming year.

1. Preventing supply chain attacks will increase in priority

In December 2020, the SolarWinds hack was responsible for one of the biggest and most damaging supply chain attacks in recent history. The attack affected up to 18,000 organizations, including Microsoft and the US Government. Witness testimonies continued well into 2021, leading experts to predict that it might take years to fully account for the fallout. And Nobelium, the hacker group behind the SolarWinds attack, isn’t done yet. Just last month, CNBC reported that Nobelium has “been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain.”

At the same time, regulations on data privacy are getting tighter. First came the General Data Protection Regulation (GDPR) in 2016, which set parameters for when and how digital businesses could collect and sell information about consumers in the European Union. California responded with two pieces of legislation, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Now, New York is in the process of enacting its own legislation. This follows on the heels of a lawsuit alleging that Dunkin’ Brands Inc. failed to implement appropriate safeguards to protect consumer data. The company agreed to notify and refund hacked customers, and pay an additional $650,000 in penalties and costs as a result.

Until recently, account takeover (ATO) attacks have been measured only by direct payment losses, but now we’re starting to see fines and lawsuits as well. Regulators are increasingly calling on brands to be held accountable for users’ personal data. As they recognize their responsibility to protect PII, we expect online businesses to further tighten security and increase control and visibility into their data access. The SolarWinds attack reminded us that shoring up your software supply chain is critical to ensuring data protection, and that no one — not even the US Government — is guaranteed to be safe. According to a recent survey, 92% of website decision makers lack complete visibility into their software supply chains. Getting this visibility will be a top priority for companies aiming to prevent a major data breach and avoid massive regulatory fines in 2022 and beyond.

2. Over 50% of the largest 100 marketplaces will be hit by custom malware

Cybercriminals are increasingly tailoring their attacks to a company’s business model, rather than taking a one-size-fits all approach. By building malware that’s specifically designed to attack a single app, hackers can evade signature-based detection and steal massive amounts of sensitive information.

In June 2021, researchers discovered a 1.2-terabyte database of stolen data. The information was collected from 3.2 million Windows-based computers by custom malware that spread via trojanized Adobe Photoshop versions, pirated games and Windows cracking tools. Included in the database were 6.6 million files, 26 million credentials and 2 billion web login cookies, 400 million of which were still valid at the time of the database’s discovery.

Custom malware is inexpensive and readily available on the dark web. Attack tools are becoming commoditized and expert services are more widely offered by different hacker communities, making custom malware much more accessible and easy to build. YouTube is full of videos showing how to build and deploy malware on specific apps. One ad offered custom malware and lessons on how to use stolen data for just $100. We are witnessing the rise of a “Crime as a Service” (CaaS) ecosystem, which fuels an uptick in custom malware that targets specific applications or websites. Over the last year we have detected multiple cases of such custom malware targeting our customers. With its low barrier to entry and high potential to yield results, custom malware will become a more popular attack vector in 2022.

3. Digital businesses will focus more attention on addressing the post-login wasteland

Legacy solutions designed to prevent account takeover (ATO) attacks generally focus on one primary activity: login. They ask for credentials, serve up CAPTCHAs and, where possible, leverage multifactor authentication (MFA) to verify that the right credentials are being used. Unfortunately, account fraud isn’t that simple.

Validated credentials and account access can be acquired in ways that won’t be detected by credential stuffing protection. A few examples are malware stealing access tokens or key-strokes, social engineering, phishing, PII harvesting, or even just purchasing a list of validated usernames and passwords on the dark web. In these cases, the fraudster has the correct credentials and will pass through login security checks. Even MFA can be bypassed by malware stealing access tokens. This allows fraudsters to take over accounts and abuse them in a number of ways, such as stealing credit card information, changing account details including ship-to information and depleting loyalty points or credits accrued in the account. Once an account has successfully been accessed, downstream checks often don’t exist. We call this the “post-login wasteland.”

As cybercriminals find ways to bypass login checks it is necessary to implement additional checkpoints that provide broader visibility and control over account activity. Of course blocking bots is critical and necessary, but it doesn’t address the entire challenge. The post-login wasteland has been barren for far too long, and this leaves unprotected territory for cybercriminals to take over. In 2022, we expect online businesses to adopt solutions that address this issue. Understanding if a user is indeed who they say they are — and if their post-login activity is legitimate — will be key to maintaining accounts’ integrity.

4. Fraud will have a material impact on the EPS of a public company this year

In the past, many companies have brushed off fraud as just “a cost of doing business.” Business leaders have become somewhat accustomed to seeing fraud as an expense that while always present, is tolerable to the organization. Relative to other larger expenditures, focusing efforts on reducing fraud simply hasn’t been worth their time.

In line with the greater availability of custom attack tools and post-login fraud, we expect that overall fraud on online businesses across industries will increase. This will drive a change in mindset in 2022, as business leaders realize that fraud has a material impact on companies beyond just financial services. Recent research has shown that bad bots negatively impact 75% to 80% of operational costs for online retailers, which translates to between 18% and 23% of net revenue. When fraud translates to a few pennies’ impact on earnings per share (EPS), it will act as a wake up call for businesses to become more proactive.

Many business leaders zero in on payment fraud as the greatest risk, but this is just the tip of the iceberg. Other types of fraud — such as transferring funds, emptying gift cards and opening new credit applications — can be just as damaging to your revenue and brand reputation. As the impact of fraud continues to grow both in scale and sophistication, more businesses will have to start paying attention. They will come to recognize fraud at every entry point along the digital journey and will adopt solutions that can mitigate this risk.

5. At least one large retailer will abandon user/password verification and transition to passwordless or device-based authentication

The 2021 Verizon Data Breach Investigations Report (DBIR) found that 61% of this year’s data breaches involved credential data. And fraudsters no longer have to go through great lengths to get them. As I mentioned above, there are a variety of easy ways to obtain usernames, passwords and other personal information. Bad actors can purchase billions of credentials for as little as $2 and test them in automated credential stuffing attacks.

Security leaders have been laser-focused on protecting credentials, so much so that they may miss the larger shifts in the cybercrime landscape. Because stolen credentials are so widely available, getting usernames and passwords is no longer a deterrent to cybercrime — so businesses need to rethink their fraud prevention strategy. This means preventing not only the theft of credentials, but also the validation and fraudulent use.

Many enterprises have already enabled identity management solutions, single sign-on and passwordless verification to make credentials obsolete. After all, bad actors can’t steal your password if you don’t have one. In 2022, we predict that a few consumer-based businesses will begin to follow suit and eliminate the need for credentials altogether by adopting stronger solutions that do not rely on credentials only.

Looking ahead to 2022

To sum up our predictions, 2022 will be the year that security and business leaders will recognize just how varied fraud really is. Digital businesses will go beyond the granular focus on one type of attack versus another, and instead ensure that the integrity of their customers’ accounts and identities are protected at every stage of their online journey. This means adopting a platform that continuously learns and evolves in real time to detect and stop the abuse of identity and account information on the web. Enabling comprehensive account protection will be the only way to fight fraud on all fronts.

To learn more about these predictions and how to set your digital business up for success, click here to register for our webinar.

Originally published at https://www.perimeterx.com on November 16, 2021.