Digital extortion and business email scams will gain momentum in 2018: Trend Micro

Throughout the year in 2017, security has remained a priority for enterprises from all over the world. It will continue to remain so in the next year.

According to Trend Micro's Security Predictions for 2018, digital extortion will be at the core of most cybercriminals’ business model. Internet of things will emerge as a threat in the form of vulnerabilities in IoT devices that will expand the attack surface. The third big factor that will drive investments in security will come in the form of business email scams, machine learning and blockchain applications - promising both promises and pitfalls.

Companies will face the challenge of keeping up with the directives of the General Data Protection Regulation (GDPR) in time for its enforcement. Not only will enterprises be riddled with vulnerabilities, but loopholes in internal processes will also be abused for production sabotage. These are the threats that will make inroads in the 2018 landscape. Trend Micro has looked into the current and emerging threats, as well as the security approaches tailored for the  landscape. Read on to find out how to make informed decisions with regard to the security focus areas that will figure prominently in 2018.

1. The Ransomware business model will still be a cybercrime mainstay in 2018, while other forms of digital extortion will gain more ground

According to the report, ransomware is not going away anytime soon. On the contrary, it can only be anticipated to make further rounds in 2018, even as other types of digital extortion become more prevalent. Cybercriminals have been resorting to using compelling data as a weapon for coercing victims into paying up. With ransomwareas-a-service (RaaS) still being offered in underground forums, along with bitcoin as a secure method to collect ransom, cybercriminals are being all the more drawn to the business model.

2. Global losses from business email compromise scams will exceed USD 9 billion in 2018

With Business Process Compliance (BPC), cybercriminals learn the inner workings of the organization, particularly in the financial department, with the aim of modifying internal processes (possibly via corporate supply chain vulnerabilities) and hitting the mother lode. But given that it requires long-term planning and more work, BPC is less likely to make headlines in 2018, unlike the much simpler BEC.

3. Cyber propaganda campaigns will be refined using tried-and-tested techniques from past spam campaigns

Fake news and cyberpropaganda will press on because there has been no dependable way to detect or block manipulated content. Social media sites, most notably Google and Facebook, have already pledged a crackdown on bogus stories propagating across feeds and groups, but it has had little impact so far.

4. Threat actors will ride on machine learning and blockchain techniques to expand their evasion techniques

While machine learning definitely helps improve protection, we believe that it should not completely take over security mechanisms. It should be considered an additional security layer incorporated into an in-depth defense 

strategy, and not a silver bullet. Another emerging technology that is poised to reshape businesses and that we see being abused is the blockchain. Blockchain technology has generated a lot of buzz in the context of digital cryptocurrencies and as a form of no-fail security. 

5. Many companies will take definitive actions on the general data protection regulation only when the first high-profile lawsuit is filed

Companies waking up to the GDPR enforcement, therefore, will find the importance of having a dedicated data protection officer (DPO) who can spearhead data processing and monitoring. DPOs are particularly needed in

enterprises and industries that handle sensitive data. Companies will be required to review their data security strategy, including classifying the nature of data and distinguishing EU data from data associated with the rest

of the world. 

6. Enterprise applications and platforms will be at risk of manipulation and vulnerabilities

Enterprise systems will not be the only ones targeted; in 2018, we expect to continue to see security flaws in Adobe and Microsoft platforms.According to the Trend Micro report, we predict that in 2018, however, weaknesses in JavaScript engines will beset the modern browsers themselves. 

To tackle these trends and threats, Trend Micro recommends best practices and sustained protection for end-users:

• Change default passwords. Use unique and complex passwords for smart devices, especially for routers, to significantly reduce the possibility of attackers hacking into the devices

• Set up devices for security. Modify devices’ default settings to keep privacy in check and implement encryption to prevent unauthorized monitoring and use of data

• Apply timely patches. Update the firmware to its latest version (or enable the auto-update feature if available) to avoid unpatched vulnerabilities

• Deflect social engineering tactics. Always be mindful of emails received and sites visited as these can be used for spam, phishing, malware, and targeted attacks

The report highlights that enterprises and users are better positioned if protections in place are able to cover the entire threat life cycle with multiple security layers. From the email and web gateway to the endpoint, having a  connected threat defense ensures maximum protection against the constantly evolving threats of 2018 and beyond.