Originally Posted On: bizjournals.com

Hack attacks are evolving all the time, but 2019 will be a breakout year for a number of new and emerging attacks.

While many businesses today still struggle with run-of-the-mill threats like phishing and un-patched software, they need to brace themselves for a wave of sophisticated hacks which will rely on new techniques to steal money and information and damage reputations.

Some of these threats, like “credential stuffing,” are already under way, as was witnessed in the recent attack on Dunkin’ Donuts’ DD Perks rewards program. Others, like “soundloggers,” are still in the early stages but will become more widespread in the coming months and years.

Here are six new cyber threats businesses need to watch out for.

1) Digital card skimmers

Also known as “formgrabbing” or “formjacking,” this is a scripting attack that targets online transactions. The digital card skimmer steals the customer’s payment and personal information right out of the online shopping cart (or checkout form) before the order has even been submitted.

Small-business and retailer websites may be compromised directly or through a third-party service or plug-in, as was the case with Shopper Approved, a widely used rating service.
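One defensive check a site owner can apply against the third-party route described above is to pin each external script to a hash with Subresource Integrity, so that a script altered at the vendor is refused by the browser instead of executed on the checkout page. The following is an added example, not code from the article or from any vendor named in it; the script contents, the URL and the function names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample: the bytes of a third-party widget script as the site
# owner reviewed and approved it. The content is an assumption for this example.
PINNED_SCRIPT = b"window.ratingsWidget = function () { /* renders reviews */ };\n"


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity value ("sha384-<base64 digest>") for content."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Check fetched bytes against a pinned integrity value, as a browser does
    before running a <script integrity="..."> tag. Any single-byte change fails."""
    algo, _, expected = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False  # SRI only accepts these digest algorithms
    actual = base64.b64encode(hashlib.new(algo, content).digest()).decode("ascii")
    return hmac.compare_digest(actual, expected)


def script_tag(src: str, integrity: str) -> str:
    """Build the <script> element that pins the third-party file to its hash.
    crossorigin="anonymous" is required for SRI checks on cross-origin scripts."""
    return (f'<script src="{src}" integrity="{integrity}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    pinned = sri_hash(PINNED_SCRIPT)
    # Hypothetical vendor URL, used only to show the resulting tag.
    print(script_tag("https://widgets.example.invalid/ratings.js", pinned))
    # Simulate the hosted file changing after the page was deployed.
    changed = PINNED_SCRIPT + b"/* any edit the site owner did not approve */\n"
    print("approved copy passes:", verify_sri(PINNED_SCRIPT, pinned))
    print("changed copy passes: ", verify_sri(changed, pinned))
```

The trade-off is operational: a pinned script stops loading the moment the vendor ships an update, so each vendor release becomes a deliberate review-and-repin step rather than a silent change to what runs on the checkout page, which is exactly the property wanted here.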

These attacks are highly profitable and will increase significantly next year.

2) Brand extortion

Cyber extortion has been gaining ground for years, first with DDoS (distributed denial-of-service) attacks, then with ransomware, and more recently with elaborate sextortion scams. But the newest version of extortion-based attacks uses fake online accounts, from Yelp to Twitter, to threaten the reputation of a company or brand.

Imagine hundreds of negative online reviews, tweets and Facebook posts rolling out continually for days, weeks or months, and all of them aimed at your company. Hackers are able to mass-produce this type of “review bombing,” or negative campaign, with the use of bots and other automated tools. This is what recently happened to CheapAir, when a group called STD Company threatened to destroy its reputation unless they were paid off.

Businesses’ online reputations are vulnerable to these attacks, and more companies will find themselves targeted next year.

3) Credential stuffing

The past seven years have seen an unprecedented wave of large-scale corporate data breaches, from the 2013 Target hack to the recent Marriott disaster. These breaches have filled the dark web with an enormous cache of stolen usernames and passwords — and it is setting the stage for a new kind of password attack known as “credential stuffing.”

Instead of trying to “crack,” or guess, the password through brute-forcing, credential stuffing uses a database of real usernames and passwords (taken from prior data breaches), which are then tested en masse against many other websites and online services until a match is found.

Since most people reuse their logins and passwords across multiple accounts, including their work email, these attacks are extremely risky for businesses. Credential stuffing was recently used on Dunkin’ Donuts and HSBC, and it will become even more prevalent next year.
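Because stuffing replays a list of leaked username/password pairs, its footprint in a login log differs from a user mistyping their own password: one source tries many distinct accounts in a short time and succeeds only rarely. The detection below is an added example written for this article, not code from the author or from any product; the log line format, the sample entries and the thresholds are all assumptions constructed for the illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login-audit sample (the line format is an assumption for this
# example): "<ISO timestamp> <source IP> <username> <OK|FAIL>".
SAMPLE_LOG = """\
2019-01-05T10:00:01 203.0.113.7 alice FAIL
2019-01-05T10:00:02 203.0.113.7 bob FAIL
2019-01-05T10:00:03 203.0.113.7 carol FAIL
2019-01-05T10:00:04 203.0.113.7 dave OK
2019-01-05T10:00:05 203.0.113.7 erin FAIL
2019-01-05T10:00:06 203.0.113.7 frank FAIL
2019-01-05T10:01:10 198.51.100.5 alice FAIL
2019-01-05T10:01:25 198.51.100.5 alice FAIL
2019-01-05T10:01:40 198.51.100.5 alice OK
2019-01-05T10:02:00 192.0.2.9 grace OK
2019-01-05T10:02:30 192.0.2.9 heidi OK
2019-01-05T10:03:00 192.0.2.9 ivan OK
"""


def parse_line(line: str):
    """Parse one audit line into (timestamp, source_ip, username, success)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), str(ipaddress.ip_address(ip)), user, result == "OK"


def find_stuffing_sources(log_text: str, window: timedelta = timedelta(minutes=5),
                          min_distinct_users: int = 5, max_success_ratio: float = 0.2):
    """Flag source IPs whose attempts inside any `window` cover many distinct
    usernames with a low success ratio: a leaked list being replayed, as opposed
    to one person retrying their own password (one user) or an office NAT
    address where several people log in and succeed (high success ratio)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in events.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            users = {user for _, user, _ in in_window}
            successes = sum(1 for _, _, ok in in_window if ok)
            ratio = successes / len(in_window)
            if len(users) >= min_distinct_users and ratio <= max_success_ratio:
                flagged[ip] = {"attempts": len(in_window),
                               "distinct_users": len(users),
                               "successes": successes}
                break  # one qualifying window per source is enough to alert
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"possible credential stuffing from {ip}: {stats}")
```

The single success inside the flagged window is the part that matters to a defender: it is the account whose reused password just worked, so it should be the one forced through a password reset and second-factor challenge, which is also why the article's advice on two-factor authentication blunts this attack class.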

4) Sophisticated mobile attacks

Smartphones are increasingly vital for hackers to gain access to as more people switch to mobile banking and mobile-based two-factor authentication and as mobile phones evolve into the remote controls of our daily connected lives.

SMS phishing attacks will grow more intense next year (like the new “cardless ATM” scam) since these are an easy way to steal credentials via phone. Hackers will combine other tricks, like combosquatting and typosquatting, to make it harder for users to spot malicious links sent via text. But other attacks, like fake apps, will continue to pick up as well, and of particular concern here is the “overlay attack,” which can be highly effective at stealing mobile banking credentials.

5) Sound-based attacks

The rise of virtual assistants and voice biometrics is creating new opportunities for hackers.

As the voice is increasingly used to authenticate financial accounts and other services, in addition to controlling devices like mobile phones and smart speakers, hackers will be more aggressive at trying to use sound-focused attacks to hit their targets.

These attacks will range from voiceprint identity theft to subliminal malware that commandeers virtual assistants and “soundloggers” which can figure out a password by the sounds a person makes when typing it on the keyboard.

6) Smart malware

It’s hard enough for the average small business to prevent an attack from off-the-shelf malware like Zeus and DarkComet, but just wait until malware starts to think for itself.

New technologies like machine learning and artificial intelligence are dramatically enhancing the range and destructive power of future malware attacks. Don’t expect to see Terminator-style killer viruses, but instead viruses that are able to mutate themselves to adapt to different environments, hunt down specific employees in a network and avoid detection by hiding in legitimate computer programs or tweaking their “signatures.”

Open source AI models already exist which hackers can use to do this. Attackers also have access to “malware-as-a-service” and malware “kit” offerings online which can aid in these attacks. To demonstrate just how real this risk is, IBM recently unveiled an AI-malware prototype called DeepLocker, which is based on these publicly available tools.

Security advice

Since attackers will become more advanced in the coming year, it is critical for SMBs to focus just as much on post-breach damage control as they do on prevention.

To limit the damage of an eventual breach, SMBs need to practice employee “access control” religiously, segment the network, back up crucial data and have an emergency contact sheet ready so they know exactly who to call when the worst happens. For businesses with a lot of financial or customer data exposure, a cyber insurance policy is also a must.

Prevention should include robust anti-malware and firewalls, a strong password policy, two-factor authentication, “whitelisting” emails for key executives like the CFO and passing the buck for customer passwords and payment information to more secure third-party services.

Jason Glassberg is co-founder of Casaba Security (www.casaba.com), a cybersecurity and ethical hacking firm that advises businesses ranging from startups to Fortune 100s. He is a former cybersecurity executive for Ernst & Young and Lehman Brothers.