Darknets will be the perfect storm for cybercriminals, as they continue to trade and share tools and tactics in the uncharted shadows of the Internet. The current reality wherein cybercriminals anonymously syndicate malicious activities by employing censorship-resistant services like Tor and other darknet services will continue to be a growing problem in 2015.
While cybercriminal arrests and operation disruptions related to SpyEye and GameOver occurred this year, law enforcers and crooks will continue to play a cat-and-mouse game, as the latter arguably continue to become even nimbler and more elusive. Shifts in the underground market's supply and demand will push cybercriminals to put on even darker cloaks in an attempt to make anonymity a deal breaker when it comes to crimeware trade. As one market shuts down, another will pop up. Cybercriminals will encourage users and peers alike to go to the deep recesses of the Web to take part in highly coveted illegal activities like viewing leaked celebrity photos or engaging in unlawful commerce, as in the case of the recent iCloud® hack.
Trend Micro will continue to provide relevant threat intelligence, research findings, and solutions to law enforcement partners and users alike to further cybersecurity. We will strive to keep tabs on Deep Web activities to even the fight against cybercriminals, including those who operate well under the radar.
No one is safe from getting hacked. Along with the rapidly growing Web population and widespread smart device use, cybercrime will continue to coexist with technology, people, and the Internet as a whole. Users who habitually connect with others, whether through social media or other platforms, will feed on and share more data. That said, we will see more data breaches in 2015. Though the urgency to steal from individuals via smash-and-grab jobs is slowly waning, attackers increasingly pursued big-name organizations like eBay, P.F. Chang’s, Target, and Home Depot for way bigger returns.
As we draw closer to 2015, we will see users learn more about today’s online threats, upgrade their security software, and practice safe computing habits. They will employ better password management, delink accounts from one another, and even create separate online identities for personal and professional use. Some may even go as far as decreasing their online presence, as the uphill battle with attackers continues.
The ever-growing popularity of smartphones and mobile devices is a double-edged sword. It will perpetually connect people, things, and data to one another and push cybercriminals to continue exposing and exploiting security weaknesses and poorly kept personal data.
And because mobile device users are more inclined to conduct financial transactions via various e-payment modes, they will become prime fraud targets. Finding and exploiting Android™ device and platform bugs like FakeID and the master key vulnerability are but signs of bigger problems ahead.
An exploit kit similar to the Blackhole Exploit Kit that specifically targets mobile device users will emerge to take advantage of fragmentation and similar problems. Installing malicious apps and visiting malicious sites will no longer be the sole mobile device infection vectors. “Automated” vulnerability exploitation through cross-platform interaction will also come into play. Plugging infected mobile devices into computers will also lead to bigger problems. Users should thus keep their devices and apps updated. Downloading apps and patches only from trusted and legitimate sources will also help.
Targeted attack campaigns will continue to burgeon in 2015. They will no longer just originate from and set their sights on countries like the United States. Attackers will also emanate from other countries, since we’ve seen attacks from India, Vietnam, and the United Kingdom, among others. Following the success of high-profile targeted attacks, even cybercriminals will regard proven tactics and tools as more practical means to get their hands on what they want.
From 2015 onward, we will see attackers use social media to hunt for high-value targets. They will no longer limit themselves to instigating watering-hole attacks and using spear-phishing emails. They will dramatically expand the attack surface to include Wi-Fi-enabled wearable devices running vulnerable firmware.
Based on previous attacks, targeting financial institutions and point-of-sale (PoS) systems will remain a fertile field for attackers in the future. The need for better security analytics will become more imperative, along with innovative solutions hinged on an operational security model that is responsive to real-time threats and current risks.
We expect to see a massive transformation in payment systems as Apple Pay™ gains critical mass among iPhone® users in the next 18 months. While this new payment system is still in the incubation period, cybercriminals will continue to try exploiting near field communication (NFC) to take advantage of Apple’s notable penchant for adopting the technology.
As the mobile payment ecosystem evolves, so will cybercriminal tools and tactics so they can gain access to sensitive data without arousing suspicion. Because NFC essentially operates with the premise that users will be able to pay with their mobile devices, attackers will waste no time in developing NFC-enabled mobile apps feigning legitimacy. Google Wallet™ users learned this when a malicious app that happened to be granted NFC privileges was found capable of stealing their account information and money. Recently launched m-commerce schemes like that of WeChat, if they become mainstream, can also become prime cybercrime targets.
As NFC is poised to become more relevant than ever, users should realize that attackers can and will find ways to intercept NFC tags in transit. Mobile device manufacturers should thus take action and keep security in mind from the moment they design products and decide what features they’ll come equipped with. Technologies, when properly configured and used, do offer innumerable benefits. Unfortunately, developing them without security in mind could lead to grave consequences.
2014 was remarkably tainted with the discovery of bugs as big as Heartbleed and Shellshock. Even worse, cybercriminals are nowhere near done exposing and exploiting bugs in open source infrastructure and software like Open Secure Sockets Layer (SSL) and Bash. That said, we will see more open source bug exploitations in 2015. Heartbleed and Shellshock opened a can of worms. Attackers will start deconstructing technologies that were once considered secure.
As industry giants like Microsoft increase their focus on security, we will see a decline in exploit attacks against big-name products and services. We expect attackers to shift their attention to exploiting bugs in open source software, which may suffer from faulty component auditing. Open source components may not, after all, undergo security reviews as rigorous as those that commercial products go through.
From 2015 onward, users will start to realize that virtually all devices and apps, including smart devices and appliances, that access the Web can be hacked. Patching software and upgrading devices are of utmost importance. Organizations, meanwhile, should routinely check their networks for signs of attack and immediately test and deploy available patches. It is also wise to invest in more intelligence-based security solutions that provide real-time protection backed by global threat information sources.
While we expect to see an upward surge in smart device use, securing the IoE/IoT space will entail a broader approach to keep endpoints and networks protected against potential threats. Though we will not see widespread IoE/IoT attacks in 2015, we will see white-hat hacking attempts to spot weaknesses in already-available smart devices like smart refrigerators and cameras as well as wearables. As cybercriminals gain a better understanding of the IoE/IoT realm, however, we will see them slowly target smart devices in an attempt to blackmail or extort money from victims.
As we increasingly smartify our homes, we should also pay attention to cloud security. Attackers are, after all, bound to employ better tactics to hack the data that we increasingly store in the cloud. Remember that failing to secure the data kept in the cloud can translate to giving virtually anyone, even bad guys, access to it. Though security practitioners will be compelled to better respond to breaches to regain public trust, at the end of the day, you are responsible for your own data.
Weak security practices, even in developed countries like the United States, such as not enforcing the use of two-factor authentication and the adoption of chip-and-PIN technology, will contribute to the rise in online banking and other financially motivated threats.
We’ve seen the online banking malware volume steadily rise throughout the first half of 2014. Apart from data-stealing ZeuS malware, VAWTRAK also affected a multitude of online banking customers specifically in Japan, contributing to the overall volume growth in the second quarter of the year. Complex operations like Emmental, which proved that even the two-factor authentication measures that banks employed could be flawed, also figured in the threat landscape.
In the next few years, cybercriminals will no longer just launch financially motivated threats against computer users; they will increasingly go after mobile device users as well. They are likely to use fake apps and Domain Name System (DNS) changers and launch mobile phishing attacks similar to those we’ve already seen in the past. They won’t stop at just gaining access to victims’ online banking accounts; they will even go so far as stealing their identities. And to come up with even stealthier mobile threats, we will see the emergence of packers akin to those used on computer malware.
The success of targeted attacks in obtaining user data will also inspire cybercriminals to better employ reconnaissance to make more money from their malicious schemes. Cybercrooks will use proven targeted attack methodologies for short-selling and front-running schemes.
The growing risks online banking threats pose should motivate individuals and organizations alike to use the two-factor authentication measures and hardware or session tokens that banks and other financial institutions provide. Payment card providers in the United States and other countries, meanwhile, should put data security at the forefront by making the use of chip-and-PIN cards and PoS terminals mandatory, especially amid the breaches hitting big-name companies left and right.