The evolution of online attacks seems to mirror the progression advertising has taken. In the beginning, hacking was done for fun and hackers were driven by a spirit of adventure. However, some hackers soon realized the potential for personal financial gain from their hacking. Thus, the birth of trojan horses, keyloggers and malware distributed via spam messages. Much like television commercials of old, these attacks were broadly distributed; the strategy being to hit as many people as possible in the hopes a small percentage would download the malware. In general, this shotgun-type strategy was successful as unsuspecting victims would click on malicious links and have their account information, passwords or identity sent to a hacker's developing database. Black-hat hackers could focus on quickly creating simple, and oftentimes, low quality malware and, due to the sheer distribution volume, this method was profitable.
Just as we are seeing an increase in personalized targeted advertising, we are now seeing the rise of targeted attacks. In the past, this method of hacking was considered unprofitable as it took too long to create a targeted attack, thus reducing the profit margin. With the lowering cost of producing high quality malware, large customer database breaches, coupled with the surge in hacktivism, means we will begin seeing more targeted attacks in the future.
While the goals of criminal gangs and hacktivists may differ (profit vs. issues awareness), they are using similar tactics – malicious code designed for a specific targeted attack. The reason for the coming rise in targeted attacks is two-fold:
Why is it now profitable to target specific account when it once was not considered a lucrative strategy? One reason may be the success security professionals have had with educating employees and technology users regarding online threats. It isn't that the creation of high-quality malware has become easier, it is that getting users to fall for their scams has become more difficult, making broad-based attacks less profitable. As a result, hackers are finding it more profitable to target a specific company or organization with an attack designed to steal data. These attacks are harder to defend against as they often involve rather sophisticated social engineering approaches and often are harder for common email spam scanners or content filters to detect. They depend on SQL injections and the infection of web applications or common social media sites, such as Facebook, rather than spam or malicious websites.
On the other side of the spectrum are hacktivists who are targeting a specific organization, not for profit but for social awareness. These socially minded hackers know that a high-profile security breach can damage the reputation of what they deem a socially irresponsible organization or bring down the network of a company the hacktivist believes is responsible for some injustice. It is the technological equivalent of protesting outside of the organization's office – and even more effective as it can quickly generate a global media buzz online when successful.
The number of targeted attacks will only increase in 2012 as users become more aware of broad-based threats, hacktivists become more active, and black-hat hackers create more sophisticated malware. For the general consumer and business, watching for these new approaches and taking control of your security policy enforcement should be a focus for your New Year's resolutions.