The Biggest Cybercrime Threats of 2019

A New Year means a fresh start, but it doesn’t mean that old threats
will go away. In fact, in the world of cybersecurity things could get far worse before they get better. Cybercrime continues to increase, as it
allows nefarious actors to operate at a safe distance from victims — and
more importantly, law enforcement.

Because it rarely is violent in nature, cybercrime often doesn’t get the same response from international law enforcement as other types of crimes. It is far from victimless, however. It is a threat of enormous magnitude, with the potential to affect nearly every company in the world. It even ranks as one of the biggest problems plaguing mankind.

On a global basis, cybercrime will cost US$6 trillion
annually by 2021, double the toll of 2015, according to the Official 2019 Annual Cybercrime Report from Cybersecurity Ventures.

This is the largest amount of money generated by illicit means, and it could represent
the greatest transfer of economic wealth in history. Cybercrime soon will be more profitable than the global trade of all major illegal drugs combined!

Cybercrime is not one thing. It is many — and fighting it requires understanding the various shapes it comes in. Following is a look at the various types of cybercrime, and things that can be done to fight it.

Phishers Continue to Cast Their Lines

One of the original cybersecurity threats hardly has evolved, but it is
unlikely to go away anytime soon.

“Phishing will always continue as long as it works,” warned Satya
Gupta, CTO of Virsec, a developer of data security software.

In 2019 we can “expect it to become
more targeted and specific to organizations,” he told the E-Commerce Times.

“Phishing is here to stay because it’s simple, it’s cheap, and it will
work as long as people continue to read their emails,” noted Matan
Or-El, CEO of Panorays, a provider of third-party security management.

“Users should be on guard against downloading applications from
untrusted sources,” warned Will LaSala, director of security
solutions at OneSpan.

“Phishing remains an easy mechanism to harvest logins and email
addresses and potentially passwords, and users should continue to
adopt multifactor authentication for all their accounts to help
protect against phishing attacks,” he told the E-Commerce Times.

This is among the biggest cybersecurity threats, but it also could be one of the
easiest to stop, as it relies on human error to work. It is typically
just social engineering, rather than complex coding.

“Companies should train their employees on the risks of phishing
attacks and how to avoid them,” said Mike Bittner, digital security
and operations manager for The Media Trust, a firm that provides real-time security for digital properties.

“This type of training should be part of creating a culture that makes
cybersecurity a strategic imperative across the organization,” he told the E-Commerce Times.

Ransomware on the Rise

Tied closely to phishing scams is the growing threat of ransomware,
which can lock a user, or even an organization, out of a computer or
network. Even more concerning, it may not be just computer systems or networks that are at risk.

“Ransomware isn’t going away; in fact, we will probably see even more
of it targeting consumers in 2019,” said Hank Thomas, CEO of Strategic Cyber Ventures.

“This will be ransomware at scale, targeting a wider swath of
middle class Americans that are equally eager to make the problem go
away with a quick payment as corporate America was,” he told
the E-Commerce Times.

Corporate targets likely will remain in the crosshairs of those
who find this an effective illicit business strategy, and due
diligence may not be enough to stop all the threats.

“Healthcare remains, by far, the No. 1 target for ransomware, with
more than half of all attacks targeting healthcare directly,” warned
Pravin Kothari, CEO of cloud security software company CipherCloud.

“Ransomware will also continue as long as there are underprotected
systems with data that hasn’t been adequately backed up,” said Virsec’s Gupta.

“However,ransomware threats are increasingly being used as red
herrings to distract from other types of attacks on critical
infrastructure,” he added.

The greatest danger of ransomware, once again, isn’t that it will block user access to data, but that it could make the leap to any connected device — from automobiles to smart homes. The Internet of Things has opened a brave new world for hackers to lock users out of!

“Businesses need to begin to secure their IoT mobile and Web
applications with the same controls that are being deployed for other
markets, like multifactor user authentication, and application
shielding and secure user onboarding,” said OneSpan’s LaSala.

So far that hasn’t happened, and many users may not expect that their
cars, thermostats and doorbells need the same level of security as
their PCs.

“People have already been affected by IoT and automobile exploits, but
so far there isn’t big money to be had from it, so the scale of this
activity remains small,” noted Jim Purtilo, associate professor in
the computer science department at the University of Maryland.

“We’ll see just how weak are IoT protections, just as soon as it is in
the interests of an aggressor to trigger chaos,” he told the E-Commerce Times.

Here is where healthcare could face a one-two punch.

“In the case of healthcare, many medical devices are also IoT devices,”
CipherCloud’s Kothari told the E-Commerce Times.

“They have closed operating systems, proprietary code, and wireless
connectivity,” he added. “These devices are essential to healthcare
operation and are likely to be targeted as the cyberwar on hospitals
escalates.”

Protecting the Cloud

The movement of more and more data off site to cloud-based
services could direct cybercriminals to the cloud as well.
Because their data is off site, many businesses wrongly may assume that it is secure, but that faith may be unwarranted. Choosing a cloud provider should come
down to the level of security it provides, and its track record in keeping data secure.

“The cloud is really more like a swamp of data, and it’s not this
idealistic place of security rainbows and data unicorns,” warned
Strategic Cyber Ventures’ Thomas.

“Nobody really wants to trudge through it, but you know it’s where the
best treasure probably is,” he added. “So it just might be worth it to
spend a lot more time there, since the security is often really just a
bunch of annoying mud, mosquitoes and thorns that are more of a
nuisance than real security.”

The question now is whether enough really is being done to keep data secure. The cloud holds treasures comparable to those of Fort Knox, but in many
cases it lacks the same level of security.

“Effective cloud security requires strong protection at the
application layer, particularly with externally facing Web, mobile and API application assets,” suggested Franklyn Jones, CMO at Cequence Security, a venture-backed cybersecurity software company.

“These are prime targets for the growing number of automated bot attacks,” he told the E-Commerce Times.

“These attacks are nearly impossible to detect with traditional
security tools because they involve the use of legitimate user names
and passwords, not malware or APTs,” Jones added. “Therefore, cloud
security architectures need to include tools that can detect the
underlying behavior and intent of application transactions, which is
essential to stop malicious automated bots.”

The Rising Threat of Digital Ad Fraud

One of the lesser-known types of cybercrime is one few people know
much about, but one that affects more and more people each year. Digital ad fraud makes it difficult for online content publishers to generate revenue.

Advertisers lose an estimated $19 billion to fraudulent activities each year — equivalent to $51 million daily — according to a report from Juniper
Research published last year.

More worrisome is the forecast that ad fraud could reach $44 billion by 2022. The
bulk of fraudulent ads affect video, but all content providers online, including newspaper publishers, are potential victims of ad fraud.

This has reached a point where law enforcement is taking it seriously.

The Department of Justice last year announced a 13-count indictment
against eight men for various cybercrimes, including what the FBI identified as the biggest-ever ad fraud investigation. The group, which has been dubbed “3ve” (pronounced “eve”), included six Russian nationals and
two Kazakhstani citizens.

“In digital advertising, the most common scams take the form of
malicious or hijacked ads redirecting Internet users to phishing
pop-ups that enable bad actors to commit identity and credit card
theft,” said The Media Trust’s Bittner.

“In such attacks, bad actors pose as legitimate advertisers and use a
compromised site to propagate phishing scams,” he said. “All
organizations are vulnerable to these attacks, which can have multiple
phases as the first attack opens up the organization to later ones.”

The (Crypto) Currency of Cybercrime

It is now probably safe to say that 2018 didn’t exactly become the
year of cryptocurrency — at least to the degree many had suggested. However, it
was the year that cryptocurrency became a key tool in many ransomeware
schemes — including the threats that personal data would be released
online unless the hacker was paid.

That particular threat turned out to be bogus, but it highlighted the fact that bitcoin and other digital currencies could offer a less-traceable way
for criminals to be paid — at least in theory.

“Cryptocurrencies remain the exchange mechanism of choice for cybercriminals who need whatever direction they can get while fleecing victims,” suggested University of Maryland’s Purtilo.

However, bitcoin and its rival digital currencies aren’t the perfect
solution for cybercriminals — at least not yet.

“Rampant use of cryptocurrencies for illicit use is a glaring
misconception,” explained Strategic Cyber Ventures’ Thomas.

“Bitcoin, the most widely used and secure cryptocurrency, is
pseudonymous and easily traceable — making cash a much more logical
choice for many criminals,” he added. “Other more privacy-centric
cryptocurrencies do exist and can be used for these purposes. However,
privacy is never entirely rid of traceability, and attribution is often
inevitable.”

There are other reasons cybercriminals may shy away
from bitcoin and other cryptocurrencies.

“Many of these are faced with illiquid markets, making cashing out to
fiat currency incredibly difficult and costly,” said Thomas.

The bigger threat in cryptocurrency might not be in how it is used, but rather how it is created — as in “mined.” Bitcoin and other currencies are created by having computers solve complex mathematical equations, and this is dubbed “mining.”

Criminals often remotely control computers or computer networks
to take on some of the computer processing. This ties to other
nefarious threats, such as phishing or ad fraud, in which users are
directed to an illicit website that runs Javascript on a webpage that
then turns a user computer into a remote miner.

“Cryptojacking attacks played a very major role in cybersecurity last
year,” said The Media Trust’s Bittner.

“Cryptojacking has surpassed ransomware as a pervasive digital threat
in many countries. Although cryptocurrency has failed to reach the
critical mass many had earlier predicted, malicious actors will
continue to use cryptojacking for its stealth and relative ease,”
he warned.

“The fact that cryptojacking requires no interaction
with the unknowing victim makes attacks easier to deliver and possible
to repeat,” Bittner said. “Cybercriminals may draw from the well again and again.”

The Next Thing in Cybercrime

A pressing concern with cybercrime and cybersecurity is not what
criminals are involved with today, but what they might target tomorrow
and beyond.

“The scams I would worry about the most are the ones the good guys
haven’t dreamt up and prepared for yet,” said Thomas.

“The scenarios are essentially limitless, with the number of criminals
and intelligence services around the world constantly looking to gain
access to Western enterprises and users,” he added.

“Consumers — average-Joe Americans without much of any real security —
will remain most vulnerable, but aren’t the biggest target,” noted
Thomas. “Lucrative business and government targets will keep that
honor in 2019. Phishing will continue to be a popular and efficient
avenue of approach to gain entry to both consumer and business
targets.”

It appears that what works today, sadly, will continue to work for cybercriminals as 2019 unfolds.


Peter Suciu has been an ECT News Network reporter since 2012. His areas of focus include cybersecurity, mobile phones, displays, streaming media, pay TV and autonomous vehicles. He has written and edited for numerous publications and websites, including Newsweek, Wired and FoxNews.com.
Email Peter.