10 Warning Signs Cyberattacks Will Escalate

Organized Cybercriminals Often Recover From Setbacks

Financially motivated cybercriminals who steal account credentials and credit card data haven't had to spend a lot of time investing in sophisticated attack techniques and advanced malware. Instead, they have invested in stronger evasion tactics to avoid detection and in increasingly powerful back-end systems that support attack campaigns. The goal is to quickly sort through large volumes of stolen data and sell it on underground forums for the highest price before authorities are alerted to a breach.

Attacks will continue to escalate, said Brett Stone-Gross, a security researcher in Dell SecureWorks' Counter Threat Unit. The noted threat researcher, who assisted law enforcement in bringing down the GameOver Zeus botnet in June, told CRN that despite recent law-enforcement victories against specific cybercriminal groups, the threat landscape continues to evolve with new and increasingly sophisticated methods. Here are 10 reasons why cybercrime will continue to escalate.

10. Social Engineering Exploits Human Fallibility

Russian authorities reportedly arrested the suspected creator of the Black Hole Exploit kit last year, causing the notorious attack toolkit to fade away. Black Hole was the most popular toolkit sold as a subscription service and was regularly updated with exploits for newly disclosed vulnerabilities. Criminals can now choose from an assortment of new exploit kit services that have taken its place. But Stone-Gross said spammers and other cybercriminals are moving away from exploit kits in favor of phishing messages carrying malicious email attachments, a tried-and-true attack technique.

"At the end of the day, the weakest link is the actual user," Stone-Gross said. "People still fall prey to social engineering attacks more than anything else."

9. Ad Exchanges, Click Fraud

Cybercriminals are increasingly inserting themselves into the targeted traffic flowing through the complex ad exchanges that feed ad networks. That access supports click fraud operations and can spread malware (malvertising) through legitimate ad networks on popular websites.

Click fraud has become a big business for some criminal groups, which have developed techniques to stay below the thresholds of antifraud detection, Stone-Gross said. Look for click fraud to continue until ad exchanges are forced to strengthen their detection measures, and for criminals to respond with more sophisticated techniques, he said.

8. Two-Factor Authentication Bypass

Zitmo (Zeus-in-the-mobile), a mobile variant of the notorious Zeus Trojan, highlights the transition from strictly PC-based attacks to tactics designed to target mobile users. Banks use two-factor authentication, sending a one-time code via SMS text message to the user as an extra validation step to authorize a transaction. It makes account hijacking a little more difficult for criminals.

But criminals now use social engineering to walk victims through installing what is presented as a new security certificate on the phone. That "certificate" is the malware: the victim installs it by hand, and it intercepts incoming SMS messages and forwards them to the criminals, who then hold the one-time code they need. It defeats SMS-based two-factor authentication, Stone-Gross said.

7. Apple Model More Secure

Apple's closed ecosystem model makes it difficult to get malware onto an iPhone because all the software is signed, so its authenticity can be verified before it runs, Stone-Gross said. Only jail-broken iOS devices can run unsigned code.

By default, Android devices also refuse to install apps from outside the official store. The Android model otherwise allows any software to run on the phone, but the user has to enable installation from third-party ("unknown") sources first. Malware authors use clever social engineering tactics to get users to enable that setting manually, Stone-Gross said.

Look for modern malware that stealthily enables that setting on Android devices without asking the user. Stone-Gross and other experts agree that mobile malware will grow more sophisticated over time.

6. More Sophisticated Malware Downloaders

Trojan downloaders, the tiny programs that execute first on a victim's PC and establish communication with a remote server from which additional malware is fetched, are becoming increasingly sophisticated, according to Stone-Gross.

Early signs of sophistication were a simple time delay before the downloader executed, but the latest downloaders can determine which antivirus program is present and whether they are running inside a sandbox or virtual machine. A downloader can be programmed never to execute if it sees signs that it would be caught by security software or analyzed by malware researchers. Look for evasion techniques to improve and evolve as new analysis technologies come to market.
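To make the environment checks concrete, here is an added example (not code from any real downloader, and not Stone-Gross's or Dell SecureWorks' code) of the go/no-go logic such a downloader implements: it scores a set of host facts against hypervisor MAC prefixes, analysis and antivirus process names, and hardware sizes, and checks whether a sleep delay was skipped by the sandbox. The host facts are a constructed dict so the code runs offline; the OUI list, process names, weights and threshold are illustrative assumptions. Defenders use the same logic in reverse, to make sure their sandboxes do not trip these checks.

```python
"""Sandbox/VM evasion heuristics of the kind a downloader uses.

Added example, not any real downloader's code. Host "facts" are a
constructed dict so the logic runs offline; the OUI/process lists,
weights and threshold are illustrative assumptions.
"""
import time

# MAC address prefixes (OUIs) registered to common hypervisor vendors.
VM_MAC_PREFIXES = ("00:05:69", "00:0c:29", "00:50:56",   # VMware
                   "08:00:27",                           # VirtualBox
                   "00:15:5d",                           # Hyper-V
                   "52:54:00")                           # QEMU/KVM

# Process names analysis tooling typically leaves running (assumed list).
ANALYSIS_PROCESSES = {"vboxservice.exe", "vmtoolsd.exe", "wireshark.exe",
                      "procmon.exe", "ollydbg.exe", "x64dbg.exe"}

# Security products the sample refuses to run alongside (assumed list).
AV_PROCESSES = {"msmpeng.exe", "avp.exe", "avgnt.exe", "mcshield.exe"}


def suspicion_score(facts):
    """Return (score, reasons) for a dict of host facts.

    Keys: macs (list of str), processes (list of str), cpu_count (int),
    ram_gb (float), uptime_s (int), disk_gb (float). Missing keys are
    treated as "looks like a real machine".
    """
    score, reasons = 0, []
    if any(m.lower().startswith(VM_MAC_PREFIXES) for m in facts.get("macs", [])):
        score += 3
        reasons.append("hypervisor MAC OUI")
    procs = {p.lower() for p in facts.get("processes", [])}
    if procs & ANALYSIS_PROCESSES:
        score += 3
        reasons.append("analysis tooling running")
    if procs & AV_PROCESSES:
        score += 2
        reasons.append("antivirus present")
    if facts.get("cpu_count", 8) < 2:
        score += 1
        reasons.append("single CPU")
    if facts.get("ram_gb", 16) < 2:
        score += 1
        reasons.append("low RAM")
    if facts.get("disk_gb", 500) < 60:
        score += 1
        reasons.append("small disk")
    if facts.get("uptime_s", 86400) < 600:
        score += 1
        reasons.append("fresh boot")
    return score, reasons


def should_detonate(facts, threshold=3):
    """The downloader's decision: stay dormant if the host looks analyzed."""
    score, _ = suspicion_score(facts)
    return score < threshold


def sleep_is_accelerated(seconds=0.2, tolerance=0.5):
    """Sandboxes often patch sleep calls to skip time delays. Compare the
    requested delay with a monotonic clock: if far less wall time passed
    than requested, the delay was faked."""
    start = time.monotonic()
    time.sleep(seconds)
    elapsed = time.monotonic() - start
    return elapsed < seconds * tolerance


# Constructed sample hosts (not real telemetry).
SANDBOX_HOST = {
    "macs": ["08:00:27:3a:1b:2c"],
    "processes": ["explorer.exe", "VBoxService.exe", "procmon.exe"],
    "cpu_count": 1, "ram_gb": 1.0, "uptime_s": 120, "disk_gb": 40,
}
VICTIM_HOST = {
    "macs": ["3c:52:82:aa:bb:cc"],
    "processes": ["explorer.exe", "outlook.exe", "chrome.exe"],
    "cpu_count": 4, "ram_gb": 8.0, "uptime_s": 5 * 86400, "disk_gb": 500,
}

if __name__ == "__main__":
    for name, host in (("sandbox", SANDBOX_HOST), ("victim", VICTIM_HOST)):
        print(name, suspicion_score(host), "detonate:", should_detonate(host))
    print("sleep accelerated:", sleep_is_accelerated())
```

The scoring is deliberately additive: a single weak signal (a fresh boot, say) is not enough to abort, because real victims reboot too, but a hypervisor OUI plus a running debugger is decisive. A sandbox that wants to see the second stage has to pass every one of these checks at once, including letting the sleep actually elapse.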

5. Lurk Malware Highlights Rising Sophistication

Lurk, a targeted malware downloader, uses steganography, the technique of hiding messages inside images, which until now has been more commonly associated with the intelligence community than with financially motivated crime.

Stone-Gross said this new wave of targeted attacks embeds an encrypted URL into images by manipulating individual pixels, which makes it difficult to detect: the image still looks and scans like an ordinary picture. The campaign infected more than 350,000 computers and earned its operators more than $250,000 in a short period of time. Using advanced techniques developed for nation-state cyberespionage to hide malicious code is well established in targeted attacks, but increased attention on advanced threats could accelerate the adoption of those techniques in broader crimeware campaigns.
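The page says Lurk hides an encrypted URL in pixel values but does not describe the encoding, so the following added example (not Lurk's code, and not Dell SecureWorks' analysis) uses the simplest scheme that matches that description: one payload bit per colour-channel least-significant bit (LSB), a 16-bit length prefix, and a SHA-256 counter-mode keystream for the XOR "encryption". The cover image is a constructed in-memory RGB buffer so no image library is needed; the key and URL are placeholders.

```python
"""Hiding an encrypted URL in image pixels by LSB steganography.

Added example of the technique, not Lurk's code or encoding. The cover
image is a constructed RGB byte buffer; KEY and URL are placeholders.
"""
import hashlib


def keystream(key, n):
    """n bytes of keystream from key via SHA-256 in counter mode
    (illustrative; a real implementation would use an AEAD)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def xor(data, key):
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def embed(pixels, payload, key):
    """Return a copy of `pixels` (bytearray of RGB channel bytes) whose
    LSBs carry len(ciphertext) as 16-bit big-endian, then the ciphertext."""
    ct = xor(payload, key)
    blob = len(ct).to_bytes(2, "big") + ct
    bits = [(byte >> (7 - i)) & 1 for byte in blob for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload too large for cover image")
    out = bytearray(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit   # overwrite only the low bit
    return out


def extract(pixels, key):
    """Recover the payload from an image produced by embed()."""
    def read_bytes(offset_bits, count):
        result = bytearray()
        for b in range(count):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (pixels[offset_bits + b * 8 + i] & 1)
            result.append(byte)
        return bytes(result)
    length = int.from_bytes(read_bytes(0, 2), "big")
    return xor(read_bytes(16, length), key)


def channel_diff(original, stego):
    """(bytes changed, largest per-channel change). Each channel moves by
    at most 1, which is why the picture looks identical and why scanning
    the image file for a URL string finds nothing."""
    diffs = [abs(a - b) for a, b in zip(original, stego)]
    return sum(1 for d in diffs if d), max(diffs)


# Constructed 64x64 RGB cover "image": a gradient, 12288 channel bytes.
COVER = bytearray((x * 3 + c * 7) & 0xFF for x in range(4096) for c in range(3))
KEY = b"example-key"                          # placeholder
URL = b"http://example.invalid/payload.bin"   # placeholder

if __name__ == "__main__":
    stego = embed(COVER, URL, KEY)
    print(extract(stego, KEY))
    print("changed/max delta:", channel_diff(COVER, stego), "of", len(COVER))
```

Without the key an analyst who spots the LSB pattern still only gets ciphertext, which is the point of encrypting before embedding; the practical detection angle is the downloader's own behaviour (an image fetch followed by a connection to a URL that never appeared in any traffic), not the image content.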

4. CryptoLocker Copycats Emerge

CryptoLocker, the notorious ransomware that encrypted files and network shares and extorted an unlock fee from victims, emerged at the end of 2013. It relied on the GameOver Zeus botnet to spread its infections.

Analysis of the threat uncovered the domain-generation algorithm (DGA) behind CryptoLocker, which produced about 1,000 candidate command-and-control domains a day. Once researchers could predict the future domains, they could register or block them ahead of the criminals, and the ransomware was effectively cut off from its operators, Stone-Gross said. But copycats are emerging: CryptoWall has recently surfaced, demanding Bitcoin payment after locking up a victim's files. Look for newer ransomware to add code obfuscation and algorithm protections that foil malware analysis and lengthen attack campaigns.
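The page does not describe CryptoLocker's actual DGA, so this added example (not CryptoLocker's algorithm, not Dell SecureWorks' code) uses a generic stand-in with the same shape: a deterministic function of the date that yields a fixed number of candidate domains, which the malware walks until one resolves and which a defender who has reversed it can pre-compute for any future day. The second half shows the defensive use, matching predicted domains against constructed DNS log lines. The 1,000-per-day figure is the page's; the TLD list, label length and log format are assumptions.

```python
"""Date-seeded domain generation and the defender's prediction of it.

Added example. The real CryptoLocker DGA is not described on the page,
so this is a generic stand-in; TLDS, label length and the DNS log
format are assumptions, and SAMPLE_LOG is constructed.
"""
import datetime
import hashlib

TLDS = ("com", "net", "org", "biz", "info", "ru")
DOMAINS_PER_DAY = 1000   # the page's figure for CryptoLocker


def generate_domains(day, count=DOMAINS_PER_DAY):
    """Yield `count` candidate C2 domains for `day` (datetime.date).

    Anyone with the algorithm and the date gets the same list, which is
    what lets both the bots and the researchers compute it."""
    seed = day.strftime("%Y%m%d").encode()
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        # 12 lowercase letters from the digest, TLD chosen by the last byte.
        label = "".join(chr(97 + b % 26) for b in digest[:12])
        yield f"{label}.{TLDS[digest[-1] % len(TLDS)]}"


def predict_blocklist(start, days):
    """Pre-compute every domain the malware will try in the window, so
    they can be sinkholed, registered first, or blocked at the resolver."""
    block = set()
    for d in range(days):
        block.update(generate_domains(start + datetime.timedelta(days=d)))
    return block


def flag_dns_queries(log_lines, blocklist):
    """Return (client, qname) pairs whose query is a predicted DGA domain.
    Log format assumed: 'timestamp client qname', space separated."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _, client, qname = parts
        if qname.lower().rstrip(".") in blocklist:
            hits.append((client, qname))
    return hits


START = datetime.date(2014, 6, 2)   # arbitrary date for the demo
# Constructed log: the 5th DGA domain for START from one host, one benign query.
DGA_EXAMPLE = list(generate_domains(START, 5))[4]
SAMPLE_LOG = [
    f"2014-06-02T10:00:01 10.0.0.5 {DGA_EXAMPLE}",
    "2014-06-02T10:00:02 10.0.0.7 www.example.com",
]

if __name__ == "__main__":
    bl = predict_blocklist(START, 7)
    print(len(bl), "domains predicted for one week")
    print(flag_dns_queries(SAMPLE_LOG, bl))
```

Two consequences follow from the structure. A bot that queries hundreds of never-registered names a day is itself a detection signal (NXDOMAIN volume) even before the algorithm is reversed, and once it is reversed the operators must change the seed or the algorithm, which is why the text expects copycats to protect this code from analysis.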

3. New GameOver Zeus Emerges

A new variant of GameOver Zeus has emerged without the peer-to-peer communications mechanism that made the original botnet resilient to takedowns. It also lacks the complex affiliate business network tied to the original botnet.

Stone-Gross speculates that a single group controls the latest variant and may be using it to probe for security and law-enforcement monitoring. A peer-to-peer communication layer could be added later, he said. Look for criminal organizations to test malware, infrastructure and communication mechanisms more thoroughly to bolster resiliency, Stone-Gross said.

2. Criminal Business Arrangements Grow Increasingly Complex

Stone-Gross and other security researchers studying cybercriminal organizations point to increasingly complex business arrangements, including myriad affiliate networks and intermediaries that oversee botnet rental agreements and handle payments.

Meanwhile, law enforcement is busy untangling a complex money-laundering operation that spans dozens of countries, with bosses in Saint Petersburg, Russia, at its core. Look for criminal business operations to become even harder to probe as political instability and economic sanctions potentially deepen the money-laundering entanglement.

1. GameOver Zeus Botnet Copycats

The criminals behind the GameOver Zeus botnet built a complex peer-to-peer network of infected computers under their control and ran a business that rented out portions of the botnet for custom attack campaigns, Stone-Gross said. The botnet had multiple layers and built-in countermeasures that made it difficult to disrupt, and monitoring it gave researchers a treasure trove of information about new malware families and attack techniques, he said.

Increased ACH and wire-fraud losses at banks tied to GameOver Zeus drew the attention of law enforcement. Look for other criminal groups to copy GameOver Zeus and build new botnets with modern mechanisms to defeat law enforcement and security researchers, he said.