
The Year in Cybersecurity: 5 Threats to Watch in 2015

People in the audience are illuminated by the screens of their laptop computers. David McNew / Getty Images file

Scary cybersecurity news dominated the headlines constantly this year, with breaches, bugs and attacks involving Home Depot, Heartbleed, iCloud, Sony and others.

Unfortunately, security experts say the attacks will only continue in 2015. But they're hoping there's a silver lining to this brutal year: the start of a long-overdue conversation about the potential attacks that threaten everyone online.

"If you asked a person on the street what the top three or four biggest cybersecurity issues were this year, they'd name the same things people in the [security] industry who eat, sleep and breathe this stuff would say," said Hugh Thompson, chief security strategist for IT security firm Blue Coat. "I can tell you it's never been that way before."

Unfortunately, that awareness has come only after many of those average Joes were hit with stolen credit cards or leaked personal information.

"Security has gone from the backburner to something more tangible and real for the average person," said Gary Davis, the chief consumer security evangelist at McAfee. "For people in my profession, my view is: We kind of got your attention last year. Now this year needs to be about guidelines to be as safe as possible."

Here are five types of attacks that cybersecurity experts say will be cracking computers in 2015.

Malicious messages that really look like the real thing

Cybercriminals frequently obtain personal information or deliver malicious software by tricking victims with messages that appear to be legitimate. Click the link or download the attachment, and you've unwittingly infected your computer. Those malicious emails were once crudely done: broken images, poor grammar or other tip-offs that the message wasn't really coming from the bank or from Mom.

But cybercriminals now have increasingly advanced "toolkits" at their disposal that help them build very realistic-looking messages and malware, said Marc Rogers, principal security researcher at web performance and security firm CloudFlare.

"They can point a tool at any site, say a bank, and it scrapes the real bank website's logo, language, everything," Rogers said. "We used to tell people to keep an eye out for things that look wrong, but these can trick even discerning customers. It's all becoming a lot more professional."

It's an advanced spin on an old attack, and Rogers worries consumers will wrongfully assume they'll be able to spot any malicious email. In fact, he tells people "not to click on links from any email, period." If that's too extreme for you, be sure to mouse over hyperlinks and make sure they're taking you to the website they claim to be. If it looks even remotely strange or wrong, don't click the link. Exercise extreme caution with any attachments, too.

Ransomware moves into the cloud and onto your phone

Ransomware is a nasty type of malicious software that infects a victim's computer, locks up documents and demands payment in exchange for regaining access. Federal officials delivered a serious blow to Cryptolocker, the most infamous example of ransomware, earlier this year when they arrested several people allegedly involved in the scam.

While that crackdown was an important step, experts say ransomware is still spreading -- and it's moving to new targets. McAfee Labs, which is owned by Intel, has tracked an increasing number of ransomware attacks on mobile devices. Perhaps scarier: Experts typically recommend that consumers back up their data to avoid the sting of losing access to their files, but McAfee expects some new ransomware strains will try to target stored login information for cloud backup services and lock up those files too.

Consider backing up documents to an external hard drive. Like other types of malware, ransomware is often unwittingly downloaded when users open email attachments or click on links. But if you do fall victim to a ransomware attack, avoid the temptation to pay up. There's no guarantee the crooks will actually free the files, and funding criminal activity only fuels it.

Point-of-sale attacks

The Target breach discovered one year ago affected more than 40 million consumer accounts. Industry professionals are hoping American card issuers' October 2015 switch to chip-and-pin (also known as EMV) cards -- which add a microchip to the credit card for an additional layer of security -- will help stop these sorts of breaches.

But "stopping fraud, especially for credit cards, is like squeezing Jell-O: You stop it in one place and it squirts out in another," said Stephen Coggeshall, chief analytics and science officer at identity theft firm LifeLock.

McAfee expects the "point of sale" type of attack that felled Target -- malware that infected its payment terminals -- will continue through 2015 as many terminals need to be upgraded to accept the new chip-and-pin cards. But the firm also warns these attacks will "increase and evolve" to target mobile payment systems like Apple Pay.

It's tough to inoculate yourself from these attacks -- unless you swear off credit and debit cards altogether. Be sure to monitor statements closely and flag any charges that look odd.

Targeting the 'one percent'

While cybercriminals may target a specific company or a government entity, they don't generally spend time targeting an individual because the potential financial payoff isn't worth their time. But wealthy consumers are the exception, said Coggeshall of LifeLock.

"I would expect cybercriminals to take a more active eye toward the wealthy, the 1 percenters," Coggeshall said. "If criminals think they can get some serious money from a victim, they can afford to spend more time on an individualized attack."

Even if you're part of the "99 percent," Coggeshall warns consumers should avoid giving out information like birthdays, employers and other biographical details on Facebook and other sites. Criminals can be crafty about leveraging this information.

Espionageware and cyberwar

The Sony hack -- and the FBI's conclusion that North Korea is responsible -- renewed security professionals' discussions of an ongoing cyberwar between countries and other opposing entities. Experts say we can expect more skirmishes to play out online rather than on the battlefield.

"Experts have been calling it a 'cyber Cold War' for some time, and that's only ramping up quickly," said Chris Petersen, CTO and co-founder of security intelligence company LogRhythm. "Nation-states both weak and strong see cyberattacks as a weapon to counter the global influence of the U.S."

Petersen also expects an increase in governments' use of malicious software to spy on certain individuals' activity. Last month Amnesty International released an anti-spyware tool that scans devices for government surveillance software.

Overall, the experts think the number of cyberattacks will increase during 2015 and beyond. It's scary stuff, but they hope the public conversation and awareness will increase as well.

"It doesn't happen overnight, but making changes requires starting the conversation," Petersen said. "Unfortunately, I do think truly moving forward will take a few years."

In the meantime, Coggeshall, the LifeLock executive, reiterated a handful of best practices "that will really protect the average person from the majority of attacks levied against them": Keep antivirus software updated, use strong passwords, never put sensitive personal information online or in emails, exercise extreme caution when clicking links or downloading attachments and don't sign into accounts when using public Wi-Fi networks.

"We still have to tell people this stuff, which I think shows that in the next years we'll still be in this general discussion phase," said Thompson of Blue Coat. "There will be more breaches. But there will also be more and more discussion over dinner tables, and that's where awareness begins."