The fast moving world of information security faces a new challenge as attackers are increasingly focusing on mobile users, embracing cryptoransomware in particular. This makes a change from the years before 2014 as mobile attacks increase exponentially alongside increasing smartphone usage.
Between 2012 and 2013 the number of malware affecting mobiles and the high-risk apps that act as their vehicle more than doubled to 1.4 million. During 2014, that number nearly trippled to 4.3 million, writes Maria Korolov for CSOnline.com. A further handful of malware affecting iOS was also reported – though numbers were low for iPhone users.
Along with the increase in sheer number – the amount of apps related to banking or finance grew from a dozen in 2013 to more than 2,000 – the tactics used by criminals are also changing. More and more attacks are being leveraged by the use of exploit kits, as well as shortened URLs and watering hole attacks.
A watering hole attack targets a normally trustworthy site that has regular visitors from employees of an organization. These types of phishing sites are increasing, in part due to the incredibly cheap domain registrations and ready-made templates.
The new avenues of attack offered by mobile usage are present in the figures. Traditional desktops and laptops saw a drop in ransomware infection, going from 84,000 in 2013 to 48,000 in 2014. However, the cryptoransomware infections increased from a mere 2,000 to over 15,000.
An increase in point of sale (POS) malware has also been reported. Attackers are turning to other business-types including hotels, restaurants and parking lots as payment systems increasingly go online. The number of POS RAM scraper families grew from three in 2013 to ten the following year as the malware becomes more technologically advanced and robust.
While – on a positive note – the number of zero-day vulnerabilities declined over the course of the year this does not mean organizations are any more secure. Hackers aren’t necessarily inventing new malware; what you’re seeing is more builder code being used, as well as pre-existing malware delivered through new vehicles.
Furthermore, the dramatic migration of traditional criminals to the online world’s darker underbelly is of concern. While no concrete numbers are available for this, the advances made by would-be hackers and attackers, mean that it is no longer necessary to be programmers or coders to ‘get into the game.’
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: “Security is not a product, but a process.”