Cybercrime: Smarter, Bigger, More Sophisticated – But By No Means Invincible

Cybercrime is an enormous industry. And when there’s that much money involved, criminals are motivated to invest substantial time and money in ripping people off. When they’re ripping off businesses, non-profit organizations, and government agencies, they’re driving up costs for everything we all buy and do. And, of course, millions of ordinary people have been victimized directly by cybercrime – whether it takes the form of ransomware, phishing attacks that compromise their financial accounts, or criminals hijacking their computer’s power to “mine” cryptocurrency.

Since there’s still no single reliable source of data on global cybercrime trends, it’s difficult to know just how immense the losses are. But they are unquestionably massive. Two reputable estimates will make the point.  In 2018, partnering with a security vendor, the nonprofit researcher Center for Strategic and International Studies (CSIS) estimated the overall cost of cybercrime at $600 billion. That would make cybercrime the third largest type of crime after government corruption and narcotics trafficking.

If CSIS’s figure is correct, this represents 0.8% of global GDP: a pretty sizable tax on all of us. But an even higher number comes from the global consulting firm Accenture, which recently told business leaders that cyberattacks will place $6.2 trillion in economic value at risk over the next five years. For the world’s largest 2,000 companies, that translates into 2.8% of revenues – and in some industries, it’s much higher.  

At ground level, we’re seeing significant shifts in the threat landscape as it affects both individuals and businesses. As we noted in our most recent Threat Report, as “less skilled cybercriminals are being forced out of business, the fittest among them step up their game to survive and we’ll eventually be left with fewer, but smarter and stronger, adversaries.”

The criminals still use off-the-shelf malware. And there’s plenty of it out there: phishing kits, loaders, customizable infected Microsoft Office files, trojans, keyloggers, zero-day exploits, ransomware-as-a-service offerings, and more. (Deloitte’s December 2018 survey found that it’s still technically possible to start your own cybercrime business for under $40 a month, using tools they can buy or rent in a large global online black market.) But the most effective criminals are complementing off-the-shelf tools with sophisticated manual hacking techniques that were previously used primarily for industrial or government espionage or sabotage.

Sophos’s 2019 Annual Threat Report found that cybercriminals are also becoming more sophisticated about “living off the land” – using tools and resources they find on the devices they attack. Most often, those devices are running Windows, which includes high-powered administrative and management tools such as PowerShell, WMI, and the Windows Scripting Host. Often, attackers trigger complex chains of scripts that operate in multiple Windows processes, and leave few traces. This means defenders can’t rely on traditional methods – so Sophos Home Premium relies on machine learning to recognize when a computer’s behaving anomalously, even if it’s using Windows’ own components to do so.

As machine learning grows more ubiquitous, of course, we’ll have to respond to cybercriminals who’ll also use it. Some researchers believe machine learning will help criminals discover more zero-day attacks that don’t yet have defenses against them, create more convincing personalized phishing attacks, discover users’ passwords more effectively, and evolve botnets in ways that are harder to counter.

It’s easy to imagine that all the news is bad. As we’ve implied, though, we don’t see it that way. Criminals have been forced to jump through more hoops because we’ve collectively improved our defenses. More than half of websites and 80 percent of network traffic is now encrypted – and that’s major progress. Best of all, even today, many of the basics still go a long way towards keeping individuals safe. That means: keep your systems updated and patched, use sophisticated security software like Sophos Home Premium, run your computer without administrator privileges, don’t share personal information with strangers, and don’t click where you shouldn’t.