One of Tuesday's RSA sessions discussed cyber-crime trends for 2016. Sophos' Global Head of Security Research James Lyne investigated the level of sophistication among current cyber-criminals and discovered the following:
Some of them have a high degree of "professionalism"
On a site he found selling credit cards and other personal identity information on the Dark Web, the details were sold in a format similar to online stock markets. In addition, the price went down as more criminals purchased the information (which presumably makes it less valuable), and the information "expired" after enough time or purchases. Delivery was accomplished securely using HTTPS and PGP encryption (if only we could get legitimate businesses to do this). The site even had a reporting mechanism for bad sellers, and ratings and pricing estimations for the commodities being sold.
User expectations are not realistic
While the popular idea of spam is that it is hilariously inept, modern spam is more targeted to pique the recipient's interest and is better constructed. It thus has a higher rate of success. The use of exploits has shifted toward more sophisticated social engineering, and will likely continue to do so. Users have been trained to ignore warnings as false positives, and have problems unlearning outdated best practices.
Document-based malware is becoming more popular
Often these documents will purport to be information about a tax return, invoice, or resume. If the malware requires a macro to be run, the document will provide helpful, version-based instructions on how to enable macros (and to ignore the warnings, no, really, it's okay). The attackers also use logos of security companies and even RSA itself to give the impression that the document can be trusted.
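As an added illustration of how a defender can triage the kind of document described above (this is example code written for this summary, not anything from the talk or from Sophos), the script below inspects an OOXML file for an embedded VBA project and for lure text telling the reader to enable macros. It assumes the OOXML layout (a zip container holding word/vbaProject.bin); the sample document is constructed in memory.

```python
"""Added example: flag Office OOXML documents that carry a VBA macro project
together with lure text telling the reader to enable macros.
Assumes the OOXML layout (zip container); sample document constructed inline."""
import io
import re
import zipfile

# OOXML parts that hold VBA code; their presence means the file carries a macro project.
MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
# Lure phrases typical of "how to enable macros" instructions (constructed list).
LURE_PATTERNS = [
    re.compile(r"enable\s+(content|macros?|editing)", re.I),
    re.compile(r"ignore\s+(the|this)\s+warning", re.I),
]

def analyze_ooxml(data: bytes) -> dict:
    """Return findings for one OOXML document given as bytes."""
    findings = {"has_macros": False, "lure_phrases": [], "parts": [], "suspicious": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["error"] = "not an OOXML zip container"
        return findings
    with zf:
        names = set(zf.namelist())
        findings["parts"] = sorted(names & MACRO_PARTS)
        findings["has_macros"] = bool(findings["parts"])
        # Visible document text lives in XML parts; strip tags before matching lures.
        for name in names:
            if name.endswith(".xml"):
                text = re.sub(r"<[^>]+>", " ", zf.read(name).decode("utf-8", "ignore"))
                for pat in LURE_PATTERNS:
                    findings["lure_phrases"].extend(m.group(0) for m in pat.finditer(text))
    # Macros alone are common in business files; macros plus lure text is the red flag.
    findings["suspicious"] = findings["has_macros"] and bool(findings["lure_phrases"])
    return findings

def build_sample(with_macro: bool, body_text: str) -> bytes:
    """Construct a minimal OOXML-like zip in memory (sample data, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", f"<w:document><w:t>{body_text}</w:t></w:document>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    lure = build_sample(True, "Your invoice is protected. Enable Content to view it.")
    print(analyze_ooxml(lure))
```

Real lures also arrive as images of the instructions rather than text, so this text check is a first-pass filter, not a substitute for sandboxing or disabling macros from the internet by policy.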
Crime gangs without a high level of technical expertise are purchasing repackaged malware payloads and exploits
Exploits from 2012 and 2014 are still in circulation and being used because while people may patch their browsers and Java, many don't patch their versions of Office. The highly effective techniques and malware of more knowledgeable criminals are now available to gangs or individuals without specialized knowledge.
App malware and piracy can be very effective
An app called Happy Day English in the Apple Store will, if run from a geoID that indicates China, allow a wrapped app store to run inside the app that spoofs being a developer, giving the user access to free apps and apps not available in the Apple Store. It remained up for months because there is a high level of trust associated with new technologies.
He investigated 1002 apps; of those, 307 failed to use Transport Layer Security (TLS), a simple and effective protocol that ensures private communication. In these apps he found plaintext Twitter API keys, unsalted MD5 hashes (which are insecure), and other unencrypted personal information.
He concluded that we are entering into a period of innovation among cyber criminals, in a time when we are still falling victim to basic attacks, and companies are not using basic defense techniques.