Formjacking passed cryptojacking and ransomware to become the top threat highlighted by Symantec in 2018, although both of these other types of attacks continue to be problematic for the commercial market in particular.
Symantec’s 2019 Internet Security Threat Report is out, and there have been significant changes over the last year in the specific threats attackers use to try to steal money online. The one constant, however, is that SMBs still bear a disproportionate amount of risk compared to both enterprises and consumers.
“What the report represents is a lot of transition points,” said Robert Arandjelovic, Director of Product Marketing for Symantec Americas. “There’s no new calamity on the horizon, but it’s not just a continuation of the ‘same old same old’ – which recently has been ransomware and cryptojacking.”
These threats are still significant, but Symantec identified formjacking as having become the principal danger by the end of 2018.
“Cryptojacking and ransomware were about trying to find ways to trick users and install something,” Arandjelovic said. “With formjacking, criminals have found a new way to get their money. They have gone straight to the trough, compromising websites by injecting code. They go to a normal website where people conduct e-commerce transactions, so you are actually on the legitimate web page. The injected code copies the credit card data and diverts it.”
Code injections have been around for years, and companies had gotten savvier at handling them, but the formjackers have found a new way in.
“With formjacking, they are using an ability to exploit third party tools like chatbots for support,” Arandjelovic said. “Those third-party tools tend to be the vehicles in, and give them a foot in the door.”
The credit card information is typically sold on the dark web. The average return there is about $45, much more than other types of personal data sell for online. Given that Symantec data shows that 4,818 unique websites were compromised with formjacking code every month in 2018, ten cards stolen from each compromised website translates into up to $2.2 million in illegal revenue each month.
The good thing for businesses is that formjacking is easier to defend against than these other major threats.
“The most important thing is to make sure you run a system from a device with robust endpoint protection on it,” Arandjelovic indicated. “Basic old IPS capability works effectively against this. There’s always some risk, because the attackers fine-tune their code. But it’s mainly old unsecured sites that are most at risk.”
While British Airways and Ticketmaster were hit by formjackers last year, those kinds of enterprise breaches are also less common.
“It’s the small and middle-sized vendors, like small flower shops, that are more vulnerable,” Arandjelovic said. “Solution providers can minimize the server-side risk of these code injections if they bring the issue to their customers’ attention and ensure they are adequately protected.”
Symantec recorded that cryptojacking fell by 52 per cent in 2018 – but there are a few catches here.
“Cryptojacking was all the rage last year,” Arandjelovic noted. “It was a surreptitious way to get a footprint on a client, quietly mining cryptocurrencies using their machines and power. It’s an easier way to make money than holding people up for ransomware. However, in the middle of last year, cryptocurrency prices dropped massively, to be worth between 10 and 30 per cent what they were before. That’s why the criminals jumped on formjacking as their new get-rich-quick scheme.”
The concern is that, just as market forces reduced cryptojacking, a change in those forces could bring it back.
“We don’t expect to get to $20,000 bitcoins again but a spike in their value would likely change cryptojacking’s popularity, although defenses against it did improve during the year as well,” Arandjelovic said. He also noted that while cryptojacking fell during the year, Symantec still blocked four times as many attacks in 2018 compared to 2017. An advantage for the cybercriminal is that this area has a low barrier to entry and minimal overhead.
Ransomware also declined in 2018 – by 20 per cent overall – but again, for businesses, there’s a catch.
“There has been a shift in attacks, from consumers to companies,” Arandjelovic said. “While two years ago, a majority of attacks were against consumers, last year, 80 per cent were against companies, and those attacks were up by 12 per cent. So companies can still expect to be targeted.”
Arandjelovic noted that ransomware is still the threat that alarms customers the most, but said that the industry has done a good job in countering it.
“A huge piece of the reason for the decline has been the improvement of defenses,” he said. “It’s a lot harder to carry out now, so that the attackers have moved to find more lucrative paths. Storage moving to the cloud has also helped. When people backed up to a physical location, it made it easier to get them by the neck. The ability to back up to the cloud and do instant restore makes it harder for the attackers.”
Canadian stats are available in the report, although they are generally in line with the U.S., and don’t highlight any particularly Canadian-centric vulnerabilities. Canada ranked 20th globally for overall cybercrime, measured by phishing, malware, bots, web attacks, network attacks, and spam. We ranked 16th for malware with 1.4 per cent of global malware. Phishing was the highest-ranking category – in a ranking system where coming in last is better – 7th globally, with 2.2 per cent of reported attacks. In terms of cryptomining, Canada was 8th, with 3.3 per cent of incidents. Canada was lower in ransomware, 26th, with .71 per cent of incidents.