The one constant in the world of information technology is change. This is also true of the threats to the security of consumers’ devices and data. Although bad actors’ techniques change, their high-level goals have not:
- Steal and misuse victims’ personal information;
- Intimidate and extort resources from victims; and
- Control victims’ devices so they can be used as a tool for a grander exploit.
While there is much overlap between the security concerns for consumers and businesses, this post will look at these concerns from the consumer’s perspective.
Often, the security concerns below combine to impact a victim, rather than each being standalone. The more you do to protect yourself from any one of them, the lower the chance that you will be affected by some of the others.
Phishing is a technique that focuses the attack on what is often a system’s weakest link – the human! Both mobile and desktop operating systems are more secure today than in the past, so human fallibilities are often an easier target than system vulnerabilities (though that is no reason to stop applying system updates). Phishing is an example of social engineering: tricking a person into taking an action that will ultimately lead to a negative outcome for the victim. A report from FireEye states that 91% of cybercrime starts with email.
A phishing attack typically initiates contact with the victim via email or messaging, though it could also use a phone call. The victim will be encouraged to disclose some of their personal information or install malicious software on their system, such as by opening an infected PDF document. Disclosed personal information may be used by the attacker to commit identity theft. Malicious software could be used to do the same, or to use the victim’s computer as part of a larger network of devices (a ‘botnet’) to attack another target, such as a web site.
To protect yourself from being phished, maintain a healthy level of suspicion when you receive unsolicited email, instant messages or phone calls. Do not disclose personal information or open suspicious attachments on your devices. If in doubt, delete the suspicious message or hang up the phone. A pseudonymous email account could make it considerably more difficult for phishers to connect your email activities to your actual identity, which is a big part of most phishing attacks.
Ransomware is malicious software that denies victims access to their data, possibly by encrypting the data until a ransom is paid. The ransom might have to be paid in a cryptocurrency such as bitcoin to make it more difficult to trace the criminal who receives the payment.
Ransomware usually affects desktop computers running Microsoft Windows or macOS operating systems. It typically spreads through phishing, so limiting your exposure to being phished is the best form of prevention. Endpoint security software may detect and block some ransomware.
If you are the victim of ransomware, paying the ransom is usually not advised, as it encourages the criminal to raise the ransom or attack you again after the ransom is paid. Backups of your data can help you recover if you need to re-install your systems. You should check your backups regularly, whether you choose to store your backups on removable storage media, your home network or a cloud storage service.
Read more: https://www.us-cert.gov/Ransomware
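One way to carry out the regular backup check recommended above, as an added example that is not part of the original post: record a SHA-256 manifest when the backup is made, then compare the backup copy against it later. The function names and the sample files are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(manifest: dict, backup_root: Path) -> dict:
    """Compare a backup copy with the manifest recorded at backup time."""
    current = build_manifest(backup_root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(n for n in manifest
                          if n in current and current[n] != manifest[n]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def run_demo() -> dict:
    """Constructed sample: back up two files, then damage the backup copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp, "documents"), Path(tmp, "backup")
        (src / "photos").mkdir(parents=True)
        (src / "taxes.txt").write_text("constructed sample\n")
        (src / "photos" / "cat.jpg").write_bytes(b"constructed sample bytes")
        manifest = build_manifest(src)   # keep this apart from the backup
        shutil.copytree(src, bak)
        (bak / "taxes.txt").write_bytes(b"\x00unreadable")  # simulated damage
        (bak / "photos" / "cat.jpg").unlink()               # simulated loss
        return verify_backup(manifest, bak)


if __name__ == "__main__":
    for kind, names in run_demo().items():
        print(f"{kind}: {names or 'none'}")
```

Store the manifest somewhere other than the backup itself, so that damage to the backup cannot also alter the record it is checked against.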
Cryptojacking uses the computing power of a victim’s device to mine cryptocurrency for the financial benefit of the attacker. Cryptojacking is unlikely to steal a victim’s personal information. Instead, the victim’s computer is a tool that the attacker uses. The occurrence of cryptojacking can vary according to the value of major cryptocurrencies.
A victim’s computer might be cryptojacked because the victim inadvertently installed malicious software attached to a phishing email, or it may be that a legitimate web site has become compromised, completely beyond the victim’s control. A victim may suspect that their device has been cryptojacked if their computer runs more slowly or noisily. A victim may notice this change after recently installing software or accessing a suspicious web site.
Follow the recommendations above regarding protecting against being phished. In addition, endpoint security software that protects against malware may detect or block access to web sites known to contain cryptojacking software.
Formjacking is an emerging threat used to steal user information from web applications. Formjacking is conceptually similar to skimming payment cards at ATMs and gas pumps. An attacker exploits a vulnerability in a web site’s code or operating environment to inject malicious code to exfiltrate the data a victim enters into the web site’s forms, e.g. payment information or personal data. From there, the attackers can use the information to steal a user’s identity, make unauthorized payments or perform other fraudulent activities depending on what data is obtained from the web forms.
Formjacking is difficult for a victim to detect. The vulnerable web site is the web site they are used to accessing – same hostname, same use of HTTPS, same authentication method. The user’s original transaction on the web site proceeds as normal, so victims may only become aware of an issue many days or weeks later, when their stolen information is used by the attacker.
Endpoint security software that protects against malware may detect or block access to web sites known to contain formjacking software.
Vulnerable IoT Devices
Internet-of-Things (IoT) refers to the collection of Internet connected devices such as home automation and monitoring, Internet connected toys, TVs and other devices that aren’t general purpose computers. These devices are often developed with minimal regard for security and privacy in the rush to get their cool products in the hands of consumers.
IoT devices are often vulnerable from the moment they are manufactured. It may not be obvious or easy for the consumer to secure the device. Once installed in a consumer’s home and configured on their WiFi network, vulnerable devices that are contactable from the Internet could be exploited by already infected devices, via their weak (often default) configurations. Another method of infection could be from malware delivered via email and inadvertently executed by the consumer. Once infected, devices could infect other devices or become part of a global fleet of bots to attack other systems. Mirai is an example of malware that works in this way.
While it could be helpful for governments to regulate for more secure IoT devices, that is not in place today. To protect their devices, a consumer can do the following:
- Minimize the IoT devices in your home as much as possible. For example, if you have a Smart TV but never use the connected features, why connect the TV to your WiFi network?
- Follow the advice above to protect yourself from being phished.
- For IoT devices that you will connect to your WiFi network, check the manufacturer’s documentation for how to harden the configuration: changing default usernames and passwords, disabling or limiting remote access to the devices, reducing how much personal information is associated with the device and periodically updating your device’s software.