FortiGuard Labs Perspectives
As companies continue to adjust to the ever-evolving new normal in 2021, there will undoubtedly be additional shifts in work environments, internet usage, and the general status quo. With this in mind, Fortinet’s FortiGuard Labs’ Derek Manky and Aamir Lakhani joined us virtually to provide insights into what types of attacks security researchers are seeing now and what they expect from the cyberthreat landscape this coming year.
Derek - The past few months were quite unique. Unlike typical shopping seasons, every day was Cyber Monday this past year. That continues to hold true. We’ve seen a steady pace toward online shopping. Some things we’re seeing are server-side attacks—mostly focused on shopping cart information. Obviously, by focusing on the shopping cart, attackers are going after credit card information. We’ve been saying that passwords are effectively dead, but credit card information still seems to be alive and well.
Aamir - What we started seeing in 2020, and what’s continued to grow, is what we call e-skimming attacks. Attackers go on legitimate websites, take over the shopping cart, inject their own code, and find vulnerabilities. Sometimes these are known vulnerabilities, and sometimes they’re not. It’s like a man-in-the-middle attack where they’re capturing credit card information and sending it back to their own domain. Then they usually sell it in bulk or use it for fraud.
Aamir - A traditional skimmer is basically a fake credit card reader that usually goes over normal credit card readers. When you put in a credit card, the fake credit card reader captures information, and then attackers use that to clone the cards. These physical skimmers are used in ATMs, bank systems, and at gas stations. In the past, attackers had to physically grab these systems and take them with them to retrieve their information. On the other hand, the new physical skimmers are Bluetooth-enabled, and they’re really popular. We’ve been seeing a lot of them sold on the Dark Net. All that the attackers need to do is install these skimmers, then just drive by the gas station or wherever they’ve set them up, turn on their laptop – or even just use a smartphone – download the information, and drive away. They don’t have to touch anything or risk getting caught. That gives them a lot of flexibility.
Derek - This is modern-day wardriving. Old school wardriving typically used Wi-Fi as a vector to get into networks and do passive monitoring for credentials and things like that. But this is a lower risk to the attacker because it’s quicker. In the older days of wardriving, it could look suspicious. It was the proverbial ‘someone sitting in a van or a car on their laptop outside of a house because it took some time to collect packets and do these things.’ But in this case, it can be in and out, and it can look like normal activity.
Derek - What we’ve seen kicking off this year with the vaccine rollouts are phishing attacks that offer bogus hope by claiming to provide cheap vaccines. There’s also the other side where we’re seeing attackers going after the medical providers themselves, trying to sell bulk vaccines. This is a type of supply chain attack. We saw that with personal protection equipment when that was sparse earlier last year due to COVID. Expect more of that as they try to piggyback and ride that wave.
Aamir - With COVID-19, attackers are using the opportunity to take advantage of emotions, which always seem to evolve alongside the news cycle. Right now, the COVID-19 vaccine is still very hard to get for a lot of people, even for a lot of medical providers and hospitals. Attackers are using the same techniques that they always have to create that sense of urgency. They’re saying things like, “You’re in a group that’s not going to get the vaccine until summer, but we can get it to you right now.” People want to click on it right away to secure their spot, but unfortunately, as soon as they click, they discover it was a fraud, and they’ve lost money.
Derek - Malware code is more flexible and able to reach further into the attack surface. One malware campaign can have a wide focus across different devices and platforms. Adrozek, for example, is a malware family that has been successful across multiple browsers and applications, and it has a big infrastructure. They’re controlling hundreds of thousands of domains. The malware itself does browser injection in order to seed malicious search results once that browser is infected. Once you load a malicious DLL extension, it’s essentially game over. What people don’t realize is that a lot of edge devices also have browsers.
Aamir - Exactly. Everything pretty much has a browser. Even if you’re not opening up an application and putting in a website’s address, browsers are needed for a device to receive communication and updates. Attackers are taking advantage of devices’ built-in browser code. People have gotten used to assuming that browsers are secure. They get updated automatically a lot of times. But browsers are essentially the new edge for a lot of people. Attacks don’t necessarily have to find vulnerabilities in the browser, but just the backend – how the browser processes things like searches, how it delivers an ad, or any other process that gives attackers an opportunity. Botnets allow attackers to create hundreds of thousands of drones that can attack a wide variety of machines, including Windows systems, Mac systems, Linux, edge devices, IoT devices, and so on.
Derek - I think we’ll continue to see the things we just mentioned, but as lockdown restrictions are lifted, we’ll see things that we didn’t really see last year but did see in years prior. They’ll just come in new variations. Phishing attacks will shift to target whatever is on the front of people’s minds. Later this year, it might be things like travel or restaurant promotions, for example.
Aamir - We’re definitely going to see an explosion of attacks on travel-related things later in the year. Everyone will want out. You’re going to get emails with special discounts on airfare, hotels, and vacation packages. There will be a lot of fraud in that because everyone’s going to be jumping. Everyone’s already jumping.