Are Hackers Getting Ahead of Cyber Security?
“‘… As phishing becomes more profitable, hackers are becoming increasingly sophisticated in the methods they use to steal passwords’, according to Tanmay Ganacharya, a principal director in Microsoft’s Security Research team.’”
We’re getting pretty used to seeing press releases like this on an ongoing, almost daily, basis. So it appears on the surface that cyber security teams are playing a losing game of catch-up as hacker shenanigans (particularly Ransomware of late) escalate.
The good news is hackers are not necessarily becoming more tech savvy. While with any tech (or crime in general, for that matter), there are standouts on both sides of the coin, hackers are not creating shiny new code en masse that is circumventing or breaking proven/updated cyber security measures, making security analysts reach for the Rogaine and re-examine their views on futility. In fact, many of the common threat tactics aren’t new at all. Instead, attackers are constantly refining older, proven methods to work around defenses.
Also bear in mind that many of today’s attacks are of the “low hanging fruit” variety such as weak database credentials, public exploit vulnerabilities, etc. In other words, hackers are not significantly more sophisticated, it’s just they’ve come up with a working set of discovery & exploitation tools to sweep and grab what comes back in these results with minimal effort. The effectiveness of these techniques is of course bolstered by the large amount of businesses that have improper, dated, or simply no protections in place to secure themselves.
Some Resurgence Retro Hacker Techniques
Many cyber security professionals note that Typosquatting is big again. With this phishing scheme (aka “URL hijacking”), attackers buy domains that are a slight misspelling of popular websites, like goggle.com or yuube.com. The tactic was a mainstay of the early days of the internet, but has recently seen a resurgence.
Another method that has been around since hacking became profitable is the use of fake credential pages and fake company emails. Not only are these also becoming more sophisticated, but they are getting better at targeting our fears and emotions. The broke Prince of Tanzaniania may not fool us anymore, but many emerging schemes can. And do. A good example of this is Lokibot, a commodity that capitalizes on our fears around COVID-19 and things like our obsession with gaming.
Why It Appears the Bad Guys are Winning
With some clever use of VPNs, backed with some easily obtainable “how-tos” on Reddit and YouTube and a plethora of idle time locked in one’s domicile, Phishing-as-a-service is becoming a booming cottage industry; it’s viewed as a home business, one that is both profitable and relatively low risk, especially to minors who only get a slap on the wrist if they get caught before tried as an adult.
It certainly doesn’t help that big corporations have been known to acquiesce to Ransomware demands and sweep everything under the rug, concerned more about shareholders and stock value over actual online safety for their customers and employees. Things are always a little shaky when the bottom line is the bottom line.
And of course, there’s the catch-22 cycle of the more something is in the news, the more popular it becomes, increasing the likelihood of nefarious curiosity. This is true for most media trends — the uptick of people that blur the lines between fame and infamy in pursuit of an easy buck or, perhaps worse, popularity.
Yet the biggest culprit in all of this is simply history. The more time goes on, the more case studies one has to pull from, the more information that is out there to cull from, therefore the more informed and savvy one can get. History doesn’t change, it just adapts.
If Old Works for Them, Old Works for Us
Don’t get me wrong, the cyber security industry always needs to look forward; needs to stay proactive and anticipate hacker trends and techniques, and find better ways to shore up infrastructures. But we can’t forget the need to look back at what works. At the crux of it all, the leakiest culprits are still default, easy, old and reused passwords, ignored dead accounts and good ole fashioned social engineering. Remember this mantra: hackers tend to log in, not break in.
Let’s go back to school and this time pay attention to the basics; vigilance, common sense — and don’t be so damn lazy.