WEB AND MOBILE FRAUD
GDPR fines could become weapon of choice for cyber extortion
As cyber criminals concentrate on targeted, strategic, money-making attacks, they are likely to use GDPR fines as leverage to extort money from organisations, a report warns.
The past 12 months have seen an increase in ransomware, cryptocurrency mining and business email compromise attacks, according to the latest security roundup report by security firm Trend Micro.
These attacks indicate that cyber criminals are refining and targeting their attacks for greater financial return, and it is therefore likely that in 2018 they use the threat of the European Union’s GDPR fines for extortion, the report said.
The report validates Trend Micro’s previous predictions for 2018, with cyber criminals increasingly abandoning exploit kits and indiscriminate attacks in favour of more strategic attacks designed to improve their return on investment.
The switch to more strategic attacks is further underlined by the fact that although the number of reported breaches was lower than in 2016, the amount of data compromised by cyber attacks increased.
Based on this trend, the report said is likely that some will try to extort money from enterprises by first determining the penalty under the GDPR that could result from an attack, and then demanding a ransom of slightly less than that fine.
Security commentators believe many organisations may be willing to pay off extortionists not only to avoid GDPR-related fines, but also to avoid damage to their organisation’s reputation. The maximum GDPR fine of €20m or 4% of global turnover has given cyber criminals a clear guide to what organisations might be willing to pay to hush up a breach or get back control of stolen data.
“The 2017 roundup report reveals a threat landscape as volatile as anything we’ve seen, with cyber criminals increasingly finding they’re able to gain more – whether it’s money or data or reputation damage – by strategically targeting companies’ most valuable assets,” said Jon Clay, director of global threat communications for Trend Micro.
“It confirms our view that there is no silver bullet when it comes to the sheer range of cyber threats facing organisations. Businesses instead need a cross-generational security solution that uses a blend of proven security protections with the best new defenses to mitigate risk effectively.”
The report also reveals a 32 per cent increase in new ransomware families from 2016 to 2017; a doubling of business email compromise (BEC) attempts between the first and second half of 2017; and soaring rates of cryptocurrency mining malware, peaking at 100,000 detections in October.
According to the report, BEC attempts to trick company employees into approving money transfers to criminal accounts increased by 22 per cent from 2016, with the most targeted position being the chief financial officer (CFO).
Vulnerable internet of things (IoT) devices are also a major security risk across several trending threats, the report said. Trend Micro detected more than 45.6 million cryptocurrency mining events during the year, representing 49 per cent of all IoT events observed.
Software vulnerabilities also continued to be targeted, with 1,009 new flaws discovered and disclosed in 2017 through Trend Micro’s Zero Day Initiative (ZDI), which involves more than 3,500 independent white hat researchers.
The researchers noted an increase in vulnerabilities for Adobe, Google and Foxit products, but a decrease in those for Apple and Microsoft products in 2017, compared with the previous year.
“Regardless of the direction the numbers took, however, the fact remains that vulnerabilities are being continuously discovered and thus are permanent security risks that enterprises in particular should always be heedful to,” the report said.
With ZDI’s contributing researchers, Trend Micro found that the vulnerability count for supervisory control and data acquisition (Scada) systems typically used in industrial and critical infrastructure environments dropped to 144 in 2017 from 177 in 2016, a 19 per cent decrease.
However, there was a steep rise in zero-day vulnerabilities between 2016 and 2017 of 98 per cent, with all but six of these being Scada-related. Zero-day vulnerabilities related to Scada systems surged from 46 in 2016 to 113, a 146 per cent increase.
Security negligence still remains a big issue for all enterprises, the report said, with many using out-of-date software and failing to keep software security patches up to date.
In 2017, several big-name enterprises succumbed to different forms of cyber crime and huge amounts of money and information were lost in the process, but in many cases this was the result of “a destructive combination of security oversights, increasingly aggressive threats and, at times, complete carelessness”, the report said.
Unsurprisingly, the report said, customers are finding it harder to be forgiving of companies that demonstrate heedlessness when it comes to cyber security. “In the face of cyber threats, therefore, enterprises stand to lose their clients’ unquantifiable trust and patronage, on top of many billions of dollars and bytes of data,” the report warned.