By Yury Namestnikov, Head, Global Research and Analysis Team, Kaspersky
- Attacks against Libra and TON/Gram
The successful launch of crypto currencies such as Libra and Gram might lead to the worldwide spread of this type of asset, which naturally will attract the attention of criminals. Given the serious surge in cybercriminal activity during the rapid growth of Bit coin and altcoins in 2018, we predict that a similar situation will most likely unfold around Gram and Libra. Large players in this market should be especially careful, as there are a number of APT groups, such as Wild Neutron and Lazarus, whose interests include crypto assets. They are very likely to exploit these developments.
- Reselling bank access
During 2019, we witnessed cases where groups who specialize in targeted attacks on financial institutions appeared in the victims’ networks after intrusions by other groups that specialize in selling rdp/vnc access, such as FXMSP and TA505. These facts are also confirmed by underground forums and chat monitoring. In 2020, we expect an increase in the activity of groups specializing in the sale of network access in the African and Asian regions, as well as in Eastern Europe. Their prime targets are small banks, as well as financial organizations recently bought by big players who are rebuilding their cyber security system in accordance with the standards of their parent companies.
- Ransom ware attacks against banks
This forecast logically follows from the previous one. As mentioned above, small financial institutions often become the victims of opportunistic cybercriminals. If these criminals cannot resell access, or even if it becomes less likely that they will be able to withdraw money, then the most logical monetization of such access is ransom ware. Banks are among those organizations that are more likely to pay a ransom than accept the loss of data, so we expect the number of such targeted ransom ware attacks to continue to rise in 2020. Another ransom ware attack vector against small and medium financial institutions will be a ‘pay-per-install’ scheme. Traditional botnets will eventually turn into increasingly popular delivery mechanisms against financial institutions.
- 2020: the return of custom tooling
Measures taken by antivirus products to effectively detect open source tools used for pen testing purposes, and the adoption of the latest cyber defense technologies, will push cybercrime actors to return to custom tooling in 2020 and also invest in new Trojans and exploits.
- Global expansion of mobile banking Trojans: result of leaked source
Our research and monitoring of underground forums suggests that the source code of some popular mobile banking Trojans was leaked into the public domain. Given the popularity of such Trojans, we expect a repeat of the situation when the source code of Zeus and Spy Eye Trojans were leaked: the number of attempts to attack users will increase at times, and the geography of attacks will expand to almost every country in the world.
- Investment apps on the rise: new target for criminals
Mobile investment apps are becoming more popular among users around the globe. This trend won’t go unnoticed by cybercriminals in 2020. Given the popularity of some fintech companies and exchanges (for both real and virtual money), cybercriminals will realize that not all of them are prepared to deal with massive cyber attacks, as some apps still lack basic protection for customer accounts, and do not offer two-factor authentication or certificate pinning to protect app communication. Several governments are deregulating this area and new players are appearing every day, becoming popular very quickly. In fact, we have already seen attempts by cybercriminals to substitute the interfaces of these apps with their own malicious versions.
- Mage carting 3.0: even more attacker groups and cloud apps to become prime targets
Over the past couple of years, JS skimming has gained immense popularity among attackers. Unfortunately, cybercriminals now have a huge attack surface that consists of vulnerable e-commerce websites and extremely cheap JS skimmer tools available for sale on various forums, starting at £150 ($200). At the moment we are able to distinguish at least 10 different actors involved in these types of attacks and we believe that their number will continue to grow during the next year. The most dangerous attacks will be on companies that provide services such as e-commerce as a service, which will lead to the compromise of thousands of companies.
- Political instability leading to the spread of cybercrime in specific regions
Some countries are experiencing political and social upheaval, resulting in masses of people seeking refugee status in other countries. These waves of immigration include all sorts of people, including cybercriminals. This phenomenon will result in the spread of geographically localized attacks in countries that have not previously been affected by them.