Cybercriminals have come up with new ways to extort money and steal data. They are combining breached data with personal information in phishing attempts; using ransomware-like tactics to access computers for cryptocurrency mining; and hacking into home networks through smart devices.
Those are just some of the new threats, according to IEEE Member Kayne McGladrey, a cybersecurity expert. He’s the director of security and IT at Pensar Development, a design company in Seattle that provides product design, electrical, and software engineering services.
In this interview with The Institute, McGladrey describes the attacks in more detail and provides tips on how to prevent them.
PHISHING AND MINING
Cybercriminals are conducting a worldwide extortion campaign by emailing people, claiming to have hacked their webcam while they were watching an adult video and asking for hush money in the form of virtual currency. The email contains the victim’s password or the last four digits of the person’s cellphone number, adding legitimacy to the threat. The password is not from the current breach, but likely from a previous hack, McGladrey says. That’s because people tend to reuse passwords. And the cellphone number probably was stolen from breaches of eBay, PayPal or a similar company, or from a compromised application that sent a text message to verify a person’s credentials.
When such threat actors, as McGladrey calls them, find someone willing to pay the ransom, they demand payment in Bitcoin or a similar virtual currency.
“The threat actors are doing this scam at scale because it’s easy to automate,” he says. “After last year’s ransomware attacks, criminals recognized it was really easy to play a confidence game on people.”
Another way hackers are making fast money is from cryptocurrency mining—also known as cryptomining—the process of solving complex math equations to verify digital transactions. Miners can get paid for their processing power in a cryptocurrency. It can be a lucrative business: Early this month, 1 bitcoin was worth nearly US $7,400.
Mining—especially of Bitcoin—requires a lot of computer processing, so the hackers, called cryptojackers, get unauthorized access to other machines by sending victims a malicious link via email or in an advertisement. When a victim clicks on the link, the computer downloads cryptomining code or a script without the user’s knowledge, and it becomes part of a mining pool owned by the cryptojacker.
Unlike other types of malware, the scripts don’t damage the computer, but they can cause the victim’s electricity bill to skyrocket and the computer’s processing to slow down. For organizations such as hospitals that run mission-critical programs, cryptomining can have serious repercussions, McGladrey says.
“By vastly degrading machine performance, the malware is posing a clear and present threat and putting lives at risk,” he says. “It could, for example, take much longer than normal for emergency room doctors to get results of an X-ray or MRI.”
The number of smart connected devices in homes is growing—which means more opportunities for hackers, McGladrey says. Most homeowners don’t realize their systems have computing capabilities. Most also don’t think threat actors would be interested in their home’s network, but they are, McGladrey says, because it’s a perpetual resource for them.
The wireless router is especially critical because it’s the hub that connects all the smart-home devices. If hackers are able to compromise the router, they easily could spoof a bank’s website and steal banking credentials. Hackers sometimes gain access to devices such as a smart light bulb, then use that as a jumping-off point to infiltrate the rest of the home network.
By intercepting a connected home camera, a hacker can conduct surveillance and gain access to live video and audio feeds. Compromising photos can be taken, and burglars can know when the owners are away. The devices compromised by such attacks also can be harnessed to conduct distributed denial-of-service attacks outside the home, such as the 2016 DNS attack.
WAYS TO PROTECT YOURSELF
McGladrey offers the same security recommendations to individuals and homeowners as he does to large companies: Keep your security software up to date. When a security patch is released, install it immediately. And don’t reuse passwords.
Also change the default password that comes with a new router or other device, because hackers can learn those passwords by searching the Internet.
There is no virus-scanning software for smart-home devices such as Amazon’s Echo, so McGladrey recommends buying a home network inspection device, which regularly checks for intrusions on smart televisions, tablets, printers, and other connected items. Several recently released routers from well-known security firms incorporate such functionality.
MORE EXPERTS NEEDED
Another way to thwart cyberattacks is to increase the number of cybersecurity experts, McGladrey says. According to the 2017 cybercrime report from the Herjavec Group, cybersecurity firms estimate such crimes are going to cost about $6 trillion annually by 2021. Companies are experiencing shortages in qualified applicants for cybersecurity jobs. The U.S. Department of Commerce estimates there are now about 350,000 unfilled positions, and that number is only going to increase, McGladrey says.
One way to fill such jobs, he says, is to encourage more women and people from other underrepresented groups to apply. Women hold only about 11 percent of cybersecurity jobs worldwide, he notes.
“We as a society need to do better about being inclusive and encouraging individuals from different backgrounds to get into cybersecurity,” he says. “There is a perception that you have to be from the best engineering schools, and you have to fit a certain profile. I think that is unfortunate because it’s forcing a lot of people who are very talented and who would be good and valuable contributors to look at other careers.”