In 2017, attackers will continue to exploit humans to install malware, transfer funds, and steal information, with significant changes in techniques and behavior across the three main vectors that target people: email, social media, and mobile apps.
Advanced threats will turn down the volume
In 2016, almost every week seemed to bring a new, unprecedented peak in the volume of email campaigns delivering Locky ransomware. These campaigns target hundreds of millions of potential recipients globally, so that even with low delivery rates many thousands of messages still reach their targets. The same scale, however, increases the likelihood that security vendors and researchers will observe and analyze the campaigns' new techniques and payloads. Exploit kit actors, despite incorporating increasingly sophisticated filtering designed to hide their activity, likewise found that scale can carry as many risks as rewards.
We predict that in 2017, small will be the new big, as sophisticated threat actors return to smaller, more targeted campaigns to deliver their malware payloads. High-volume email campaigns will continue but will be reserved for ‘commodity’ payloads such as zipped executables and scripts (including JavaScript) delivering off-the-shelf ransomware variants, while smaller, more targeted campaigns will increase in both number and sophistication. Exploit kits will continue their recent trend of operating at smaller scale and shifting their geo-targeting to regions where their activities are less likely to be monitored by researchers and vendors.
Malicious macros finally run out of gas
Last year, we predicted that the high-volume malicious macro campaigns of 2015 would fade away by the middle of 2016. This prediction came true in the broad sense: by the time of the massive campaigns that followed the Necurs botnet outage in June, JavaScript and other zipped executable attachment campaigns distributing Locky (backed by Dridex actors) had largely replaced document attachments containing malicious macros. However, malicious macros remained widely used in smaller, more focused campaigns distributing banking Trojans such as Dridex, Ursnif, and Vawtrak, and -- in the latter part of 2016 -- a wide variety of other payloads, from keyloggers and RATs to downloaders and information stealers. Continuous innovation in malware sandbox evasion breathed new life into these macro attacks, but we expect that by April 2017 even those measures will no longer be sufficient to drive infection rates that return a profit on these campaigns. Zipped script attachments (.js, .wsf, .hta, .vbs) will continue but will occupy the same low-value range as zipped executables. At the same time, cyber criminals will continue to improve and expand the automation of spear-phishing in larger-scale ‘personalized’ campaigns, adding more identifying, personal details to increase the credibility of their messages. Exploit-driven document attacks are unlikely to regain prominence (see next section); instead, attackers will focus even more intensely on social engineering as the central part of the infection chain: getting users to click on embedded executables within documents, or tricking them into installing malicious payloads disguised as legitimate applications that are delivered as attachments, as links to legitimate hosting and file-sharing services, or dressed up as familiar parts of the Windows user experience.
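The zipped script and executable attachments described above are cheap to catch at the mail gateway before any sandboxing, because the lure depends on the file name rather than on an exploit. The following is an added example, not code from the original page or from any vendor product: it walks a zip attachment (including one level of nested archives), flags members whose extension is a script or executable type, double extensions such as `scan.pdf.exe`, the right-to-left override character used to hide the real extension, and encrypted members that cannot be inspected at all. The extension sets, the `MAX_NESTING` limit and the sample archive built by `build_sample_zip()` are assumptions constructed for the example.

```python
import io
import zipfile
from typing import List, Optional, Tuple

# Extension sets are assumptions for this example: the passage names .js, .wsf,
# .hta and .vbs scripts and zipped executables; close relatives are added.
SCRIPT_EXTS = {"js", "jse", "wsf", "wsh", "hta", "vbs", "vbe", "ps1", "cmd", "bat"}
EXEC_EXTS = {"exe", "scr", "pif", "com", "dll", "msi", "jar"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
MAX_NESTING = 2  # how many archive-in-archive levels to descend


def classify_member(name: str) -> Optional[str]:
    """Return a reason if the member name looks like a script/executable lure, else None."""
    base = name.rsplit("/", 1)[-1]
    if "\u202e" in base:
        # Right-to-left override reverses the visible tail of the name, so
        # "photo\u202egpj.scr" renders as "photorcs.jpg" in many clients.
        return "right-to-left override in filename"
    parts = base.lower().split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext in SCRIPT_EXTS:
        reason = "script attachment ." + ext
    elif ext in EXEC_EXTS:
        reason = "executable attachment ." + ext
    else:
        return None
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        # Double extension such as scan.pdf.exe, relying on hidden extensions.
        reason += " disguised as ." + parts[-2]
    return reason


def risky_members(zip_bytes: bytes, depth: int = 0) -> List[Tuple[str, str]]:
    """Walk a zip (and nested zips) and return (member path, reason) pairs."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:
                # Encrypted member: the password is usually in the email body and
                # the scanner cannot see inside, which is itself worth flagging.
                findings.append((info.filename, "encrypted member, content not inspectable"))
                continue
            reason = classify_member(info.filename)
            if reason:
                findings.append((info.filename, reason))
            elif info.filename.lower().endswith(".zip") and depth < MAX_NESTING:
                for inner_name, inner_reason in risky_members(zf.read(info.filename), depth + 1):
                    findings.append((info.filename + "!" + inner_name, inner_reason))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment: a script lure, a double-extension EXE,
    a benign text file, and a nested zip carrying a .wsf script."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as izf:
        izf.writestr("order.wsf", "<job><script language='JScript'>/* placeholder */</script></job>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_4471.js", "// placeholder stub, not real malware")
        zf.writestr("scan.pdf.exe", b"MZ placeholder")
        zf.writestr("readme.txt", "benign text")
        zf.writestr("attachment.zip", inner.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    for path, why in risky_members(build_sample_zip()):
        print(f"{path}: {why}")
```

Name-based checks like this are a first filter, not a verdict: a `.docm` macro document or a benign-looking `.lnk` passes through untouched, so the output should feed a policy (quarantine scripts, detonate the rest) rather than replace content inspection.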
Exploit kits will give way to ‘human kits’
As their name implies, exploit kits are powered by the availability of reliably effective exploits that can be aimed at the computers of potential victims. From this perspective, the steady decrease over the last several years in the total number of disclosed vulnerabilities and, more importantly, in the number of published exploits targeting them represents a risk to the business model of this piece of the cyber criminal’s toolkit. With new exploitable vulnerabilities in increasingly short supply, organizations and users patching more consistently, browsers and operating systems becoming harder to exploit, and attackers needing to chain multiple exploits together, the collapse of the exploit kit landscape over the course of 2016 can be read at least in part as a recognition by threat actors of the new reality of exploit-based attacks: exploits have a shorter effective life and are an increasingly unreliable vehicle for distributing malware. We already saw a similar awakening in the email landscape in 2015, when social engineering attacks in the form of document attachments with malicious macros largely replaced PDF and Office document exploits.
In 2017, we expect that exploit kits will undergo a similar evolution by adopting an increasingly social engineering focus: sophisticated groups, including those using EKs and malvertising, will continue to reduce their focus on exploits and put more effort into fooling the human. Exploit kits will become ‘human kits,’ with an extensive toolset of techniques designed to trick users into infecting their own machine with a malicious payload, with users lured in via malvertising or clickbait or through convincingly individualized emails, such as those observed in the “personalized” email campaigns that we have seen over the course of 2016. At the same time, exploit kits will not disappear; instead, they will become more focused, targeting clients in regions that have traditionally been slower to patch and where monitoring by researchers is less intense. New EK actors will still enter the market with features that enable them to extract the most value out of the available vulnerabilities, whether disclosed or zero-days.
BEC will continue to evolve and the big losses will continue
Since mid-2015, business email compromise (BEC) has been a major threat to organizations, resulting in over $3 billion in losses according to recent estimates. Overall BEC losses will increase even as individual incidents of massive losses decrease, thanks to improved business processes and financial controls in larger organizations. In enterprises, business process changes that add controls to the funds transfer process will all but eliminate the eye-popping individual losses of 2015 and 2016. Unfortunately, these changes will not be universal: outside the major business environments of North America and Europe it will remain possible for a single individual to carry out these transfers. In regions where improved controls are put in place, small and midsize businesses will remain susceptible to these attacks and will see their share of the overall losses increase. Moreover, we will continue to see seasonal variants of BEC, similar to the “W2 request” campaigns that marked early 2016, but these will remain relatively infrequent.
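BEC messages carry no malware, so the process controls mentioned above are the main defense; the signals a mail filter can still act on are in the headers. The following is an added example, not code from the original page: it scores a raw message on the classic BEC indicators, namely an executive's display name on an address that is not theirs, a `Reply-To` domain that differs from the `From` domain, a sender domain that imitates the company domain (one edit away, a homoglyph substitution such as `examp1e.com`, or the same label on another TLD), and funds-transfer or W-2 language in the subject. `COMPANY_DOMAIN`, the `EXECUTIVES` directory, the `URGENT_TERMS` list and both sample messages are assumptions constructed for the example.

```python
import email
from email.utils import parseaddr
from typing import List

# Assumptions for this example: the protected organisation's domain and a small
# directory of executives whose names are commonly impersonated in BEC.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com", "john roe": "john.roe@example.com"}
# Subject phrases that typically accompany funds-transfer and W-2 requests.
URGENT_TERMS = ("wire transfer", "w-2", "w2", "urgent", "payment", "confidential")


def fold_homoglyphs(s: str) -> str:
    """Normalise common look-alike substitutions (rn->m, vv->w, 0->o, 1->l)."""
    return s.replace("rn", "m").replace("vv", "w").translate(str.maketrans("01", "ol"))


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # deletion from a
        elif len(a) < len(b):
            j += 1          # insertion into a
        else:
            i += 1          # substitution
            j += 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def lookalike_domain(domain: str) -> bool:
    """Flag domains that imitate COMPANY_DOMAIN without being it or a subdomain of it."""
    if domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN):
        return False
    same_label = domain.split(".", 1)[0] == COMPANY_DOMAIN.split(".", 1)[0]
    return (fold_homoglyphs(domain) == fold_homoglyphs(COMPANY_DOMAIN)
            or within_one_edit(domain, COMPANY_DOMAIN)
            or same_label)


def bec_indicators(raw_message: str) -> List[str]:
    """Return human-readable indicators that a message looks like a BEC lure."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    indicators: List[str] = []

    # 1. Display-name impersonation: known executive name, wrong mailbox.
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and from_addr.lower() != expected:
        indicators.append(f"display name '{display_name}' belongs to {expected} but sender is {from_addr}")

    # 2. Replies are steered to a mailbox the attacker controls.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_addr and reply_domain != from_domain:
        indicators.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Registered look-alike of the company domain.
    if from_domain and lookalike_domain(from_domain):
        indicators.append(f"sender domain {from_domain} imitates {COMPANY_DOMAIN}")

    # 4. Urgency and payment language in the subject.
    subject = msg.get("Subject", "").lower()
    hits = [t for t in URGENT_TERMS if t in subject]
    if hits:
        indicators.append("subject contains " + ", ".join(repr(h) for h in hits))
    return indicators


# Constructed sample messages; only the headers matter for these checks.
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.janedoe@freemail-provider.example>
To: accounts.payable@example.com
Subject: Urgent wire transfer - confidential

Are you at your desk? I need a payment sent before close of business today.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: accounts.payable@example.com
Subject: Q3 planning notes

Attached are the notes from this morning.
"""

if __name__ == "__main__":
    for label, sample in (("bec", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(label, bec_indicators(sample))
```

Each indicator on its own produces false positives (executives do mail from personal accounts, and marketing tools set `Reply-To` routinely), which is why the function returns the list rather than a verdict: two or more together on a message addressed to finance is a reasonable threshold to hold the message for review, and none of it replaces the out-of-band confirmation step for the transfer itself.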
Angler Phishing will be fully automated
In the past year, Angler Phishing (in which attackers pose as a brand’s customer-support account on social media to intercept users asking that brand for help) has grown both in the breadth of targets and in the depth of the social engineering techniques it employs. Yet these attacks have not reached the levels of automation commonly seen in exploit and phishing toolkits: in 2016 you could still see copy-paste errors, grammatical and spelling mistakes, the wrong brand named in messages, and other common mistakes that are the trademark of humans doing manual work. In 2017 we predict that attackers will introduce automation and some light natural language processing (NLP) to improve their attack techniques. With increased automation we should see attackers scaling up to more brands and to more victims messaged in each campaign. Attackers have already shown an ability to track product launches so that their campaigns coincide with periods of heavy traffic on social support channels; we expect this to increase in 2017 as their tooling becomes more scalable.
The pace of attacks via social media will continue to increase, and explore new frontiers
The hypergrowth of social media paved the way for similarly rapid growth in attacks on social media platforms, coupled with a concurrent evolution in attacks that use social media as a vector. Because attacks on social media offer significantly higher ROI, we expect the rate of growth of these attacks to increase in 2017. Specifically, we expect that 2017 will see:
- Social scams and phishing grow by more than 100% year over year
- Social media spam grow more than 500% year over year
- Significant increases in fraud and counterfeiting using fake social accounts
- Significant increases in integrated fraud techniques using social media accounts, fake mobile apps, fraudulent websites, and imposter emails
One social media platform that will be particularly in the crosshairs in 2017 is Snapchat. Snapchat has become one of the hottest social networking and communication platforms, yet thus far attackers have not carried out major attacks with any consistency on this platform. We predict that in 2017, either a number of major campaigns will be launched with great success, or a major security vulnerability in the platform itself will be revealed, with proof-of-concept (POC) code made available.
In addition, social payment platforms are highly likely to come under more sustained attack in 2017. As the current social media platforms become increasingly advanced, many of them (such as Facebook, WeChat, Line, and others) have launched payment services. These services are increasing their transaction volume as their platforms’ ecosystems become more feature-rich. In 2017, this growth in ecosystems and transaction volume will get the attention of attackers, and the payment platforms are ripe for targeted attacks from both a vulnerability and a social engineering perspective.
Mobile threats: The genie is out of the bottle
2016 was a watershed year in the mobile threat landscape: the risk from malicious clones of popular apps, increased use of sideloading to distribute unauthorized apps, and the availability of targeted attack tools for mobile devices combined to remove any lingering doubt that mobile devices -- and the humans who use them -- are as vulnerable to attack as PCs, and perhaps more so because these risks remain less well understood. In 2017, zero-day attacks such as the Pegasus mobile attack kit and the associated “Trident” vulnerabilities will no longer be confined to state-sponsored actors targeting dissidents, but will come to affect companies and individuals. Leveraging these and other tools, cybercriminals will increasingly use SMS and iMessage to deliver malicious URLs and even zero-day exploits. These attacks will be both broad-based, such as phishing for bank account passwords and debit card details, and targeted, including attacks on employees and executives. At the same time, the category of malicious and risky apps will expand to include fraudulent apps, where users are socially engineered into installing apps that do not come from the company they purport to be from. These apps may be designed to infect mobile devices, or simply to make money by using a legitimate company’s brand to trick users into fraudulent credit card purchases or into clicking on fraudulent ads.
State-sponsored attacks will increase and expand beyond hacking and data breaches
The new US Presidential administration brings many unknowns to the realm of US policy in areas ranging from trade to defense. Upcoming elections in France and other European countries also have the potential to bring a similar level of uncertainty. As a result, in 2017 we expect a resurgence of state-sponsored cyber attacks, and, in particular, sophisticated, stealthy intrusions (aka APTs) targeting all branches of the US government from a wide range of countries, including renewed action by relatively quiet Chinese state-sponsored actors. As the campaign reported on November 9 demonstrated, email will remain the primary vector for targeting individuals and organizations who might have access to data that will help foreign states understand and anticipate the policies and plans of the new US and European administrations in diplomatic and trade negotiations. Moreover, the nature of state-sponsored cyber attacks will expand significantly beyond theft of secrets and industrial espionage. With the effectiveness of doxing, data theft, embarrassing disclosures, and disinformation already demonstrated in multiple countries, more governments will attempt to use cyber attacks to steal information and leverage social media and news outlets to create discord and disruption in states that have the potential to interfere with the advancement of their interests. In the social media realm, state-sponsored trolls have been used to target dissenters and critics, a practice already well-documented in Central and Eastern Europe, and evidence of it in the United States emerged during the months leading up to the US election. 2017 will see it employed more widely and more aggressively by a variety of state actors in order to influence public discussions and policy.