Reasons to be fearful 2020: Smishing, public Wi-Fi, deepfakes... and all the usual suspects

Too soon for New Year Resolutions?


Cybercriminals will continue to exploit tried-and-tested fraud methods but also adopt a couple of new takes and targets in the year ahead.

Predictions from fraud specialists at Experian suggest continued threats from careless use of public Wi-Fi networks. With ever more spots available, users need to be careful of what data they store on their phone and be wary when accessing public networks with unknown security.

Experian expects more use of "smishing" – phishing attacks via SMS. Folk are also more likely to fall for scams from an online community they're part of – whether that is a group connected to a political candidate, issue or other theme. The company recommended people take the same precautions with text messages from unknown mobile numbers as they would with emails from unknown sources.

Deepfake video and audio has mainly been used for political purposes so far, but Experian warned that as the technology moves downstream, it will be exploited by cybercriminals. The company said there have been three cases in the US where fake audio of executives has been used to defraud their companies. It also warned that there are few tools to spot deepfake audio and video content.

Certain types of company are more likely to face cyber attacks in 2020, Experian believes. It predicted that cannabis retailers and cryptocurrency exchanges will face more attacks and as immature businesses may not have made the security investment needed to protect their customers. Medical marijuana facilities may store medical records which would prove valuable if stolen. Cryptocurrency exchanges have already been hit by crooks who got away with $41m in Bitcoin in one case.

Finally, Experian warned that the increasing use of mobile payment systems – expected to hit $4.5 trillion by 2023 – will be an ever more tempting target for fraudsters. It noted that most NFC payment apps have decent security, but some handheld point-of-sale devices for swiping cards used at venues and retailers are less secure.

In a refreshing bout of honesty, Experian also rated the accuracy of the predictions it made last year.

Firstly was its forecast that biometric security would be targeted in 2019. The credit agency gave itself an A grade for this – pointing to the discovery of a million people's fingerprints on an accessible database.

But it only got a B grade for suggesting an enterprise-wide skimming attack could succeed in 2019.

It marked itself with another B grade for suggesting that a mobile network would see a simultaneous and successful attack on both Android and Apple phones.

But better marks for suggesting that a top cloud vendor would be breached. Capital One suffered a massive data loss and the hacker accused of the attack has been charged with targeting another 30 AWS-hosted companies.

And a mixed A grade for Experian's prediction that online gamers would fall victim to attacks from crooks posing as fellow, friendly gamers. 2019 did see data losses at Zynga and distributed denial-of-service (DDoS) attacks on gaming servers, but no active attacks from people posing as gamers.

The full report is available to download from here, if you're prepared to cough up an email and some other details. ®


Other stories you might like

  • Verizon: Ransomware sees biggest jump in five years
    We're only here for DBIRs

    The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.

    Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.

    According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.

    Continue reading
  • Slack-for-engineers Mattermost on open source and data sovereignty
    Control and access are becoming a hot button for orgs

    Interview "It's our data, it's our intellectual property. Being able to migrate it out those systems is near impossible... It was a real frustration for us."

    These were the words of communication and collaboration platform Mattermost's founder and CTO, Corey Hulen, speaking to The Register about open source, sovereignty and audio bridges.

    "Some of the history of Mattermost is exactly that problem," says Hulen of the issue of closed source software. "We were using proprietary tools – we were not a collaboration platform before, we were a games company before – [and] we were extremely frustrated because we couldn't get our intellectual property out of those systems..."

    Continue reading
  • UK government having hard time complying with its own IR35 tax rules
    This shouldn't come as much of a surprise if you've been reading the headlines at all

    Government departments are guilty of high levels of non-compliance with the UK's off-payroll tax regime, according to a report by MPs.

    Difficulties meeting the IR35 rules, which apply to many IT contractors, in central government reflect poor implementation by Her Majesty's Revenue & Customs (HMRC) and other government bodies, the Public Accounts Committee (PAC) said.

    "Central government is spending hundreds of millions of pounds to cover tax owed for individuals wrongly assessed as self-employed. Government departments and agencies owed, or expected to owe, HMRC £263 million in 2020–21 due to incorrect administration of the rules," the report said.

    Continue reading
  • Internet went offline in Pakistan as protestors marched for ousted prime minister
    Two hour outage 'consistent with an intentional disruption to service' said NetBlocks

    Internet interruption-watcher NetBlocks has reported internet outages across Pakistan on Wednesday, perhaps timed to coincide with large public protests over the ousting of Prime Minister Imran Khan.

    The watchdog organisation asserted that outages started after 5:00PM and lasted for about two hours. NetBlocks referred to them as “consistent with an intentional disruption to service.”

    Continue reading
  • Suspected phishing email crime boss cuffed in Nigeria
    Interpol, cops swoop with intel from cybersecurity bods

    Interpol and cops in Africa have arrested a Nigerian man suspected of running a multi-continent cybercrime ring that specialized in phishing emails targeting businesses.

    His alleged operation was responsible for so-called business email compromise (BEC), a mix of fraud and social engineering in which staff at targeted companies are hoodwinked into, for example, wiring funds to scammers or sending out sensitive information. This can be done by sending messages that impersonate executives or suppliers, with instructions on where to send payments or data, sometimes by breaking into an employee's work email account to do so.

    The 37-year-old's detention is part of a year-long, counter-BEC initiative code-named Operation Delilah that involved international law enforcement, and started with intelligence from cybersecurity companies Group-IB, Palo Alto Networks Unit 42, and Trend Micro.

    Continue reading

Biting the hand that feeds IT © 1998–2022