As 2015 draws to a close, researchers from Proofpoint have analysed some of the key threats of 2015 and made predictions on what may lie ahead in 2016. Proofpoint believes that in 2016 cybercriminals will build on their 2015 successes by developing campaigns and exploiting vectors that target user willingness to click across email, social media and mobile applications.
“Next year we will see cybercriminals cast a wider net, move away from malicious document attachments and increasingly leverage emerging vectors such as mobile applications and social media platforms. Our six 2016 predictions all have one theme in common—cybercriminals are targeting the people behind devices and are looking to capitalize on their willingness to click,” said Kevin Epstein, VP of Threat Operations at Proofpoint.
- Threat actors trade custom malware for commodity tools. Over the last year the robust underground cybercrime economy has increasingly provided bad actors with off-the-shelf malware that features many of the qualities historically found only in custom malware: evasion of signature- and reputation-based defenses, resistance to analysis, stealthy data exfiltration, self-deletion and more. Proofpoint predicts that this trend will accelerate in 2016, with malware payloads and delivery techniques produced by commodity tools becoming the norm for all but the most highly targeted attacks, with serious consequences for most current approaches to actor identification.
- Advanced threats will cast a wider net. The advanced threats of 2015 generally spread by one of two main vectors: as email attachments, or dropped by exploit kits on users visiting sites with infected ad streams (malvertising), distributing ransomware among a variety of other payloads. In 2016, we will see a move to more broadly targeted advanced threat campaigns, building on a trend that began in the second half of 2015, such as when Proofpoint researchers observed attackers retooling the Dyre banking Trojan to target the credentials of shipping and distribution companies rather than its traditional financial and banking targets.
- Malicious document attachment campaigns retire by summer 2016. Proofpoint predicts that by mid-2016 the high-volume malicious document attachment campaigns will have disappeared almost entirely in the major markets (U.S., U.K., Europe). They will be replaced by a new type of high-volume campaign that combines effectiveness and scalability to target users. While it is too early to say with confidence what the new technique will be, recent trends suggest that it will include a return to some form of URL-based vector, with TDS (traffic distribution systems) and exploit kits providing robust filtering and delivery of payloads capable of resisting analysis.
- Social media takes a darker turn—watch out for fraudulent accounts and social mobs. In 2015, Proofpoint detected thousands of fraudulent social media accounts supporting malware distribution, knock-off product sales, pirated software and more. In 2016, this trend is expected to spread across all verticals that make use of social media, with the aim of stealing personal customer data or organizational financial data. Social mobs will also become a genuine risk for organizations, aggressively hijacking conversations in order to advance a short-lived cause, often to the detriment of the organization’s brand.
- Mobile apps will choose riskware over malware… mostly. Proofpoint predicts that in 2016 more malware will be discovered on official app stores. Malware will be increasingly targeted at enterprises, with malicious behaviour that activates only once inside a targeted enterprise and does not trigger when run by consumers or by app store vetting mechanisms. In 2016, mobile app attacks will also take advantage of the grey area around app behaviour and the lack of policing on third-party app marketplaces. As a result, there will be a proliferation of ‘riskware’ on the major app stores and of genuinely malicious apps within third-party marketplaces. These apps will target users, aiming to steal user information and user funds, both directly (as riskware and ransomware) and indirectly (by sniffing and exfiltrating user logins and banking credentials, capturing audio and video, and intercepting SMS).
- Businesses will be increasingly squeezed between the demands of data privacy and law enforcement. The momentum for data privacy and access will shift in 2016 to the side of law enforcement and intelligence agencies. Organizations will be increasingly caught between their need to demonstrate compliance with data privacy regulations and their obligation to satisfy law enforcement requests at the same time.