New reports from the Internet security teams at Symantec (SYMC, Tech30) and Verizon (VZ, Tech30)provide an alarming picture of how difficult it's becoming for computer users to stay safe online. Last year was a big one for high-profile cybercrime, from the Heartbleed bug to major corporate attacks, and Sony's embarrassing hack.
Symantec's analysis of security threats in 2014 revealed thieves are working faster than companies can defend themselves, and launching more malicious attacks than in previous years.
More than 317 million new pieces of malware -- computer viruses or other malicious software -- were created last year. That means nearly one million new threats were released each day. But hackers actually relied on incredibly old computer bugs that companies just haven't gotten around to fixing yet, according to Verizon's 2015 Data Breach Investigations Report. In nearly 90% of cases, hackers relied on computer bugs that have been around since 2002. The third most popular option for hackers is a glitch in the way an IT manager remotely manages corporate PCs -- one that's existed since 1999. Companies could and should be patching this stuff, but they don't.
"While it seems like a no brainer for fix some of these things, organizations care more about making widgets," said Verizon security data scientist Bob Rudis. "They just don't have the manpower or time."
Directed attacks and data breaches also grew, according to Symantec. Five out of six large companies were targeted by cybercriminals, a 40% rise on the previous year. The mining industry was the world's most targeted sector.
Samir Kapuria, a Symantec executive, recalled one case in which hackers snuck into an energy company's computer network and stole a draft report. The report detailed the secret discovery of a potentially lucrative energy drilling spot. Hackers were trying to sell the information on a black market website to stock traders, Kapuria said. But they were foiled when the energy Company (operating under a pseudonym) told prospective black market buyers that the information was false. Kapuria declined to mention the name of the company.
Cyberattacks also spread wickedly fast. When hackers release a wave of malware-laced spam emails, it only takes 82 seconds for someone to get duped and become the first victim, Verizon found. And when hackers successfully break into a particular type of company -- like a bank or movie studio -- they'll use the same method to attack another firm in that industry within 24 hours. But it's some of the newer scams that might make tech users particularly nervous. Here are a few examples:
- Digital exortion: Cyberthieves are increasingly blackmailing victims and ransomware attacks surged 113% last year. Hackers steal files or photos from a victim's computer and demand a ransom -- typically between $300 and $500 -- in exchange for a key to decrypt their files.
- Sophisticated attacks: Hackers are breaching networks with more targeted, selective attacks. Here's a common ploy: Hackers hide malware inside software updates and wait for user to install the update -- meaning companies are essentially infecting themselves.
- Social media: Scams on social platforms are also on the rise. Victims do the work of the cybercriminals by sharing videos or stories with their friends that include links to sketchy sites. Symantec said these lucrative swindles spread rapidly because people are more likely to click on something posted by a friend.
- "Likejacking" is another one: Using fake "like" buttons, hackers trick people into clicking on website buttons that install malware and may post updates on a user's news feed, spreading the attack.