6 common cyber threats and how to avoid them
Cyber threats aren’t going anywhere. They’re here to stay, and they’ll do whatever they can to tear apart your digital existence.
In that sense, there’s nothing you can really do. You have to sit there and deal with the never-ending flow of malicious online activity.
However, how you deal with these threats is something you can control.
You can either be a helpless digital victim or not. That’s completely up to you. But if you’re leaning more towards not being one, then you’ve come to the right place.
Here are 6 of the most common cyber threats, how they play out in real life, and a few simple suggestions on how to avoid them.
Phishing
Phishing is one of the most common cyber threats of the 21st century. And unfortunately, it’s also one of the most effective cyber threats. It’s something we’ve all seen and something we will continue to see for years down the line.
Typically, phishing is a malicious email designed to dupe individuals into dropping standard security procedures. However, it’s important not to be misled — phishing isn’t limited to just your inbox. These attacks can also be carried out over the phone, in person, or even through a text message — email is simply the most common form of phishing.
When a phishing attack is played out, an email is sent by a person (or group of people) pretending to be someone or something else (like a person within your organization or a large company like Geico or PayPal). The goal of this email is to retrieve sensitive data — whether that be social security numbers, login credentials, or banking information.
Netflix and Phish
Think of phishing as nothing more than an intricate web of lies — which in some cases, is so believable that you almost can’t not be duped by it.
Consider this particular phishing attack that Wired Magazine says is “the devious Netflix phish that just won’t die.”
This attack played out again and again during 2017 — dating as far back as January. Users would receive an email claiming to be from Netflix, and they would be told that their account had been suspended due to outdated or incorrect billing information.
In this case, both the email and the landing page were well-designed — which makes the attack incredibly hard to ignore. But not only is the collateral believable … the idea itself is rather believable. Outdated billing information isn’t a far-fetched idea. It’s not like the email is asking you to hand over your social security number and your last three tax returns.
This being said, how do you avoid a phishing scam of this caliber?
Let’s not go phishing.
Luckily for you, most phishing scams won’t be like this. Typically, if you just take your time, they’re pretty easy to spot. Here’s what you need to look for:
- Is everything spelled correctly?
- Is the grammar at the level you would expect?
- Does it come from a reputable source?
- Are the links correct?
- Would this person or company normally send something to download?
For a situation like the Netflix scam, however, you’ll need to dig deeper. At this point, you’ll need to ask yourself:
- Can this request be verified?
- Does this make sense?
- Would this company or person normally ask this of a person?
- Do these requests typically happen at this time (season, day, hour, etc.)?
If you’re unsure and want to take extra precautions, you can always directly go to the site, log into your account, and figure things out from there. If it’s a person (as opposed to a company), a quick 2-minute phone call verifying the request is ideal.
Social Engineering
Social engineering covers a broad spectrum of cyber threats (like phishing), but not all of these threats are technically in the cyber realm.
Basically, it’s when different tactics are used to manipulate people into handing over sensitive data. Except, unlike phishing, social engineering can be something like baiting, pretexting, or even an extravagant in-person skit.
I’ll do anything for a box of chocolates.
You might be confused. How does a cyber threat extend beyond the digital realm? Well, it’s important to remember that to bypass security measures, you don’t always have to be sitting behind a computer in a dark basement.
Sometimes, all you need is a mixture of charm and acting skills — like a man did in Belgium back in 2007.
This man was able to steal over $27 million worth of diamonds and gems from a bank’s safety deposit boxes — and all during regular business hours. He simply brought in a few boxes of chocolate and a heavy dose of charm and was able to manipulate employees into giving him data, keys, and other sensitive details surrounding the diamonds.
Introverts for the win.
Keep in mind, social engineering doesn’t have to be something straight out of a movie. It can be something a bit more “low-key” than that. It could be a man who calls your company pretending to be from your ISP, or it could be an infected USB flash drive intentionally left on your desk.
Basically, it could be a whole mess of things. So in this particular instance, you need to err on the side of caution. Here are a few tips to help you out:
- Remain skeptical of everything. Never hand over information to anyone without some sort of verification. It’s always a good idea to develop internal procedures for handing over sensitive data to external (or even internal) sources.
- Be wary of any devices lying around. You never know where those devices have been or what those devices have been infected with.
- Whether someone calls you on the phone, sends you an email, or addresses you in person, never drop standard security procedures. Remain calm and carefully (and slowly) assess the situation.
Man-in-the-Middle Attacks
As a child, did you ever play a game of Keep Away? Maybe another kid camped out in between you and a friend as you threw a ball back and forth. As the ball passed between you and your friend, the other kid tried to jump up and grab the ball.
Well, that’s kind of how a man-in-the-middle attack works. A cybercriminal camps out between two parties and intercepts data as it’s passed between them.
In some cases, this data can be intercepted without either party ever knowing it’s been intercepted. It can even be manipulated or altered in the process — like if you received a letter in the mail but your friend rewrote it before you had a chance to open it.
A drop in the bucket.
Think of man-in-the-middle attacks as a sophisticated version of eavesdropping. Cybercriminals can sit in front of their computer screens, gain access to your devices in some way, and lie in wait for you to transfer sensitive data.
A few years back, a group of cybercriminals used this digital eavesdropping technique to hijack 6 million euros from a handful of different companies in Europe.
Over a period of time, this group of digital thieves continuously monitored communication inside these European companies. When they saw anything related to payment requests sent to those companies’ customers, they would hijack the conversation and request that the payment be sent somewhere else.
Eventually, the group was taken down — but that was only after millions of euros had already been stolen.
Can I get a little privacy, please?
Man-in-the-middle attacks often employ a variety of tools to be able to “lie in wait.” For example, the group that stole 6 million euros used social engineering and various forms of malware to get where they wanted to be — in between companies and their clients.
However, man-in-the-middle attacks can hijack different “venues” — for example, your email, your Wi-Fi, or even a connection between you and a specific website. Because of this, you need to be extra careful with how you secure your devices — in this case, you can’t rely on skepticism to protect you. Here’s what you need to keep in mind:
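- Stay away from websites that aren’t completely secure. Look for the lock symbol or “https” (as opposed to “http”). Keep in mind that the lock only tells you the connection is encrypted, not that the site itself is trustworthy.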
- Be wary of public Wi-Fi connections. There is such a thing as fake Wi-Fi hotspots, and these things can do a lot of damage.
- Make sure your router and Wi-Fi connection are properly secured and make sure you’re relying on a layered security solution to protect your inbox, mobile devices, and browsing sessions.
Malvertising
In 2016 and 2017, malvertising was a big deal. It was the cool cyber threat on campus because it could affect major websites and infect thousands of end users with no click or download necessary.
Basically, it was (and is) a big black hole of nothing good.
Cybercriminals buy up ad space on a website and insert malicious code into that ad (hence the term “malvertising” — malicious advertising). In some cases, that code can infect a person’s device free of any action (a user doesn’t have to click on the ad to become infected). But in other cases, the user does have to click on the ad — and when this happens, the user will be infected with some form of malware (usually ransomware).
You can run (from your browser), but you can’t hide.
Although malvertising has recently affected major publications (like Daily Mail, ESPN, and New York Times), Spotify had an embarrassing (and rather interesting) run-in with this particular cyber threat back in 2011 (before malvertising was even popular).
Spotify allows you to download a desktop version of its web app. In 2011, users who had this desktop version and a free subscription to the service were subjected to malvertising. This was interesting to people in the cybersecurity industry because this was the first notable time malvertising left the browser and dropped into software.
Free users were infected by this malware whether they clicked on an ad within the software or not. The malware downloaded on its own and caused major problems for end users.
Think before you click … or is it click before you think?
Malvertising is interesting because it works in two very different ways.
In one instance, it does want you to click on the ad. When this happens, you’ll more than likely be infected with some form of ransomware. Consider this another type of social engineering, and it’ll play out in a similar fashion. Manipulative content dupes you into clicking on malicious code, and — bam — you’re infected.
In the other instance, malvertising wants to run its course free of clicks or downloads. To do that, your device, browser, or software running on your computer needs to be outdated and vulnerable to external threats. At this point, it exploits components of your device to get inside of it somehow.
With this being said, here are a few must-have tips for malvertising:
- Be wary of all ads — especially if they’re too good to be true. In other words, think before you click.
- Make sure your computer (and everything running on your computer) is up-to-date at all times. Your browser, in particular, should be a top priority.
- Keep your security layered and advanced. Malvertising (and the nasty malware it can lead to) is intelligent … you need intelligent security if you expect to avoid infection.
Ransomware
Ransomware has morphed into this uncontrollable monster that businesses everywhere fear. It sneaks up out of nowhere, hijacks your data, and forces you to pay for something that was already yours to begin with.
But how exactly does it work?
Unfortunately, the answer to that is not so simple. There are a variety of ways a user can become infected with ransomware — by downloading it, visiting a corrupt website, being exposed to malvertising, or opening an email attachment. But once it’s in, it’s in.
It can remain dormant in your system for days or even weeks and come out to play when you least expect it. While there are different strains of ransomware, each strain works in a similar fashion. They wiggle into your system, encrypt your data, send you a notification detailing the infection, and then provide payment instructions.
Unsuspecting college kids or critically ill patients?
When ransomware first debuted, it was a pretty big fan of hospitals. It seemed like hospitals were hit by ransomware every other week. But now, it’s redirected its attention towards universities.
Last June, the University of Calgary was hit by ransomware, and they had to pay over $16,000 just to decrypt their emails. While this may not seem like that big of a deal — it’s not sensitive patient records or credit card numbers — there’s no telling how much hard-to-recover data or in-progress work is wrapped up inside those email accounts.
Without the proper support and data backup solution in place, paying the ransom fee is often a much easier, quicker, and cheaper solution. Sad, but true.
Don’t stop there.
Again, ransomware isn’t a simple strain of malware. It’s manipulative and highly intelligent, and it employs a variety of tactics to get where it wants to be. Because of this, you can’t install a run-of-the-mill antivirus solution and expect everything to be okay.
Instead, it goes a bit further than that …
- You need a layered security solution — one that protects your inbox, browser, servers, and everything in between.
- You need the right proactive support. Part of ransomware’s success is that it’s relatively new. A managed security provider can keep your security layered and modern.
- You need to keep everything up-to-date at all times. The more components that are missing patches or updates — like your browser, applications, or plugins — the more of an opportunity there is for vulnerabilities to exist. And ransomware will happily use those vulnerabilities to get into your network.
- You need to train your employees on cybersecurity best practices. If they don’t know what to look for and what to avoid, then you’ll never be able to avoid ransomware. It’ll only be a matter of time before someone clicks or downloads the wrong thing.
Drive-by Downloads
At this point, you’ve probably noticed that many of the cyber threats on this list piggyback off of each other. In other words, one uses the other to get somewhere, or two go into the ring at the same time to do some major damage. Drive-by downloads are definitely guilty of this.
These bad boys hide out in websites, wait for users to click on by, and then execute some type of code-driven attack. Now, keep in mind, these websites don’t have to look malicious to be malicious — it can be any website. As Heimdal Security puts it … it’s not like “website owners want to imperil their visitors.” It’s “because software is not flawless and websites get hijacked.”
And you’re infected, and you’re infected, and you’re infected …
Again, take any example of ransomware or malvertising and you could probably attach some form of a drive-by download to it — consider what happened to WordPress last year.
Hundreds of WordPress websites started spreading malware after cybercriminals threw some malicious JavaScript code their way. Once those websites were infected, they then started infecting end users with a drive-by download (basically using a form of “crimeware-as-a-service”).
Stuck on repeat.
If you’re starting to feel as if some of the information is stuck on repeat, that’s because it is. Again, you have to remember that these threats all work together. So when it comes to drive-by downloads, you’re not about to hear anything new.
But hey, let’s go ahead and cover it again anyways.
- Stop relying on that free version of antivirus you downloaded off the internet. Drive-by downloads (and everything that works with them) rely on a handful of malicious techniques to take advantage of you. In other words, you need multiple layers of protection.
- Keep everything up-to-date and don’t allow a vulnerability to exist if it doesn’t have to exist. Never postpone an update and routinely check for any outstanding updates.
- While malicious code can exist on pretty much any site, it’s best to contain your sensitive browsing activity to protected sites (look for the lock).
These 6 cyber threats barely scratch the surface of the malicious online realm. In fact, there are a handful of other threats that are just as common and just as dangerous. There’s spear phishing, fake Wi-Fi hotspots, brute-force attacks, and a good ol’ denial of service. And then let’s not forget employees — that’s one threat you don’t want to overlook.
So if you’re looking for more cyber security tips and tricks, take a look around our blog. There’s plenty more content where this came from.