2012 Predictions: Websense Security Labsby Steve Ragan - Dec 6 2011, 12:45
Today’s predictions, continuing the 2012 prediction series, comes from Websense Security Labs. This year, they predict a mix of threats, including turning smartphones into ATMs, and a boom in BlackHat SEO attacks, thanks to several upcoming events.
“2011 proved that in the world of enterprise security, anything and everything goes. This year, as broader adoption of mobile, social and cloud technologies explodes, we will see the bad guys move rapidly to take advantage of this shift,” commented Dan Hubbard, Websense’s CTO.
“Almost all of the major attacks of 2011 employed a web component, whether as a vector, command-and-control center, or the pipeline for stolen data and critical IP. Web attacks are going beyond the browser and as the number of API web requests gains momentum we will see attackers using the APIs for their own malicious exploitation.
“The most advanced criminals are going to ride the waves of personal devices, personal social media use, and personal web activities of employees to create more advanced, social engineering attacks to get in. Many of the business and government attacks in the coming year won't necessarily be about how complex the code is, but how well they can convincingly lure unsuspecting victims to click.”
- Your social media identity may prove more valuable to cybercriminals than your credit cards. Bad guys will actively buy and sell social media credentials in online forums.
Spammers have been buying parcels of email credentials for a couple years now. We’ve seen carder sites where criminals can buy and sell your credit card information for pennies on the dollar. Want a South African issued card with a $25,000 limit with the user’s PIN? How about one from the U.S. issued by a bank in the Northeast along with the user’s social security number? Old news.
Today, your social identity may have greater value to the bad guys. Facebook has more than 800 million active users, and over half of them log on daily and they have an average of 130 friends. Trust is the basis of social networking, so if a bad guy compromises your social media log-ins, there is a good chance they can manipulate your friends.
- The primary blended attack method used in the most advanced attacks will be to go through your social media 'friends,' mobile devices and through the cloud.
Blended attacks used to be predominately about the use of email and web together. Many of the recent so-called advanced persistent threats (APTs) were simply email phishing scams. In 2012, advanced attacks are going to increasingly use at least two, and sometimes all, of the following emerging technologies: social media, cloud platforms, and mobile.
We’ve already seen one APT attack that used the chat functionality of a compromised social network account to get to the right user. Expect this to be the primary vector in the most persistent and advanced attacks of 2012.
- 1,000+ different mobile device attacks coming to a smartphone or tablet near you.
People have been predicting this for years, but in 2011 it actually started to happen. Expect more increases in exposed vulnerabilities from black hats and white hats in the coming year for mobile devices. In 2012, we estimate that you’ll see more than 1,000 different variants of exploits, malicious applications, and botnets infecting that device glued to your hand and plugged into your head. We’ll at least see a new variant every, day.
Indeed, if application creators don’t protectively sandbox their apps, we’re also likely to see versions of malware that access your banking and social credentials as well as other sensitive data on your phone. This includes your work documents and any cloud applications you may have on that handy device.
We’ll also start seeing significantly more social engineering designed to specifically lure mobile users to infected apps and websites. And watch out: the number of people who fall victim to believable social engineering scams will go through the roof if the bad guys find a way to use mobile location-based services to design hyper-specific geolocation social engineering attempts.
- SSL/TLS will put net traffic into a corporate IT blind spot.
Two items are increasing traffic over SSL/TLS secure tunnels for privacy and protection. First, the disruptive growth of mobile and tablet devices are moving packaged software to the cloud and distributing data to new locations. Second, many of the largest, most commonly used websites, like Google search, Facebook, and Twitter have switched their sites to default to https sessions. You’d think this would just be a positive, since it encrypts the communications between the computer and destination.
But as more traffic moves through encrypted tunnels, many traditional enterprise security defenses (like firewalls, IDS/IDP, network AV, and passive monitoring) are going to be left looking for a threat needle in a haystack, since they cannot inspect the encoded traffic. These blind spots provide a big doorway for cybercriminals to walk through.
- Containment is the new prevention.
For years, security defenses have focused on keeping cybercrime and malware out. There’s been much less attention on watching outbound traffic for data theft and evasive command and control communications. But multiple studies show that the majority of data theft is related to hacking and malware.
Websense Security Labs research estimates that more than 50 percent of data loss incidents happen over the web. DLP deployments have been delayed because of traditional long-winded, overwrought, and extensive data discovery projects. In 2012, organizations will look to stop data theft at corporate gateways that detect custom encryption, geolocations for web destinations, and command and control communications.
Organizations on the leading edge will implement outbound inspection and will focus on adapting prevention technologies to be more about containment, severing communications, and data loss mitigation after an initial infection.
- The London Olympics, U.S. presidential elections, Mayan calendar, and apocalyptic predictions will lead to broad attacks by criminals.
SEO poisoning has become an everyday occurrence. You name the trend—it’s going to be poisoned. Websense Security Labs still sees highly popular search terms deliver a quarter of the first page of results as poisoned. As the bigger search engines have become more savvy on removing poisoned results, criminals in 2012 will use the same techniques ported to new platforms.
They will continue to take advantage of today’s 24-hour, up-to-the minute news cycle, only now they will infect users where they are less suspicious: Twitter feeds, Facebook posts/emails, LinkedIn updates, YouTube video comments, and forum conversations. We recommend extreme caution with searches, wall posts, forum discussions, and tweets dealing with the topics listed above, as well as any celebrity death or other surprising news from the U.S. presidential campaign.
- Social engineering and rogue anti-virus will continue to reign.
Scareware tactics and the use of rogue anti-virus, which decreased a bit in 2011, will stage a comeback. When you combine how easy it is to acquire a malicious tool kit with the prevalence of the tools, which are designed to cause massive exploitation and compromise of websites, the result is resurgence in this type of crimeware.
Except, instead of seeing “You have been infected” pages, we anticipate three areas will emerge as growing scareware subcategories in 2012: a growth in fake registry clean-up, fake speed improvement software, and fake back-up software mimicking popular personal cloud backup systems. Also expect that the use of polymorphic code and IP lookup will continue to be built into each of these tactics to bypass blacklisting and hashing detection by security vendors.