A more connected world means more opportunities for individuals and businesses to communicate and make connections – and more opportunities for hackers to hijack computer resources for their own nefarious ends. In 2014, say three top security experts, expect more and more sophisticated attacks, as hackers take advantage of both smart home technology, and the increased concern and desperation among those seeking work.
As has been the case in recent years, say Andrei Dolkin, Yariv Lenczer, and Avishag Danieli – among the top experts at Israeli security company CyberArk – “social engineering” will remain a prime method for hackers to get control of users’ computers. Sophisticated attacks are already de rigueur for many users, as hackers send out links that look for all the world like the “real thing,” with messages from banks, on-line stores, “official” looking sites, or even friends and relatives.
Once clicked, though those links lead back to a web location where, once a user connects, they download a piece of malware that will give the hacker total and utter control over the hapless victim’s computer or device. Once in charge, hackers can enroll a victim computer – or, in most cases, their whole network – into a botnet system, the combined processing power of which is used to conduct hacking attacks against banks and government servers, to send out reams of spam, to steal credit card or other financial data, and so on.
Social engineering, say the experts, has proven to be one of the most important and useful arrows in the hackers’ quiver, because the victim “voluntarily” installs the malware onto a device – thus saving the hacker the trouble of having to get past anti-virus or other protective software. If some is good, more must be better – so, say the experts, expect more and more sophisticated social engineering attacks in the coming year.
One sad twist on the social engineering phenomenon, say the experts, is the vulnerability of the masses who have been out of work for months, or even longer. Following the advice of “how to get a job” gurus, many are using business-oriented networking sites like LinkedIn to connect with others, and spread the word that they are seeking work. But using social engineering tactics, hackers have already managed to infiltrate these groups and steal information, logins, and other data – which they promptly used to rip off victims, their families, and their LinkedIn connections.
In one case, say the experts, a hacker joined a closed LinkedIn group and claimed to have a high-level security clearance in a U.S. intelligence agency. Trusting the hacker, users in the group unveiled information that they should have kept private – and found that their credit cards and bank accounts had been compromised. Other hackers target employees of specific companies, building a network of LinkedIn of employees, and send out links to malware. In other cases, hackers have joined groups of LinkedIn users seeking jobs, and talked members into clicking on links that installed malware on their devices.
In response to press articles about the phenomenon, LinkedIn said that when it came to social engineering, there was little they could do. “We recommend members connect only with people that they know and trust,” a company spokesperson said. “All Internet users should of course be aware of the fact that there are bad guys out there who unfortunately resort to things like phishing attacks, and that people should use common sense and tools available to them to ensure that they don’t fall prey.”
A related social engineering trick hackers are using against the unemployed, said the experts, was targeting workers in industries and companies where cutbacks or layoffs have been announced. Capitalizing on the panic of the newly-unemployed – or those who fear they will be next – hackers distribute links to phony networking groups, support sites, headhunter sites, and even legal rights information sites. Needless to say, all those who fall for the trick find that their devices are “owned” by the hacker.
Another major trend, said the experts, will be the expansion of “cybercrime-as-a-service.” Similar to other one-stop web services, CAAS entails a customer trying to break into sites or databases of rivals – to gather information or for more destructive purposes – logging onto a cybercrime portal where they will be able to order the actions and activities they want. “Access to privileged accounts, we believe, will be one of the ‘hottest’ hacker products in the coming year,” said Dolkin. “We already saw this trend in 2013, in the case of the hacker Andrew James Miller, who used privileged accounts to get into numerous U.S. government sites.”
As if preying on the unemployed wasn’t enough, the CyberArk team said, homeowners who have set up “smart” devices” in their homes need to be concerned that they are protected as well. “Electricity meters, Smart TVs, smart air conditioners, and more are all Internet-connected now,” said Dolkin. These devices use the same connectivity technology as routers and modems – meaning that they have built-in passwords and user-logins.
Changing the password on a smart refrigerator (already a hot item in the Far East, these fridges can tell you when you are out of milk or have too many leftovers) is probably the last thing anyone would think of – but a smart appliance owner’s neglect or apathy is gold to a hacker. “It’s not just the refrigerator or an individual smart appliance that is at risk,” Dolkin added. “The entire house is networked, usually using the same router, so once a hacker is in, they can access other components of the network.”
Along with these “new” threats, said the team, the “same old” threats will still be with us – just more so. More small business will be targeted by hackers (they are easier to “hit,” said the team), more organized crime groups will get involved in the very lucrative business of cybercrime, and more people and businesses will fall victim to hack attacks. “Our best advice,” said Dolkin, “is to get educated, and of course, never click on a link you’re not sure about.”