2021 security year review and our predictions of the things we think will be at the forefront of cybersecurity this year.
Earlier this year we made a number of predictions about the things we thought would be at the forefront of cybersecurity.
When iframes were first employed in the CDE for card processing, many people assumed they wouldn’t have to do anything else for security. We predicted that we were going to see some problems with this and, as it turns out, we really have.
It’s important to remember that payment iframes are simply an HTML element on a page. No matter how well you secure the data inside of that iframe, if you don't secure the access around it, it still gives the attackers an opportunity to steal data. What we've seen this year is an increasing number of cases where the attackers had some access to the environment where the iframe was housed.
In particular, hackers were able to change the iframe's origin. From outward appearances the iframe looked like it was still operating correctly, but if you examined it more closely you saw that it was no longer being hosted on the processor's side; it was actually being hosted on the merchant's own site, which gave the attackers the ability to capture the card data before it ever reached the iframe.
We have seen an increase in that tactic this year. Until we can get the message out about the importance of addressing the security outside of the iframe, it's going to continue to be a problem. Changes in technology make our lives easier, but they present new problems as well.
This prediction was almost a cheat because with COVID-19, companies, churches, and organizations moved to virtual meetings. It really wasn't a stretch of the imagination to say we were going to start seeing virtual meetings get compromised. We haven't seen a lot of that impacting credit card processing or anything along those lines, but we have seen it in other ways. For example, a minister may be holding a virtual church service when suddenly a pornographic site takes over the audio.
However, the potential for bigger problems still exists. With businesses holding virtual meetings, it’s important to pay attention to simple things like who is on your call. If you see a lot of foreign phone numbers that you don't recognize, you might want to assume those are not employees of your company and that your security may be compromised.
Even though vendors like Zoom and Microsoft Teams have done a good job trying to minimize some of the damage from people randomly joining calls and listening in on sensitive content from a company or taking over your meeting, Zoom bombing attacks still occur frequently. And while they can be morbidly entertaining, these online meeting bombs do pose a security risk, so they shouldn’t be ignored.
I think we've all gotten emails with a link we're supposed to click on that looks legitimate, but the domain's spelling is one character off. Now there's something even trickier, called obfuscation. This is when the attacker creates their own website to mimic a legitimate website, and the URL that guides a user to it looks almost identical to the actual URL. For example, if a hacker wanted to do this with Costco’s website, they might replace the o’s with zeros, so that, at a glance, the user might not recognize the difference between the two URLs.
Hackers are getting even better at these attacks because they have figured out that they can use Unicode characters in their URLs, which can make the two URLs look truly identical. A Latin letter “I” and a look-alike character from another Unicode script render the same on screen, but the computer treats them as different characters. That one character alone is enough to send a user to an illegitimate website.
We’ve seen improvements with EMV chip cards, but we’ve also seen advances in physical skimming. Chip cards did revolutionize things here in the United States. Prior to the EMV chip on your card, about 80% of the investigations we were performing were in card-present environments: hotels, restaurants, hardware stores, etc. With the widespread implementation of EMV, that number dropped to 22%. Around 15% of our cases were point-of-sale related.
Physical skimming is no longer as widespread, and the technology required for it is more sophisticated. However, some attackers have developed skimmers as thin as a piece of tape; inserted into a device such as a gas pump, they are very difficult to detect. Attackers no longer have to get inside the device like they used to.
One of the problems with older skimmers was that attackers had to get power to them, so the skimmer had to be inside the pump, inside the cash register, or under the store counter. These newly developed skimmers instead draw their power from the small electrical pulse that the chip itself produces when the card is inserted. That is enough energy to power the skimmer and capture the card.
So again, even with all the security advances we have, attackers never stop working. When the industry rolls out a new technology, the attackers have seemingly unlimited time and energy to figure out a way to attack it. That's what we've seen with these wafer-thin skimming devices that have been found in some terminals and devices.
So with EMV, we predicted that ecommerce would get more attention from hackers. Right now 85% of our cases are ecommerce attacks. It was around 2017 when Magecart attacks first appeared on the radar. These are cases where attackers inject malicious JavaScript into the shopping cart process to capture the card. What makes them especially effective is that they don't need server access to the system; they can do it from the public-facing side.
Card processing used to be an extremely secure environment because the only thing occurring was the actual processing and communication between the device and the processing elements. Now there is a lot more going on in the shopping cart process. Third parties run data analytics on the shopping cart, and there is malvertising, which is when you're on a site making a purchase and see advertisements in the margins. All these pieces of code that are coming in are often from third parties, which has given attackers numerous opportunities to breach a site.
This is one of the ways we first stumbled onto third party skimming. A few years ago we were analyzing a site that credit card brands were confident had been breached. However, in their PCI investigation the investigator didn't find anything. They ended up employing us to do a second PCI investigation and we didn't initially find anything either. We continued to test the site by running transactions in a kind of live environment and we eventually found how the data was captured.
It turned out there was a malicious ad. This ad would only appear every 3-4 days on the site, and when it was present, it was capturing credit card data. This was brilliant on the part of the hacker because it made the malware so difficult to detect. Common antivirus or file integrity monitoring isn't going to detect it; you actually have to run checks and dig very deep during the checkout process. This is why we developed Shopping Cart Monitor, a service that detects e-skimming and malicious JavaScript.
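The two checkout-page problems described above (a payment iframe that has been re-pointed at the merchant's own site, and a third-party script that only shows up every few days) can both be caught by the same kind of audit: inventory the iframes and scripts on the checkout page, compare them with an expected-origin policy, and diff against the previous audit. The following is an added example, not code from the original post or from Shopping Cart Monitor; every origin in it is constructed.

```javascript
// Added example (not code from the original post or from Shopping Cart Monitor):
// audit a checkout page's iframes and scripts against an expected-origin policy
// and against the previous audit's baseline. All origins here are constructed.
const POLICY = {
  pageOrigin: "https://shop.example",                  // the merchant's own site
  paymentFrameOrigin: "https://pay.processor.example", // where the payment iframe must load from
  allowedScriptOrigins: new Set(["https://shop.example", "https://pay.processor.example",
    "https://cdn.analytics.example"]),
};

// Resolve relative src values against the page, then keep only the origin.
const originOf = (src, policy) => new URL(src, policy.pageOrigin).origin;

// resources: [{ kind: "iframe" | "script", src, label? }] captured from the DOM.
// baseline: Set of "<kind> <origin>" keys recorded by the previous audit.
function auditCheckout(resources, baseline, policy = POLICY) {
  const findings = [];
  const seen = new Set();
  for (const r of resources) {
    const o = originOf(r.src, policy);
    const key = `${r.kind} ${o}`;
    seen.add(key);
    if (r.kind === "iframe" && r.label === "payment" && o !== policy.paymentFrameOrigin) {
      // The iframe still renders, but the card form is now served by the merchant host.
      findings.push({ severity: "critical", resource: r.src,
        reason: `payment iframe served from ${o}, expected ${policy.paymentFrameOrigin}` });
    } else if (r.kind === "script" && !policy.allowedScriptOrigins.has(o)) {
      findings.push({ severity: "high", resource: r.src, reason: `script from unapproved origin ${o}` });
    } else if (!baseline.has(key)) {
      // Approved origin, but not present last time: worth a human look.
      findings.push({ severity: "info", resource: r.src, reason: `new since last audit: ${key}` });
    }
  }
  return { findings, baseline: seen }; // the caller stores `baseline` for the next run
}

// Constructed snapshot: the payment iframe now loads from a path on the merchant
// site itself, and an ad script from an unknown origin has appeared.
const SNAPSHOT = [
  { kind: "script", src: "/js/cart.js" },
  { kind: "script", src: "https://cdn.analytics.example/tag.js" },
  { kind: "script", src: "https://ads.unknown-network.example/serve.js" },
  { kind: "iframe", src: "/pay/frame.html", label: "payment" },
];
const BASELINE = new Set(["script https://shop.example", "script https://cdn.analytics.example",
  "iframe https://pay.processor.example"]);
console.log(auditCheckout(SNAPSHOT, BASELINE).findings);
```

Because the audit is run repeatedly and diffed against its own last result, a script that is only injected every few days shows up the first time it appears, which a one-off scan would miss.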
Ransomware has become an especially vicious attack method for a couple of reasons. First, it’s becoming more accessible to the average person. When ransomware first became a threat in the cyberworld, it required a higher level of technical skills. But now, there are companies that create ransomware and malware and sell it so that people with relatively low technical abilities can use it.
The second problem we see is that if companies pay the ransom, oftentimes the credentials that the bad guys provide them with don’t actually work. Then the companies still don’t have access to their data and they are out a significant amount of money.
The third main issue we see with ransomware is that when companies choose not to pay the ransom and instead rely on their backups, their backups are usually not sufficient or they weren’t properly protected so their backups can also be infected with the ransomware. For this reason we always highly recommend ensuring that you have a sufficient backup that is properly protected so that if you do get hit with ransomware, you won’t need to pay the ransom and your backups will be effective. This type of planning and preparing can save your business.
This year has been absolutely nuts with the number of breaches and vulnerabilities that flooded the news. We ended the year with the Log4j vulnerability, but the year’s biggest breaches included some very big names. Supply chain attacks and third-party compromises were very popular in 2021. We all heard the news featuring names like SolarWinds, Colonial Pipeline, Robinhood, Twitch, and Park Mobile, as well as the data scraping breaches that hit Facebook and LinkedIn.
Threat actors have increasingly turned to Ransomware as a Service (RaaS) operations to increase the speed and efficiency with which they can attack. They will continue using these services to go after companies and businesses of all shapes and sizes.
In our Threat Intelligence Center, we discovered countless threat actors using more than 150 different attack vectors to target our clients beyond just ransomware. On behalf of our clients, we proudly stopped cyber attacks from well over 70 different countries in 2021. It was an exhausting but rewarding year to be a cybersecurity professional when you calculate the volume of bad guys our SecurityMetrics Threat Intelligence Center prevented from hurting businesses, employees, and their customers.
If I were in your shoes, my efforts would focus around some critical areas. Always do what is best for the business, however keep an eye on threat actor trends.
In the past year, we have seen an uptick in brute force and password spray attacks targeting SMBs. One of the best ways to combat these attacks is ensuring you're using the latest industry best practices for passwords. For example, implementing multi-factor authentication, password managers, and even a zero trust strategy goes a long way towards helping your business become more secure. Employees should be encouraged to never use their work passwords in their home environment. You may want to consider updating your password policies and reviewing them with all employees, including contractors. Good cyber hygiene is everyone’s responsibility, protecting both the business and its customers.
The SecurityMetrics Threat Intelligence Center has seen very creative and sophisticated forms of social engineering this past year. The variety of phishing attacks targeting SMBs is surreal. We have seen everything from vishing attacks that impersonate CEOs' voices to email scams that claim your business violated the Digital Millennium Copyright Act and must pay a fine. The increase in malicious macros hidden inside documents and spreadsheets makes them very challenging for employees to spot with their eyes.
Our threat analysts recommend all businesses focus their efforts on continual monthly or quarterly security training and awareness. The SecurityMetrics Threat Intelligence Center hosts a bi-weekly threat briefing on our YouTube channel that showcases the newest social engineering threats.
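The brute force and password spray attacks mentioned above leave different shapes in authentication logs, which is what makes them detectable. The block below is an added example, not code from the original post: it classifies each source address in a batch of logon records, using constructed log lines in a simple "timestamp source user result" form (a real source such as Windows event 4625 or a VPN or IdP log would need its own parser in place of parseLine).

```javascript
// Added example (not from the original post): separate a password spray from a
// classic brute force by the shape each leaves. Brute force = one account, many
// attempts from one source; spray = many accounts, one or two attempts each,
// from one source. Log lines below are constructed for the example.
const LOG = [
  "2021-11-03T08:00:01Z 203.0.113.9 alice FAIL",
  "2021-11-03T08:00:02Z 203.0.113.9 bob FAIL",
  "2021-11-03T08:00:03Z 203.0.113.9 carol FAIL",
  "2021-11-03T08:00:04Z 203.0.113.9 dave FAIL",
  "2021-11-03T08:00:05Z 203.0.113.9 erin FAIL",
  "2021-11-03T08:00:06Z 203.0.113.9 heidi SUCCESS",  // one sprayed password worked
  "2021-11-03T08:01:00Z 198.51.100.7 bob FAIL",
  "2021-11-03T08:01:01Z 198.51.100.7 bob FAIL",
  "2021-11-03T08:01:02Z 198.51.100.7 bob FAIL",
  "2021-11-03T08:01:03Z 198.51.100.7 bob FAIL",
  "2021-11-03T08:01:04Z 198.51.100.7 bob FAIL",
  "2021-11-03T08:02:00Z 192.0.2.5 alice FAIL",       // ordinary typo, then success
  "2021-11-03T08:02:30Z 192.0.2.5 alice SUCCESS",
];

function parseLine(line) {
  const [ts, src, user, result] = line.trim().split(/\s+/);
  return { ts, src, user, ok: result === "SUCCESS" };
}

// Returns { [source]: { verdict, users, attempts, succeeded } }. sprayUsers is how
// many distinct accounts one source must touch; bruteAttempts how many tries on one.
function classifySources(lines, { sprayUsers = 5, bruteAttempts = 5 } = {}) {
  const bySrc = new Map();
  for (const e of lines.map(parseLine)) {
    const s = bySrc.get(e.src) ?? { attempts: 0, perUser: new Map(), succeeded: [] };
    s.attempts += 1;
    s.perUser.set(e.user, (s.perUser.get(e.user) ?? 0) + 1);
    if (e.ok) s.succeeded.push(e.user);   // accounts to check or reset after a spray
    bySrc.set(e.src, s);
  }
  const verdicts = {};
  for (const [src, s] of bySrc) {
    const users = s.perUser.size;
    const maxPerUser = Math.max(...s.perUser.values());
    let verdict = "normal";
    if (users >= sprayUsers && maxPerUser <= 2) verdict = "password-spray";
    else if (users === 1 && s.attempts >= bruteAttempts) verdict = "brute-force";
    verdicts[src] = { verdict, users, attempts: s.attempts, succeeded: s.succeeded };
  }
  return verdicts;
}
console.log(classifySources(LOG));
```

Per-account lockout thresholds never fire on the spray source, which is exactly why the per-source view is needed alongside MFA.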
The last item we need to discuss is focusing your efforts around any weaknesses in your Windows and authentication architecture. For some businesses this may mean automating your patch management since the volume of patches to keep up with will only get larger and larger into 2022.
You may also want to focus on securing your network perimeter and closing your security gaps, especially in your cloud perimeter, as threat actors continue to pivot to these areas.
It is never too late to develop a strategy and plan for zero trust, endpoint security, regularly testing your backups, or getting your cloud locked down. All of these concerns are areas that the SecurityMetrics Threat Intelligence Center has placed greater emphasis on and will continue to with our clients.
Audit standards are the floor of what you should be doing - not the ceiling. A lot of people will say they are compliant with PCI, HIPAA, HITRUST, or any of these standards, but that is the minimum requirement.
Due to COVID, the new version of PCI DSS hasn’t come out yet. For version 4.0, the PCI Council is emphasizing soliciting and responding to feedback about the difficulties and hurdles in becoming compliant with security standards, and incorporating that feedback into the new version.
The new version is going to be the same 12 areas because the basics always stay the same, but they are adding more cloud considerations and there are other areas in the standard that are expanding.
Some people may be worried about how long they have to transition to the new requirements, but you have plenty of time. There will be 22 months of transition until 3.2.1 is retired and then, beyond that, another year to implement the future-dated requirements.
To wrap up, I want to discuss the zero trust strategy proposal that's in the works right now. Seeing guidelines being provided by large organizations is exciting because security has to come from the top down.
The zero trust strategy contains a lot of proposals that should sound familiar: better identity and authentication controls, enterprise-wide single sign on, multi factor authentication, stronger, longer passwords, encrypting your internal network traffic, segmenting your networks.
All these mandates should be familiar, but the fact that the President is talking about it will hopefully convince people to listen and maybe even act.
So we've had some interesting takeaways from the year 2020. Now, in 2021, we're seeing a lot of carryover from the effects of 2020. We're still seeing people do remote work, and I think the remote work point is really interesting. There are more people working from home on their own computers and on their own home networks. This is causing companies to ask, “How do I manage that? How do I know what they are doing?”
The fact is that you can’t control what they’re doing, so you have to get them to use processes, procedures, and applications that will protect your data. Companies have to be pretty creative with these solutions. And that's what I think will be the future focus of 2022 and beyond.
If you would like to stay updated on current security news, we highly recommend subscribing to our news feed where we curate a list of the top news stories, vulnerabilities, patches and more.