Predicting 2018's Bah Humbug

Christmas infosec predictions, the hopelessly generic forecasts, the bland Christmas-themed attacks and outdated predictions recycled from three Christmases ago.


Christmas cyber security predictions typically fit into three kinds of boring and predictable. First, you have the hopelessly generic forecasts — the buzzwords everyone hears bandied around, all of the time. The threats that might not have anything to do with Christmas, but why not include them anyway — just because. Second, you have the bland Christmas-themed attacks we see every year.

There is of course value in mentioning the usual suspects, yet it doesn't bring much added value or insight to anyone apart from infosec novices. Third, there are the outdated predictions — threats recycled from two or three Christmases ago, and that we haven’t really seen since. Yet, maybe, just maybe (and perhaps because it’s Christmas), it could happen again.  

Jest aside, while looking at previous holiday periods certainly makes sense, the cyber threat landscape moves fast. This means the Christmas shenanigans that took place in 2016 only provide limited insight into what we might see coming up.

I want to take a different approach. Rather than looking back at previous Christmases, it is also useful to explore some of the key trends over the last six months, and extrapolate from there.

Magecart on the rise

Magecart operations have grown steadily over the last six months. This has involved highly targeted bank card skimming attacks, with malicious JavaScript code injected into the payment pages embedded on e-commerce sites — a technique known as formjacking. As customers arrive at checkout pages and enter their details, Magecart is there waiting for easy pickings.

Various high-profile organizations have already been affected, including British Airways, Ticketmaster and Newegg (amongst others). Formjacking is not necessarily anything new. However, it is rising in prominence and proving a highly effective tactic for cyber criminals looking to pinch the card details of customers from high-profile organisations (and all without necessarily having to gain access to a target’s internal network).
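Because formjacking works by changing which scripts run on the payment page, a defender can inventory those scripts and compare them with a reviewed baseline. The sketch below is an added example, not code from the original article; the hostnames, the function name `audit_payment_page` and the issue labels are assumptions made for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample checkout page; all hosts are placeholders.
SAMPLE_HTML = """<form id="pay"><input name="card"></form>
<script src="/static/checkout.js"></script>
<script src="https://cdn.payments.example/widget.js"></script>
<script src="https://stats-collector.example/t.js"></script>
<script>document.getElementById("pay").dataset.ready = "1";</script>"""

class ScriptInventory(HTMLParser):
    """Collect external (src, integrity) pairs and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.external.append((a["src"], a.get("integrity")))
        elif tag == "script":
            self._buf = []  # inline script: start capturing its body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def audit_payment_page(html, page_url, allowed_hosts, reviewed_inline):
    """Return (issue, detail) findings for scripts outside the reviewed baseline."""
    inv = ScriptInventory()
    inv.feed(html)
    findings, page_host = [], urlparse(page_url).hostname
    for src, integrity in inv.external:
        host = urlparse(urljoin(page_url, src)).hostname
        if host not in allowed_hosts:
            findings.append(("unexpected-host", host))
        elif host != page_host and not integrity:
            findings.append(("third-party-without-sri", host))
    for body in inv.inline:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in reviewed_inline:
            findings.append(("unreviewed-inline-script", digest))
    return findings
```

Run against a fetched copy of the live checkout page on a schedule, a new finding means the page's script inventory has drifted from what was last reviewed.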

We would therefore expect formjacking to continue rising in the next three months, regardless of the holiday period. Yet, being the greedy and salivating predators they are, Magecart operators will surely be unable to resist crashing the festive party. So many of us now favour shopping online — whether due to convenience, an aversion to crowds in cold weather, or perhaps to avoid awkward encounters with overly friendly shop assistants who ask ‘Hi! How are you today?’ in a friendly yet ultimately insincere and synthetic tone.

The popularity of e-commerce during the holiday period means Christmas will likely act, not as an instigator of formjacking, but as an accelerator of this pre-existing trend — enabling criminals to hit their Q4 targets and nab that sweet, sweet end-of-year bonus.

What’s more, it has recently been reported that at least seven different groups make up the Magecart threat. That means it is not just one, but seven groups desperately raiding e-commerce sites and trying to crush Q4 before those dreaded end-of-year performance reviews.

Ransomware, so hot right now

DDOS extortion attacks have previously been touted as a Christmas prediction. The thinking is that criminals could exploit the extra pressure that many industries experience during the holiday period, with victims more likely to pay to keep their services and online presence up and running.

Yet, this prediction has previously failed to seriously materialise over Christmas. We have also not seen many reports of DDOS extortion during 2018 — another reason to be sceptical that they will spoil the Christmas party. While the lack of known activity is almost certainly explained by a reporting bias (with organizations reluctant to disclose when these attacks take place), it is also possibly affected by criminals transitioning towards ransomware.  

Ransomware offers several advantages over DDOS attacks. It is more scalable (without having to sustain a botnet) and the implications are likely more permanent (subject to decryptors not becoming available). All of this makes victims more likely to pay up. Hospitals have long been targeted due to the high-stakes game that is the operating theatre.

Likewise, smaller organizations are increasingly featuring in the crosshairs (most likely due to a perception that they are more exposed when compared to larger organizations). This is particularly visible in North America, where a variety of local and statewide government institutions have been targeted.

It is certainly possible that ransomware attacks will capitalise on Christmas. Crippling the systems of organizations in sectors under particular pressure during the holiday period (think retail, delivery and transport) increases the chances that ransoms will be paid. However, while these sectors have previously been targeted by ransomware attacks, the link is not as clear-cut as it might be for, say, formjacking and e-commerce.

Many ransomware campaigns have an established modus operandi that might not be focused on sectors that experience added Christmas pressure — the question therefore becomes whether threat actors will modify their approach to cash in on that holiday spirit. If Magecart is the greedy employee hastily chasing a fat Christmas paycheck, then ransomware is the dependable everyman who might step it up and change their approach, but could conceivably just carry on with what has worked so well for the last 11 months.

All I want for Christmas is an intelligence-led approach to predictions

There is a real possibility that ransomware will be part of 2018’s Christmas story; it’s a threat that should be taken seriously. Equally, the intelligence is simply not there to make a truly confident assessment. Herein lies a fundamental flaw with Christmas cyber security predictions — many of which simply vomit up potentially relevant information, without seriously assessing likelihoods, attaching confidence levels to the assessments being made, or providing the reasoning behind conclusions.

Christmas predictions too often become bland marketing material, regurgitated each year in a new dreary iteration. Beneath this veneer, however, is an opportunity to think more deeply: to examine threats from previous Christmases alongside assessments that consider whether these attacks are still viable and realistic; to explore developments in the threat landscape over the last year accompanied by careful consideration of how this applies to the holidays (or not).

Christmas predictions overpromise on the threats while underdelivering on actionable takeaways. If Christmas is the crunch time for security teams, let's give them the threat intelligence they deserve.

The awesome image used to head this article is called Magic Crystal Ball and was created by Khrystyna.