Cybercrime is on the rise and the criminals are finding new ways to attack us.
The 2015 Internet Security Threat Report from Symantec (makers of Norton security software) released on Tuesday characterizes 2014 as a year with "far-reaching vulnerabilities, faster attacks, files held for ransom and far more malicious code than in previous years."
- More than 317 million new pieces of malware were created last year, nearly a million a day
- Ransomware attacks grew 113 percent
- Crypto-ransom attacks, where the victim’s files are encrypted and held hostage without warning, skyrocketed 4,000 percent to become a serious threat
- 70 percent of social media attacks rely on the initial victim to spread the threat to others
"The criminals are getting better," said Kevin Haley, director of security response at Symantec. "Success breeds success and other criminals want to get into the game, so we need to step up our game in terms of protecting our information and keeping it safe."
Data breaches continued to be a significant issue with a 23 percent increase reported last year. And remember, 2013 was a huge year for breaches.
Many of these breaches result from targeted attacks. While large companies are still a prime target, 60 percent of all targeted attacks struck small and medium-sized companies last year.
These smaller firms have less money to spend on security and Symantec found that many still haven’t adopted basic "best practices" such as blocking executable files and screensaver email attachments. This puts both the targeted firms and their business partners at higher risk.
Spear-phishing continues to be a highly-successful way to infiltrate corporate computers. These targeted emails are designed to look like they came from someone inside the company or from a trusted business associate.
It seems the hackers are getting better at crafting this key malicious email. They sent fewer messages (down 14 percent) to fewer targets (down 20 percent) and yet breaches resulting from these spear-phishing attacks grew 8 percent last year.
Five out of six large companies in the U.S. (with 2,500 or more employees) were targeted with spear-phishing attacks in 2014, a 40 percent jump. These attacks also increased dramatically at small and medium-sized companies.
And there’s a new threat: what Symantec calls "trojanized" software updates. With these attacks, the hackers hide their malicious code inside software updates for programs commonly used by the company they've targeted. When the victims download and install the software update, they infect themselves.
Attackers are moving faster
One way to measure this war between hackers and their targets is through so-called "zero-day vulnerabilities." These are software security flaws not yet detected by the manufacturer, users or cybersecurity firms.
When hackers discover a zero-day vulnerability, they race to exploit it before there's a patch. But the reaction time from software vendors to roll out that patch is not keeping pace with the attacks themselves.
Last year, it took 204 days, 22 days and 53 days to create patches for the three most-exploited zero-day vulnerabilities.
"That's way too long," Symantec's Kevin Haley told NBC News. "Hopefully this is just an aberration and we take the lessons from last year and apply them to this year and see those numbers go down."
Another chilling finding: The attackers have various ways to hide inside corporate networks without being discovered. They know how to trick anti-malware tools and disguise their true intentions if discovered.
Symantec reports that while investigating a known breach, its incident response teams often find additional breaches that have gone undetected, and are still in progress.
Attacks are moving to new platforms
Cybercriminals still favor email for the bulk of their dirty work, but the shift is on to social media because it's so effective. Most people are more willing to click something posted by a friend, so this is a very easy way to quickly launch an attack.
"We do the work for them," Haley said. "They only have to infect one of us and it quickly cascades to our friends and their friends, and so on."
Malware is already part of the mobile landscape and it is likely to grow, since many people still believe cyber threats are limited to PCs and ignore basic security precautions on their smartphones.
Symantec found that 17 percent of all Android apps available last year — that's nearly a million different mobile apps — were actually malware in disguise. The first piece of mobile crypto-ransomware was discovered on the Android operating system in 2014.
There are a variety of free security apps for Android phones. Many come with anti-virus protection.
Looking ahead, we can expect criminals to exploit the Internet of Things. The use of smartphones to control all sorts of network-connected devices, from door locks to hot water heaters, will provide hackers with more access points for their attacks.
The report warns that "the potential for cyberattacks against cars and medical equipment should be a concern to all of us."