It’s often said that the only constant in life is change. This certainly rings true in the realm of internet security, where the struggle between those who are trying to protect the digital world and those who are trying to exploit it remains a long-standing game of cat-and-mouse.
Volume 20 of Symantec’s Internet Security Threat Report (ISTR) reveals that cyberattackers are infiltrating networks and evading detection by hijacking the infrastructure of companies and turning it against them, while extorting end-users through their smartphones and social media to make some quick cash.
With high-profile breaches constantly making headlines, people are more aware of their cyber “risk factor” than ever before—but many still aren’t taking action or are stuck fighting against old tactics rather than facing attackers head-on.
In 2014, we saw attackers trick companies into infecting themselves by Trojanizing software updates to common programs and patiently waiting for their targets to download them. Once a victim had downloaded the software update, attackers were given unfettered access to the corporate network. Highly targeted spear-phishing attacks remained a favorite tactic for infiltrating networks, as the total number of attacks rose eight percent. What makes last year particularly interesting is the precision of these attacks. Spear-phishing attacks used 20 percent fewer emails to successfully reach their targets and incorporated more drive-by malware downloads and other web-based exploits.
We also found that attackers are:
- Using stolen email accounts from one corporate victim to spear-phish other victims higher up the food chain
- Taking advantage of companies’ management tools and procedures to move stolen intellectual property around the corporate network before exfiltration
- Building custom attack software inside the network of their victims to further disguise their activities
Malware creation is increasing
While these advanced attacks may grab most of the headlines, it’s important to recognize the prevalence and continued growth of malware, which increased 26 percent in 2014. In fact, there were more than 317 million new pieces of malware created last year—that’s nearly one million per day!
Symantec has observed that malware continues to grow in quality, as well as quantity. Malware authors have continued to discover new platforms to feast on and new ways to avoid detection. In 2014, we saw the share of malware that was “virtual machine aware” peak at 28 percent. This should serve as a wake-up call to security researchers who are dependent on virtual sandboxing to observe and detect malware, as virtual environments do not provide any level of protection.
Digital extortion on the rise: More devices held hostage in 2014
While most people associate “extortion” with Hollywood films and mafia bosses, cybercriminals have used ransomware to turn extortion into a profitable enterprise, attacking big and small targets alike.
Ransomware attacks grew 113 percent in 2014, driven by a more than 4,000 percent increase in crypto-ransomware attacks. Instead of pretending to be law enforcement seeking a fine for stolen content, as we’ve seen with traditional ransomware, crypto-ransomware holds a victim’s files, photos and other digital media hostage without masking the attacker’s intention. The victim will be offered a key to decrypt their files, but only after paying a ransom that can range from US$300-$500 with no guarantee that their files will be freed.
While these attacks have traditionally only plagued PCs, we’re seeing more ransomware crop up on other devices. Notably, we observed the first piece of crypto-ransomware on Android devices in 2014.
Take back control of your data
It may seem like attackers are overwhelming us at every angle, but as they persist and evolve, so do we. There are many simple steps you can take right now to get ahead—and stay ahead—of attackers.
- Don’t get caught flat-footed: Use advanced threat intelligence solutions to help you find indicators of compromise and respond to incidents more quickly.
- Employ a strong security posture: Implement multi-layered endpoint security, network security, encryption, and strong authentication and reputation-based technologies. Partner with a managed security service provider to extend your IT team.
- Prepare for the worst: Incident management ensures your security framework is optimized, measurable, and repeatable, and that lessons learned improve your security posture. Consider adding a retainer with a third-party expert to help manage crises.
- Provide ongoing education and training: Establish guidelines and company policies and procedures for protecting sensitive data on personal and corporate devices. Regularly assess internal investigation teams and run practice drills to ensure you have the skills necessary to effectively combat cyber threats.
- Use strong passwords: This cannot be emphasized enough. Use strong and unique passwords for your accounts and devices, and update them on a regular basis—ideally every three months. Never use the same password for multiple accounts.
- Be cautious on social media: Don’t click links in unsolicited email or social media messages, particularly from unknown sources. Scammers know people are more likely to click on links from their friends, so they compromise accounts to send malicious links to the account owner’s contacts.
- Know what you’re sharing: When installing a network-connected device, such as a home router or thermostat, or downloading a new app, review the permissions to see what data you’re giving up. Disable remote access when not needed.
For more information on the ISTR and to read the full report, please visit symantec.com/threatreport.