Today we released our annual threat roundup where we look back at the year as a whole to understand the broad trends we’ve seen.
2013 has been a big year. But unlike other years there’s no single big event that marks it. Unlike past years where a single event or trend stood out, in 2013 we saw significant developments in four key areas:
|
|
Taken altogether, these represent significant escalations and worsening of the threat environment. And they portend a 2014 that will be even bigger and more dangerous.
Online Banking Malware
2013 ends with online banking malware volume at double what it was at the end of 2012. In 2012 we saw 500,000 detections worldwide; at the end of 2013 we saw more than one million detections worldwide. The United States and Brazil alone accounted for fully 50 percent of worldwide detections (US: 28%, Brazil 22%). This growth is consistent with what we reported at the end of Q3 2013. Even while consistent, that number is still shocking. When coupled with the ongoing disclosures around retail data breaches in the United States these numbers may help advance the adoption of greater security measures for credit cards and debit cards in the United States, bringing them more in-line with standards in place in the rest of the world.
Ransomware
Ransomware isn’t new: it’s been around for years. But each year, criminals find ways to bring new innovations to bear to make ransomware even more effective. In 2013 the makers of Crytolocker added two new features that increased its effectiveness dramatically. First, they use sophisticated encryption techniques to make a victim’s data effectively unrecoverable without the key the attacker’s control. And they make the recovery key self-destruct after a set period of time. Together, these two things put users in a dire predicament: make a snap decision to pay the money or lose their data forever. With this latest degree of effectiveness, we have to shudder what innovations 2014 will bring to ransonware.
Malicious and High Risk Apps on Android
In his 2013 predictions, our CTO Raimund Genes predicted Android would pass one million malicious and high risk apps in 2013. That prediction was realized by September 2013. In fact, there were one million new pieces of malicious and high risk Android apps introduce in 2013 alone. That brought the total number of malicious and high risk apps at the end of 2013 to 1.4 million. Looking forward to 2014, the only thing one should expect is for this to continue to increase, likely even faster. And, with Google talking with car makers about bringing Android to in-car systems like they announced at CES, it raises the stakes on the question of security for in-car systems in the Internet of Everything (IoE) era. What does it mean to introduce a platform with more than 1 million pieces of malware and high risk apps to cars? We’re going to find out soon.
Attacks against unpatched vulnerabilities in software out of support
Oracle ended support for Java 6 in spring 2013 even though nearly half of all computers were still running it at the time. After the end of support, 31 vulnerabilities have been found in Java 6 and attackers have been aggressively targeted these Java 6 vulnerabilities. And the overall threat environment around Java worsened in 2013. We can expect attacks against Java 6 to continue in 2014. But most notably for 2014 is the coming end of support for Windows XP. What we see with Java is a foreshadowing of what may be in store when Microsoft ends support for Windows XP in April 2014. Currently nearly 30 percent of all computers still run Windows XP and a significant number of those are expected to be up and running on the Internet after that deadline. We can’t know for sure what’s going to happen, but attacks against Java 6 give us a view that’s not pretty.
All in all the trends of 2013 tell us that 2014 will be another big year, and that’s not factoring in all the new threats that the Internet of Everything (IoE) will be introducing. 2014 will be a year where watchfulness, best practices and multiple layers of security will pay dividends to those who practice them.