Sophos’ James Lyne warns that cybercriminals are becoming more effective, thanks to document-based malware and advanced social engineering techniques.
SAN FRANCISCO — Cybercrime trends point to an alarming increase in advanced social engineering techniques and customized, targeted document-based malware attacks in 2016, according to Sophos research.
James Lyne, head of global security research at Sophos and an instructor with the SANS Institute, spoke about these cybercrime trends during a presentation at RSA Conference 2016 Wednesday and offered several warnings to enterprises about specific emerging threats. Lyne said Sophos’ latest research shows tried and true attack methods and threats, such as drive-by downloads and phishing attacks, are as common as ever.
But Lyne also explained that cybercriminals today are moving to new, greener pastures and becoming much better at making money from stolen information. In fact, he said cybercriminals have built a mature underground economy on the dark Web that puts legitimate ecommerce efforts to shame. Specifically, Lyne offered the example of AlphaBay Market, a site on the dark Web that allows cybercriminals to buy, sell and trade data. He showed how the site would automatically remove credit card numbers for sale once they were a couple of days old, because by that time the account number may already have been changed.
“They also factor the pricing [of the data] according to how many cybercriminals have bought it so far,” Lyne said. “So they have a little bit of a stock market going on the value of the data and the likelihood of you being able to use it for fraud purposes.”
But there’s more, Lyne said. When cybercriminals sign up for the site, they have to provide a PGP or GPG key to authenticate themselves. Lyne said Sophos researchers signed up for the site and purchased some data for testing purposes; within two seconds of purchase, they received an email with a PGP-encrypted Excel file containing all of the credit card account information.
“Frankly, it’s one of the better online shopping experiences I’ve had in my life,” he said. “Using PGP and GPG keys – man, I wish we could get real retailers to do stuff like that. This is impressive best practices.”
However, Lyne warned that AlphaBay was offering more than just credit card numbers and email addresses. The most valuable information was credentials. For example, Lyne said that cybercriminals can focus their search for something as specific as VPN access for a company in a designated region or vertical industry.
Even more distressing, according to Lyne, was the advancement Sophos researchers discovered in social engineering attacks. Lyne said at last year’s RSA Conference, he delivered a presentation that showed a “slight uptick in quality” of social engineering attacks that had moved beyond stock scam emails regarding Nigerian princes and instead employed more targeted, well-researched intelligence to fool targets.
“That trend is in absolute full brutal force [today],” Lyne said. “It’s staggering how good some of the scams actually are.”
For example, instead of sending scam emails to people offering tax refunds, which no longer have a high success rate, cybercriminals may send a resume or CV file to an organization that has published job openings. And Lyne said that even such emails with obvious misspellings or bad grammar still get clicked on by some users.
Document-based malware on the rise
The resume and CV file attacks are particularly concerning, Lyne said, because of another cybercrime trend: document-based malware. “There’s some interesting things occurring [where] a small subsection of cybercriminals are focused on document-based malware,” he said. “They are producing toolkits, just like we see from mainstream cybercriminals, that are specifically focused on [document] exploits.”
In addition to customizing document-based malware, Lyne said, many cybercriminals are using this type of attack to purposefully limit the distribution of their document-based malware and instead target just two or three thousand people in a specific vertical or company. And document-based malware combined with more advanced social engineering techniques can make for a devastating attack, Lyne said. His favorite recent example, he said, was a document that was made to look like an encrypted file containing confidential data.
“Isn’t that clever—using heightened awareness of security to actually get people to open something? If it’s encrypted, it must be important, right?” Lyne said. “They’ve really upped their game with social engineering techniques.”
Lyne said these cybercrime trends all add up to show an unsettling truth for enterprises: that attack methods are maturing, as is the underground economy around stolen data and credentials. “There are numerous things here that fly in the face of our usual expectations of how cybercrime works,” he said. “Things like only focusing on two or three thousand users, limiting distribution purposefully, custom crafting [of document-based malware] and use of excellence in social engineering.”