January 15, 2016 By Limor Kessem 9 min read

A Look Back at Cybercrime in 2015

Cybercrime in the past 12 months has been nothing short of epic. Never before have we borne witness to the magnitude or sophistication of online crime as we did in 2015.

In the 2015 Cost of Data Breach Study by IBM and the Ponemon Institute, the average total cost of a data breach increased from $3.52 million in 2014 to $3.79 million. Another study said cybercrime will become a $2.1 trillion problem by 2019. That’s only three years away, and judging by the way things are going, we might get there sooner than we ever imagined.

Early in the year, IBM Security forecasted some trends we expected to see in 2015. They included:

  • Cybercrime breaking borders;
  • Rising card-not-present (CNP) fraud;
  • An escalation in the sophistication of mobile threats;
  • Wide use of anonymity networks and stronger encryption;
  • Burgeoning fraud methods for new payment schemes; and
  • Biometrics becoming a target.

These predictions not only materialized, but actually exceeded the forecast. We expect things to get very intense in 2016 as more organized crime groups step up their presence in the digital realms.

Predictions for 2016

Here is our prediction roundup covering financially motivated cybercrime for the year ahead:

Organized Cybercrime Will Shift Focus to Businesses

Although we can safely say that we see escalation in cybercrime every year, 2015 was definitely a year that stands out with respect to the scale of crime we observed.

While it has been a gradual process, 2015 was the first year we saw organized cybercrime really exert its power in the digital realms. These mobs are headed by crime bosses that have troops on computers and on the streets, collecting money from mules and wiping the digital traces of their ill-gotten profits.

It’s important to keep in mind that when we talk about organized cybercrime today, we are not fighting lone attackers or small factions of fraudsters anymore. Rather, we now face full-blown organizations that are organized like startup companies. They are not manned by youngsters; they employ highly experienced developers with deep knowledge that allows them to bring constant innovation into malware and attack tactics. Thus, it is no surprise that, according to CSO Online, the average age of a cybercriminal is 35 years old. Additionally, 80 percent of black-hat hackers are affiliated with organized crime, working as part of closed groups.

These organizations also employ criminals other than attackers to help with the collection and moving of stolen funds, mobilizing it on the streets and laundering it along the way.

Based on research that exposed the likes of Carbanak, Dyre Wolf or the Shifu Trojan, it seems that cybercriminals have never been more brazen and bold in their attacks. They are stealing millions of dollars at a time compared with a five-figure magnitude in the years prior.

The top offenders in the corporate fraud arena are Dyre, Dridex, Rovnix and Shifu. In 2016, we expect to see that trend persist, intensify and spread to more organized malware gangs. We also expect to see these gangs venture into new territories, as they had been doing throughout 2015.

More on the malware front, we predict malware adjusting attack scenarios and methods in order to circumvent the security that banks have in place. One example is the use of remote admin tools (RAT) in conjunction with a banking Trojan in order to access devices attached to the endpoint. In 2015, the Dridex Trojan used that method in some of its attacks.

We also saw nonmalware device takeover, where Trojans downloaded and deployed legitimate remote assistance software and then leveraged it in fraudulent activity from the victim’s device. Dridex tested this method in September 2015.

Financial cybercrime will also intensify on the targeted attacks front. In this case, we are not looking at botmasters that amass an army of zombie PCs but rather financially motivated black-hat groups that make it a top priority to target the financial institution as a high-value enterprise. Groups like Anunak are made up of cybercriminals who take on digital crime projects that can generate hundreds of millions of dollars at a time. This group was reportedly behind the Carbanak heist and similar attack sprees before it.

Advanced adversaries are already carrying out sporadic integrity attacks. These are cases where sophisticated attackers breach the systems of enterprises and corporations with the purpose of altering data that the organization relies on. Changing the data can make the organization base decisions on incorrect information or automatically pay out invoices into the wrong accounts — those that belong to the criminals! In 2016, we expect to see more integrity attacks and see these cases cause heavy losses to the victim organizations.


Mobile Threats Will See a Quantum Leap in Fraud Capabilities

We believe this year is going to bring the game changer we’ve been expecting to discover in the mobile threats arena. Late 2015 showed the first signs of mobile malware for Android that was able to materialize the effect webinjections have on users in the PC browser: overlay malware.

Overlay malware apps are one-stop fraud facilitators that steal user credentials and SMS two-factor authentication codes — right on the mobile device and at the same time. It is an account takeover facilitator par excellence, and it is quite effective.

This new type of malicious app, the likes of GM Bot and FakeLogin, are being sold commercially in underground cybercrime venues by a few developers who program special pop-up windows carefully adapted to the look and feel of bank applications, e-commerce apps and payment platforms.

In a sense, the public sale of mobile malware in the underground in 2016 will fill the vacuum left by the banking Trojan marketplace, which has dwindled away in the past five years. Mobile malware will become commoditized in every aspect of operating a mobile botnet. Vendors offer cybercriminals the option to buy the software they need, resources to operate it and technical support they require in order to succeed in their schemes.

The burgeoning overlay malware trend is especially worrying because it enables criminals to take advantage of user trust in bank applications and thus steal credentials on the mobile device when the user is already accessing the relevant app.

Overlay malware is often bundled with spyware and RAT-type apps, making it much more invasive and risky to the infected users because the app exfiltrates more information from the device and allows for remote commands from the attacker.

Some factors driving these threat advancements in the mobile platform include the inherent open-source and decentralized nature of the Android platform and its maturity level. These can make for gaping security holes that are unearthed by researchers on a regular basis. Some argue that the Android OS is simply not a trusted environment for apps to run in — at least not yet, and especially since the responsibility for applying patches and updates is, for the most part, left to users.

It would seem the more prudent approach would be to have security come from within the apps themselves, relying less on the actual platform’s security. Moreover, with Windows 10 planning to converge across all devices, the acceleration of malware crossing over to Windows phones is almost guaranteed.

Cyber Extortion Will Proliferate and Escalate

From ransomware to other kinds of cyber extortion, cybercriminals saw their nefarious ventures soar in 2015. The Cryptolocker gang reportedly managed to gross over $30 million last year, proving that even the simpler malware in the wild can make criminals rich.

Organized cybercrime gangs know ROI when they see it: More advanced groups have stepped into the ransomware arena in 2015, building stronger, virtually unbeatable malware that forces victims to pay up.

In 2016, we expect to see more ransomware groups and a higher scale of ransom demanded of victims, especially if the infected endpoint belongs to a business. We will be seeing cases where ransomware gangs hold business endpoints for a five-figure ransom.

Aside from using malware to encrypt files, we also expect to see the proliferation of cyber extortion groups and methods. Black-hat attackers may demand ransoms to halt DDoS attacks or approach businesses with demands for cash after hijacking critical data from company networks.

Take, for example, the case of the TalkTalk ransom fiasco. The U.K.-based telecom group fell victim to a group of criminals who gained access to the personal and financial details of up to 4 million customers. The initial ransom demand was £80,000. The ensuing damage to TalkTalk, including customer impact and lawsuits, could cost the company up to £35 million in “one-off costs,” the business’s chief executive said.

In 2016, we predict digital ransom attacks will become more prevalent and sophisticated by being more situationally aware — understanding victims and recognizing when attackers can fetch a higher ransom. We expect this trend to leverage the significant rise of bitcoin since it is the currency that criminals prefer, trusting the anonymity it affords them in ransom situations.

The Rise of Machines and Connected Things

Rise of the machine… learning! Security professionals are inundated with millions of security events. According to IBM’s 2015 Cyber Security Intelligence Index, companies experienced an average of 81 million security events in 2014. Identifying false positives is getting more difficult as we process more data and strive to make timely, quality decisions based on insights from that data.

In 2016, cognitive computing will become a security assistant to help security professionals and data analysts cut down the noise to focus on the real threats and benefits to their organizations.

On the Internet of Things (IoT) front, we expect an increase in nontraditional attack targets. We’ve already seen cars, TVs, baby monitors and gaming platforms get compromised. We will see an increase of attacks on these IoT devices.

The Dark Web Gets More Popular and Less Exclusive, Driving New Criminal Locales

With all the attention from its closed fraud enclaves and TV shows such as “Mr. Robot” and “CSI: Cyber,” the Dark Web will become less exclusive. The Dark Web is no longer the sort of venue that attracts the most advanced cybercriminal crowd. As curious, unskilled users flock to learn about the Dark Web, we anticipate it will become even more devalued for the more experienced cybercriminals, driving them further underground. Don’t be surprised when the real criminals switch over to a completely new communication channel in 2016!

Beyond the existing Dark Web, the Russian-speaking venues, English-speaking zones and the Latin American underground, we anticipate the rise of new isles in Asia. For example, judging by recent events, the Japanese-speaking zones will see rising sophistication as the year progresses.

Card Fraud Will Witness a Shift to CNP Fraud

Card fraud is a global problem that keeps escalating. This statement remains true even as chip-and-PIN technology is being rolled out in almost every first-world country. It’s clear that criminals are not ready to throw in the towel and give up on counterfeiting altogether despite the added hurdles they encounter in that domain.

Chip-and-PIN, or the Europay-Mastercard-Visa (EMV) standard, is designed to protect cards from counterfeiting and fraud in physical scenarios. Yet this security measure is under constant attack and is also leading actors to intensify fraud in the digital channels.

Since counterfeiting is that much harder with chip-enabled cards, the result is a dollar-for-dollar displacement from counterfeiting fraud to card-not-present (CNP) fraud — transactions processed online, over the phone and via mobile payments.

In 2015, EMV was attacked in some creative ways. Tools for EMV replay attacks were for sale in underground boards and designed to facilitate cloning chip-protected cards issued by banks that were not checking all the relevant EMV transaction parameters.

Figure 1: Vendor post from an underground forum selling malware that can purportedly enable cloning of chip-enabled payment cards where EMV protection is static.
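To make the replay point concrete, here is an added illustration (not code from the article or from IBM): a simplified issuer-side authorization routine that verifies the card's cryptogram and also requires the Application Transaction Counter (ATC) to move forward, which is the kind of parameter check the article says some banks were skipping. The card number, key and the HMAC stand-in for the real EMV ARQC computation are constructed assumptions.

```python
import hmac
import hashlib

# Constructed sample per-card keys (PAN -> issuer key); not real data.
CARD_KEYS = {"4000000000000002": b"issuer-key-for-card-A"}


def cryptogram(key, pan, atc, amount, unpredictable_number):
    # Stand-in for the EMV ARQC: a MAC over the fields the terminal forwards.
    # Real issuers derive a 3DES session key from the ATC; this HMAC is not that.
    data = f"{pan}|{atc}|{amount}|{unpredictable_number}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class IssuerAuthorizer:
    """Issuer-side check. check_counter=False models a bank that verifies the
    cryptogram but ignores the ATC, which is what lets a replay through."""

    def __init__(self, card_keys, check_counter=True):
        self.card_keys = card_keys
        self.check_counter = check_counter
        self.last_atc = {}  # PAN -> highest ATC accepted so far

    def authorize(self, tx):
        key = self.card_keys.get(tx["pan"])
        if key is None:
            return "DECLINE: unknown card"
        expected = cryptogram(key, tx["pan"], tx["atc"], tx["amount"], tx["un"])
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return "DECLINE: cryptogram mismatch"
        if self.check_counter and tx["atc"] <= self.last_atc.get(tx["pan"], -1):
            return "DECLINE: ATC not increasing (possible replay)"
        self.last_atc[tx["pan"]] = max(tx["atc"], self.last_atc.get(tx["pan"], -1))
        return "APPROVE"


def make_tx(pan, atc, amount, un):
    # The genuine card computes the cryptogram with its own key.
    return {"pan": pan, "atc": atc, "amount": amount, "un": un,
            "cryptogram": cryptogram(CARD_KEYS[pan], pan, atc, amount, un)}


def run_scenario(check_counter):
    """Returns the issuer decisions for: a genuine purchase, a re-submission of
    that purchase's captured cryptogram, then the card's next genuine purchase."""
    issuer = IssuerAuthorizer(CARD_KEYS, check_counter=check_counter)
    pan = "4000000000000002"
    genuine = make_tx(pan, atc=17, amount=4999, un="A1B2C3D4")
    replay = dict(genuine)  # same ATC, UN and cryptogram submitted again
    later = make_tx(pan, atc=18, amount=1250, un="9F8E7D6C")
    return [issuer.authorize(t) for t in (genuine, replay, later)]


if __name__ == "__main__":
    print("strict issuer: ", run_scenario(True))
    print("lenient issuer:", run_scenario(False))
```

The strict issuer declines the second submission on the counter alone, while the lenient one approves all three because the cryptogram itself is still valid.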

Criminals also preyed on the chip technology itself to break trust and the security embedded into payment cards. In late October 2015, a team of French researchers completed their analysis of the techniques of a criminal ring that, in 2011, managed to steal $680,000 using modified EMV cards. The researchers were amazed at the sophistication of the man-in-the-middle (MitM) attack. We expect to see more crafty attacks on EMV technology in 2016 as criminals continue to push for a way to exploit this payment method.

Point-of-sale (POS) malware is also expected to push for more modularity and sophistication. This escalation will result from well-funded gangs investing in the development of POS malware. After seeing the proven success of POS malware in the past few years, organized cybercrime will not hesitate to invest in building this sort of malware, and we forecast seeing more persistent, stealthy and highly modular POS malware in 2016.

On the more physical side of carding fraud, we expect to see the use of skimmers die down. Instead, be prepared for a rise in the use of shimmer-type devices that can record the card’s magnetic stripe and its chip data.

Biometrics Used for Fraudulent Authentication

Many organizations are already looking to biometrics-based solutions to better authenticate customers and provide them with services in a more secure manner. While biometrics is a more advanced identifier, it is still being stored and managed on the same hardware that can be breached by cybercriminals.

Furthermore, biometric data has not yet broadly seen adequate security or safe processing applied to its repositories. For example, the U.S. Office of Personnel Management (OPM) breach resulted in the theft of 5.6 million fingerprints, and the biometrics were stolen alongside extensive data on each person.

Biometric data is also being traded in ways that its owners never intended. For example, DNA data from newborn blood samples in California was sold to third parties. How was that data transferred to the buyers? Did the parents know the data was being sold? How is that data being protected by the third parties who bought it, and who else can they sell it to?

We expect to see biometric data exploited in fraud scenarios in 2016. Overall, biometrics requires adequate security and processes in order to materialize its promise as better authentication.

One example is voice biometrics. Voice biometrics is the most mature and widespread biometric identification model at this time. To guard its authenticity, security researchers and developers will have to consider mobile malware that can intercept calls, record voices and exfiltrate voice samples to an attacker. The possibility that voice patterns can be stolen means that we cannot trust voice biometrics as the sole authenticator of the genuine customer.

Cybercrime and Nation-State Attacks Continue to Cross-Pollinate

In 2015, we started seeing the emergence of targeted attack tools and methods in the realms of financially motivated cybercrime. Phenomena like signed malware, which was first discovered when the Stuxnet worm was exposed, became an everyday occurrence with banking Trojans, POS malware and even ransomware.

Cybercriminals picked up concepts used by threat-actor groups such as leveraging a poisoned remote assistance tool for remote-controlling infected endpoints and using them against businesses.

The Hacking Team leak potentially catalyzed black-hat capabilities in the cybercrime arena in 2015, allowing criminals to obtain rare and effective exploits to use in their everyday schemes. The leak reportedly facilitated the work of Chinese cybercriminals who targeted a financial firm in the U.S. by using exploits leaked from that same breach.
