MARCH 2021 | 2021 & The Threats

time. But the web is increasingly becoming dense due to the overlay of numerous connected devices, apps and web services used in our personal and professional lives. This is growing the connected home's attack surface to the point that it raises significant new risks for individuals and their employers.

With connected home and office devices connecting to each other more than ever before, this compounds the chances of moving from hacking the home to hacking the office.

The number of malicious phishing links McAfee blocked grew over 21 percent from March to November, at an average of over 400 links per home. This increase is significant and suggests a flood of phishing messages with malicious links entered home networks through devices with weaker security measures.

Millions of individual employees have become responsible for their employer's IT security in a home office filled with 'soft' targets: unprotected devices from the kitchen to the family room to the bedroom. Many of these home devices are 'orphaned' in that their manufacturers fail to properly support them with security updates addressing new threats or vulnerabilities. By compromising the home environment, these malicious actors will launch a variety of attacks on corporate as well as consumer devices in 2021.

· Weaponized AI Attacks on Cloud Platforms and Users

Attacks on cloud platforms and cloud users will weaponize AI and evolve into a highly polarized state where they are either mechanized and widespread or sophisticated and precisely handcrafted.

The COVID-19 pandemic has also hastened the pace of the corporate IT transition to the cloud, accelerating the potential for new corporate cloud-related attack schemes. The increasing proportion of unmanaged devices accessing the enterprise cloud has effectively made home networks an extension of the enterprise infrastructure.
We expect that widespread attacks will start weaponizing AI for better efficacy against thousands of heterogeneous home networks.

As many as 65 percent of users reuse the same password for multiple or all accounts, according to a 2019 security survey conducted by Google. AI will be leveraged to exploit this practice at scale. Where an attacker would traditionally need to manually encode first and last name combinations to find valid usernames, a learning algorithm could be used to predict O365 username patterns.

Additionally, instead of launching a classic brute force attack from compromised IPs until the IPs are blocked, resource optimization algorithms will be used to make sure the compromised IPs launch attacks against multiple services and sectors, to maximize the lifespan of compromised IPs used for the attacks. Distributed algorithms and reinforcement learning will be leveraged to identify attack plans primarily focused on avoiding account lockouts.

While the volume of sensitive data in motion increases and enterprise cloud postures mature, we also predict that attackers will be forced to handcraft highly targeted exploits for specific enterprises, users and applications. We believe attackers will start leveraging threat surfaces across devices, networks and the cloud in these ways in the months and years ahead.

· New Mobile Payment Scams

As users become more and more reliant on mobile payments, cybercriminals will increasingly seek to exploit and defraud users with scam phishing or smishing messages containing malicious payment URLs.

Mobile payments have become more and more popular as a convenient mechanism to conduct transactions.
Additionally, the COVID-19 pandemic has driven the adoption of mobile payment methods higher as consumers have sought to avoid contact-based payments such as cash or physical credit cards.

McAfee predicts there will be an increase in receive-based mobile payment exploits, since they provide a quick mechanism for fraudsters that combines phishing or smishing messages with payment URLs.

This could take shape in schemes where fraudsters set up a fake call center using a product return and servicing scam. The actors send a link via email or SMS, offering a refund via a mobile payment app, but the user is unaware that they are agreeing to pay rather than receiving a refund. In the same way that mobile apps have simplified the ability to conduct transactions, McAfee predicts the technology is making it easier to take advantage of the convenience for fraudulent purposes.