By Michael D. White, author and freelance writer
Over the past year, the internet has attracted an increasingly disconcerting number of predatory cybercriminals, who, like sharks to chum, are irresistibly drawn to unwary prey and the escalating dependence of businesses of every size and description on the necessity of sharing and storing critical information online.
Like the number of cybercriminals, the number of potential victims is increasing at an exponential rate.
The number of connected Internet of Things (IoT) devices worldwide will jump 12 percent on average annually, from nearly 27 billion in 2017 to 125 billion in 2030, according to London-based cybersecurity consultancy IHS Markit.
The IoT, it says, “is revolutionizing the competitive landscape by transforming everyday business practices and opening new windows of opportunity” with global data transmissions expected to increase from 20 to 25 percent annually to 50 percent per year, on average, in the next 15 years.
This past year, fueled by the increasing dependence on technology to handle the staggering volume of critical data, the contested presidential election, and the online landscape impacted by the COVID-19 pandemic, cyber thieves have been armed “with the fodder and bait to create some of the largest spikes in online scams, misinformation, and ‘phishing’ we’ve ever seen,” according to California-based fraud prevention company Bolster.
In November, the company released an informative report—the Q2 and Q3 2020 State of Phishing and Online Fraud Report. The report was the result of Bolster’s audit of more than one billion websites to determine what techniques, particularly phishing and online fraud, is affecting enterprises, small- and medium-sized businesses, non-profits, and the online consumer community.
According to Phishing.com, phishing is a cybercrime “in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.”
Phishing is nothing new. The first ‘phishing expedition’ began in the mid-1990s when the first generation of cybercriminals sought access to the data provided by individuals wanting to utilize AOL’s instant messenger and email systems. They devised methods to pose as AOL administrators to gain credit card and bank account information from unwary customers.
It wasn’t until 2004 that the first phishing lawsuit was filed. A case was brought against a California teenager who had created a sophisticated online replica of AOL’s site, which gave him the ability to gain sensitive information from users.
“Today,” says Bolster, “there are more than four million suspicious pages live on the worldwide web. And the number is growing.”
“The Internet is full of fraud and theft, and cybercriminals are operating in the open with impunity, violating copyrights, misrepresenting brands and advocating deceit overtly,” according to the audit.
Perhaps surprisingly though, the audit found that cybercriminals “are not lurking in the shadows of the dark net, instead they are using mainstream ISPs, hosting companies and free Internet services – the same that are used by legitimate businesses every day.”
During the second quarter of 2020, there was “an alarming, rapid increase of new phishing and fraudulent sites being created, detecting 1.7 million phishing and scam websites”—a 13.3 percent increase over the first quarter total. The increase, it found, continued to climb in Q2 and peaked in June 2020 with a total of 745,000 sites detected with, on average, an astounding 18,000-plus questionable sites created every day.
The most active phishing scammers, the company says, are using free emails accounts from trusted providers including Google with its free mail service, accounting for more than 45 percent of email addresses. Moscow, Russia-based Yandex was the second most popular email service with 7.3 percent, followed by Yahoo! with 4.0 percent.
In 2020, alone, Google has said that it has blocked more than 11,000 foreign government-sponsored potential cyber-attacks per quarter. The attacks have primarily targeted “critical infrastructure, such as ports and terminals and oil and gas installations hit by cyber-attacks and ransom ware campaigns.”
Bolster’s data revealed that, from January to September 2020, the top 10 global web hosting brands are home to 44,000 new phishing and fraudulent websites with approximately 4,000 new phishing and fraudulent websites created from these 10 brands alone.
“September saw a near tripling in volume with more than 15,000 new phishing and fraudulent website being created for these top brands, with Microsoft, Apple and PayPal topping the list,” the company said. “We anticipate the number of phishing and fraudulent activity to continue to rise,” said Shashi Prakash, co-founder and Chief Technical Officer at Bolster.
“Criminals,” he said, “are sharpening their knives of deception, planning new and creative ways to take advantage of businesses and consumers. Companies must be vigilant, arming their teams with the technology needed to continuously discover and take down these fraudulent sites before an attack takes place.”
The $$$ Cost
The number of cyber insurance claims has steadily risen over the last few years, up from 77 in 2016, to 809 in 2019. In 2020, there were 770 claims in the first nine months of the year.
That steep increase in claims has been driven, in part, “by the growth of the global cyber insurance market which is currently estimated to be worth $7 billion,” according to Munich Re, the German provider of reinsurance, primary insurance and insurance-related risk solutions.
A recent report released by the company highlighted a 70 percent-plus increase in the average cost of a cybercrime to a business or organization over five years to $13 million and a 60 percent-plus increase in the average number of security breaches.
Losses resulting from external incidents, such as DDoS attacks that flood data systems or phishing and malware/ransomware campaigns, account for 85 percent of the value of claims analyzed according to the report, followed by malicious internal actions (nine percent) – which are infrequent, but, said Munich Re, “can be costly.”
Accidental internal incidents, such as employee errors while undertaking daily responsibilities, IT or platform outages, systems and software migration problems or loss of data, account for 54 percent of cyber claims analyzed by number but, often, the financial impact of these is limited compared with cyber crime.
However, losses can quickly escalate in the case of more serious incidents.
The examples of companies, both in the U.S. and abroad, that have been impacted by what seems a wave-after-wave of never-ending cyber attacks are legion as they struggle to keep up in a game of high-tech whack-a-mole having to protect—and sometimes rebuild— their businesses, their hard-won client bases, and their personal and corporate reputations from those who would do them harm.
In November 2020, for example, Reuters reported that Home Depot Inc, the largest U.S. home improvement retailer, had reached a $17.5 million settlement to resolve a multistate probe into a massive 2014 data breach that gave hackers access to the payment card data of more than 40 million customers.
The settlement with 46 states and Washington, D.C., the news agency said, “stemmed from a breach between April 10, 2014, and September 13, 2014, affecting customers who used self-checkout terminals at its U.S. and Canadian stores.”
Hackers reportedly used a vendor’s user name and password to infiltrate Home Depot’s network, and deployed custom-built malware to access customers’ payment card information. The Atlanta-based retailer previously said at least 52 million people also had their email addresses exposed, partially overlapping those whose payment card data was compromised.
Home Depot did not admit liability in agreeing to the settlement, which requires that it hire a chief information security officer, and upgrade its security procedures and training.
Companies that collect sensitive personal information from customers “have an obligation to protect that information from unlawful use or disclosure. Home Depot failed to take those precautions,” said William Tong, attorney general of Connecticut, which, along with Texas and Illinois, led the probe into the data breach.
On the positive side, the details of one recent phishing attack that crossed international boundaries came to light when the FBI and local police authorities in Houston, Texas arrested the mastermind behind a million-dollar cyber-scam involving the sale of an airplane in Australia.
The arrest came as the result of a Business Email Compromise (BEC) attack—a type of scam targeting companies that conduct wire transfers and have suppliers abroad—that interfered with digital communications between a firm in New Zealand purchasing an aircraft and the Australian company that was selling it for more than $1 million.
By infiltrating the emails of the two companies, Texas-based cyber-scammers managed to replace the seller’s bank routing information with details of their own bank accounts in Houston, Texas. As a result the attackers were able to re-route $928,000, unrecovered to date, paid in two separate transactions into their own separate bank accounts.
The investigation capped a two-year international criminal investigation that has already resulted in several additional arrests and prosecutions. The individual at the center of the web of deceit has been charged with first-degree felony of conspiring to engage in organized criminal activity—specifically money laundering of $300,000 or more—and, if found guilty, could face as many as 99 years in prison.
More Than Phishing
While email-baited phishing is, far and away, the most common form of cyber attack, it isn’t the only weapon in the cybercriminals arsenal.
Demonstrating the agility of cybercriminals to never let a crisis ‘go to waste,’ the COVID-19 pandemic proved to be the impetus for a new wave of illegal activity demonstrated by the creation of more than a quarter-million malicious websites offering the unwary deals on everything from N95 facemasks, bogus coronavirus cures, and federal and state stimulus checks.
During the last quarter of 2020, for example, malicious websites feeding off the anxiety generated by the pandemic increased by 22 percent over the preceding two quarters of the year.
With state and local ‘lock down’ mandates in effect across the country and with brick-and-mortar businesses closed or operating under heavy restrictions, the amount of retail business conducted on line has skyrocketed over the past year.
The global leader in online retail sales, Amazon, has been a prime target with, in last September alone, a 250 percent increase of fraudulent websites using the Amazon brand that zeroed in on harvesting data from payment confirmations, returns and cancellations, and free merchandise for participating in customer satisfaction and product surveys.
On a much grander scale, in November, the cyber-security firm Prevailion Inc. released a statement that a Russia-based ransomware group responsible for a new wave of attacks against U.S. hospitals is laying the groundwork to cripple at least ten more medical facilities in the U.S.
According to the Insurance Journal, Prevailion’s analysis came soon after the FBI and two other federal agencies “issued a warning about an imminent and credible threat to hospitals and health-care providers from cyber attacks, including ransomware capable of locking entire computer networks.”
The hacking group responsible for the planned cyber attack is known among some experts as UNC1878 and others as Wizard Spider and “has already hit at least nine hospitals in three weeks, crippling critical computer systems and demanding multimillion-dollar ransoms.”
The healthcare attacks have been ongoing since at least September, according to the cyber-security firm Crowdstrike. The victims included a medical center in Oregon, where doctors were forced to go ‘old school’ and keep track of patient medications and other critical information on paper rather than the digital systems they’ve come to rely on.
Reacting to the FBI’s alert, the New York Times wrote, “Cyberattacks on America’s health systems have become their own kind of pandemic over the past year as Russian cybercriminals have shut down clinical trials and treatment studies for the coronavirus vaccine and cut off hospitals’ access to patient records, demanding multimillion-dollar ransoms for their return.”
Be Aware And Prepare
Companies and individuals should prepare for a trio of new potential modes of cyberattack over the coming year, according to web security website TechHQ.
The first is web-skimming, or magecart: An attack where malware infects online checkout pages to steal payment and personal information of shoppers. “It’s a common type of attack in eCommerce and is attributed to 7 to 12 attack groups, who are behind the theft of millions of online shoppers’ credit card information. There have been an average of 425 Magecart incidents per month in 2020.”
Second, according to TechHQ, is penetrating the communications networks connecting the third-party vendors that support online sales, manufacturing operations, or other multi-level business activities.
“Cybercriminals often target third parties because they’re the weak links in the supply chain. On average, eCommerce sites use 40 to 60 third-party tools and intend to add three to five new third-party technologies each year, amplifying the risks. Outdated or fake plugins also add to the risk package. When used on companies’ websites, these compromised plugins can lead to the spread of malware.”
Third are breaches of widely-used and readily accessible open-source software which utilize codes that anyone can view, modify, or enhance.
“Open-source software is popular because it is often free to use or can be modified to suit the individual needs of a business. But this popularity means that any vulnerabilities found in the code can be a massive problem across a huge number of websites,” says Juta Gurinaviciute, chief technology officer at NordVPN Teams, a Panama-based web security consultancy.
“Add the changes COVID-19 has brought,” he says, “and the problem has intensified even more. Companies should really start making technical improvements to their websites fast if they want to avoid a potentially catastrophic breach. If they continue using unpatched, open-source software with vulnerabilities, they’ll leave themselves open to attacks.”
What To Do…
E-commerce security is never a done deal. It is, in effect, a never-ending work in progress as cyber threats and hacking methodologies are evolving at an alarming rate. As a result, maintaining awareness and a security-focused mindset is a key to maintaining security.
“The increase in remote working due to the global pandemic has only amplified the risks businesses face from these threats, making the need for effective cyber-resilience essential,” said Joshua Douglas, vice-president of threat intelligence at Mimecast.
According to the Denver, Colorado-headquartered Identity Defined Security Alliance (IDSA), only 34 percent of companies with a “forward-thinking security culture” experienced an identity-related breach in the past year—far fewer than the 59 percent of companies with a culture characterized as “reactive.”
Forward-thinking companies, the IDSA says, “are defined as those that use an identity-centric security approach to reduce the risk of a breach or failed audit. The case for joining the ranks of these companies is clear: changes to network infrastructure and the perimeter in the form of cloud adoption, the use of mobile technologies, and an increasingly remote workforce have dramatically broadened the attack surface enterprises need to protect and been accompanied by a rise in credential theft.”
And How To Do It…
How to attack potential breaches of cybersecurity and be “forward-thinking,” rather than “reactive”?
Harsh as it may seem, says data security website, TechHQ, “it is essential to enforce zero-trust solutions that restrict third parties to information the website has authorized them to access while blocking access to consumers’ private and payment information, also known as least privilege.”
It is also imperative to detect the vulnerabilities within existing systems by conducting internal security assessments to identify serious security risks and uncover possible vulnerabilities in databases, hosts, and network architecture.
Implement firewalls—including web application firewalls—that assure connections are secure and passwords are strong, employ multi-factor authentication, apply intrusion detection systems, and constantly monitor and update web platforms.
In short, a preventative, proactive rather than reactive approach is essential to the successful security of healthcare data, while, at the same time, it is absolutely critical that everyone throughout the entire life cycle of the data be made aware of their essential role in guarding that data from pillage by cyber intruders.
This means organizations must apply a layered approach to cybersecurity, one that consists of attack prevention, security awareness training, roaming web security tied to email efficacy, brand exploitation protection, threat remediation and business continuity.”
Bio: Michael D. White is a published author with four non-fiction books and well more than 1,700 by-lined articles on international transportation and trade to his credit.
During his 35 year career as a journalist, White has served in positions from contributor and reporter to managing editor for a number of publications including Global Trade Magazine, the Los Angeles Daily Commercial News, Pacific Shipper, the Los Angeles Business Journal, International Business Magazine, the Long Beach Press-Telegram, Los Angeles Daily News, Pacific Traffic Magazine, and World Trade Magazine.
He has also served as editor of the CalTrade Report and Pacific Coast Trade websites, North America Public and Media Relations Manager for Mitsui O.S.K. Lines, and as a consultant to Pace University’s World Trade Institute and the Austrian Trade Commission.
A veteran of the United States Coast Guard, White has traveled in both Japan and China, and earned a degree in journalism from California State University and a Certificate in International Business from the Japanese Ministry of Trade & Industry’s International Institute for Studies & Training in Tokyo.