SAN FRANCISCO -- Cybercrime trends point to an alarming increase in advanced social engineering techniques and customized, targeted document-based malware attacks in 2016, according to Sophos research.
James Lyne, head of global security research at U.K.-based Sophos Ltd., and an instructor with the SANS Institute, spoke about these cybercrime trends during a presentation at RSA Conference 2016 on Wednesday, and offered several warnings to enterprises about specific emerging threats. Lyne said Sophos' latest research showed tried and true attack methods and threats, such as drive-by downloads and phishing attacks, are as common as ever.
But Lyne also explained that cybercriminals today are moving to new, greener pastures, and are becoming much better at making money from stolen information. In fact, he said cybercriminals have built a mature underground economy on the Dark Web, which puts legitimate e-commerce efforts to shame. Specifically, Lyne offered the example of AlphaBay Market, a site on the Dark Web that allows cybercriminals to buy, sell and trade data. He showed how the site would automatically remove credit card numbers for sale when they get a couple days old, because by that time, the account number may have been already changed.
"They also factor the pricing [of the data] according to how many cybercriminals have bought it so far," Lyne said. "So, they have a little bit of a stock market going on the value of the data and the likelihood of you being able to use it for fraud purposes."
But there's more, Lyne said. When cybercriminals sign up for the site, they have to provide a PPG or GPG key to authenticate themselves. Lyne said Sophos researchers signed up for the site and purchased some data for testing purposes; within two seconds of purchase, they received an email with a PPG-encrypted Excel file, with all of the credit card account information.
"Frankly, it's one of the better online shopping experiences I've had in my life," he said. "Using PPG and GPG keys -- man, I wish we could get real retailers to do stuff like that. This is impression best practices."
However, Lyne warned that AlphaBay was offering more than just credit card numbers and email addresses. The most valuable information was credentials. For example, Lyne said cybercriminals can focus their search for something as specific as VPN access for a company in a designated region or vertical industry.
James Lynehead of global security research, Sophos
Even more distressing, according to Lyne, was the advancement Sophos researchers discovered in social engineering attacks. Lyne said at last year's RSA Conference, he delivered a presentation that showed a "slight uptick in quality" of social engineering attacks that had moved beyond stock scam emails regarding Nigerian princes, and instead employed more targeted, well-researched intelligence to fool targets.
"That trend is in absolute full brutal force [today]," Lyne said. "It's staggering how good some of the scams actually are."
For example, instead of sending scam emails to people offering tax refunds, which no longer have a high success rate, cybercriminals may send a résumé or CV file to an organization that has published job openings. And Lyne said even such emails with obvious misspellings or bad grammar still get clicked on by some users.
Document-based malware on the rise
The résumé and CV file attacks are particularly concerning, Lyne said, because of another cybercrime trend: document-based malware. "There [are] some interesting things occurring, [where] a small subsection of cybercriminals are focused on document-based malware," he said. "They are producing toolkits, just like we see from mainstream cybercriminals, that are specifically focused on [document] exploits."
In addition to customizing document-based malware, Lyne said, many cybercriminals are using this type of attack to purposefully limit the distribution of their document-based malware, and instead target just 2,000 or 3,000 people in a specific vertical or company. And document-based malware combined with more advanced social engineering techniques can make for a devastating attack, Lyne said. For instance, he said his favorite recent example was a document that was made to look like an encrypted file with confidential data.
"Isn't that clever -- using heightened awareness of security to actually get people to open something? If it's encrypted, it must be important, right?" Lyne said. "They've really upped their game with social engineering techniques."
Lyne said these cybercrime trends all add up to show an unsettling truth for enterprises: Attack methods are maturing, as is the underground economy around stolen data and credentials. "There are numerous things here that fly in the face of our usual expectations of how cybercrime works," he said. "Things like only focusing on 2,000 or 3,000 users, limiting distribution purposefully, custom crafting [of document-based malware] and use of excellence in social engineering."
Social engineering hacker publishes FBI records
Understand what data is valuable to prevent social engineering attacks
How pen testing can thwart social engineering threats