
25 Alarming Cybersecurity Stats from 2020


These are some of the more concerning cybersecurity-related statistics of 2020.

Enjoy...

 

1. Approx. 300 billion passwords in the wild.

That is the number of passwords that have been exposed in 2020 across all the cyberattacks. There are many services out there that can tell you if accounts that you use have been associated with any attacks. Do not, ever, enter your password into any of these. They should be able to tell you if your account is associated with a breach by just entering your username, which in most cases would be your email address.

Here is one such service: https://haveibeenpwned.com/

2. 65% of companies have more than 1,000 stale user accounts.

Ok, so this is more of an enterprise metric, but consider this...

How many old email accounts do you have? If you are not using those accounts anymore, did you bother to cancel them? We tend to use the same username and password on different accounts. If you do this and one of the services that you use on the internet is attacked and your information is leaked, those credentials could be used to break into other online services and steal even more. If you have an old email address that you no longer use, cancel it. The same goes for any other digital service that you no longer use. Furthermore, demand that the service provider purge all information, including any account credentials on record. Most services do this automatically when you delete your account.

You should use a password manager to keep track of all your account credentials.





3. As of early July 2020, there were 15 billion credentials available on cybercriminal marketplaces.

When credentials are successfully harvested from cyberattacks, they are made available on the dark web. Some think that the dark web is this sophisticated and super-secret place no one knows about. It is not; dark web just means that the content is not indexed by search engines like Google, and therefore you cannot reach it by googling “dark web”. All you need is a special browser (Tor) which routes your connection through several servers on the internet for anonymity, much like a VPN would.

The dark web is mostly a place where people go to procure drugs, stolen credentials, and other illicit services. Consider this: there are about 7.5 billion people on the planet as of 2020, and we have had about 15 billion credentials stolen over time. Chances are, one of your credentials is there. When was the last time you changed your password?

 

4. The number of data records exposed in the first quarter of 2020 climbed sharply to 8.4 billion, that’s a 273% increase compared to the first quarter of 2019.

2020 was a very fruitful year for cybercriminals. Many companies were forced to send their labor force to work remotely to stay in business, without much time for cybersecurity planning.

We went from the security of a properly architected network designed to protect personal and business-related information, to a network that was just put together for connectivity. This is the case with most home networks, where little thought is put into security. We just want fast Wi-Fi.

 

5. Since 2019 we have had about 16 billion records that included credit card numbers, home addresses, phone numbers, and other sensitive information exposed through data breaches.

 

6. The average ransom payment is $111,605, up 33% from the last quarter of 2019.

 

7. Approximately 60 million Americans are victims of identity theft every year – costing them around $15 billion annually.

 

8. There will be a ransomware attack every 11 seconds by 2021. By that time, the global cost will be $20 billion yearly.

 

9. By 2023, cybercriminals will steal 33 billion records.

Hackers do not always get what they ask for; companies will often have a backup strategy in place to wipe and re-image the infected machines. Unfortunately, because of today's technological advances, it has become a lot easier for cybercriminals to automate attack probing and execution. This is bad news for the average home user. Think of it like this: if you were a bank robber and you had to go to the trouble of actually robbing the bank yourself, including the risk of getting caught and the punishment that comes with that, then you would make sure that the reward was worth the risk. This would rule out most home or even small business networks, as it would take a lot of planning and execution time to attack all of them individually, and of course, with each occurrence, the chance of being discovered grows. Therefore the robber goes after the big fish, one score that will set them up for life.

The same technological breakthroughs that we love are also being used by those with less than honorable intentions. Machine learning has allowed cybercriminals to automate a lot of the probing stages of attacks, making it easier to broaden the scope. Going back to the bank-robbing analogy, this time you are The Boss and you have a group of people that are tasked with bringing you money from robbed banks. You do not care where they go, since they would be the ones getting caught and not you. All that matters is that you get money. Because it is a lot easier to cover your tracks in the digital world, the risk of your robbers (which in this case would be automated computer code) ratting you out to the authorities is a lot lower.

What does that mean for the average user? It means that you are now fair game for cybercrime, more so than ever before. That along with the increase in people doing corporate activities from home makes things worse.

Small businesses should be particularly worried about cybercrime, especially in these times, as they often lack the liquidity to recover from the loss of consumer confidence that can result from cyber breaches.

 

10. Mobile device infection vectors have expanded and bypassed security protections, placing malicious apps in official app stores. One threat actor used an international corporation’s Mobile Device Management system to distribute malware to more than 75% of its managed mobile devices.

  

11. Increased reliance on public cloud storage due to the pandemic has led to an increase in attacks targeting sensitive cloud workloads and data. 

These last two are somewhat related. Mobile devices are portable, small, designed to fit in your pocket and therefore often lack the amount of space for storage that is offered on a regular PC. Additionally, content consumed on mobile devices is highly dynamic, meaning that the content providers are changing the content to keep you engaged all the time. For these reasons, a lot of the applications that we consume on our mobile devices are leveraging cloud resources to store content, user information, user preferences, etc. This is helpful for the content providers to tailor our experience to something we are likely to be interested in.

As a result, a ton of data about us ends up in a database somewhere beyond our oversight and control.

You should be using AV on your computer. Make sure you configure Windows Defender with OneDrive backups, or get a third-party AV, and make sure to keep the AV definitions updated.



         

Remote Work

 

12. Since the beginning of the year, more than 3k new domain names containing the word “Zoom” have been registered, many of them with an email server set up to run phishing attacks.

  

13. Attackers are changing Domain Name System (DNS) settings in routers, pointing users to what they believe to be legitimate websites with a pop-up message containing covid information. However, once a user clicks, a fake coronavirus-related app with malware may be downloaded.

 

14. To trim expenses, 40% of global organizations have cut their cybersecurity budgets during covid, although 56% of them plan to continue widespread remote work post-pandemic. 

Cybercriminals are smart, and often very creative. That is the worst kind of adversary. They are aware of what is happening, and also that not everyone is as technologically savvy as we have been asked to be since the start of 2020.

Some of the distancing measures that have been taken this past year due to covid will end eventually. Others however will persist, because organizations realized this year that they could be profitable this way. Why pay for an office if you do not have to? This means that the remote virtual meetings will continue for many of us.

If someone can obtain data about you from social media (Twitter, FB, LinkedIn, Instagram, etc) they will be able to send you emails that in many cases are crafted well enough that some users will be tricked into thinking that they are legitimate.

What happens if your bank sends you an email with a link to a “7 Ways You Can Double Your Money During The Pandemic” webinar? I bet a lot of people will be enticed by that subject line. The link to the meeting, however, could be redirected to a site that looks like a legitimate signup page for said webinar, where “To provide a tailored experience, please enter your banking account information”. It is not that difficult to copy the look and feel of a legitimate website.

Companies have been forced to trim the fat in 2020 in areas that would normally not be subject to cuts or downsizing because of their organizational importance. However, if everyone is working from home, then the perception is that you might not need a large IT department. After all, you cannot manage the employee’s home network.

  

Smart Home?

 

15. 47% of all vulnerable devices on home networks are cameras. But don’t blame just your camera. An average U.S. household has 17 IoT devices, and most of them have some kind of vulnerability.

I am sure that we are all aware of the Ring incident by now. If you are not, then where have you been, and can I go there too? Just search for Ring Camera breach.

But, before that, there was a massive DDoS attack that shut down a ton of services on the east coast of the US by flooding networks with service requests until they became overwhelmed. How did they do it? By taking over millions of unprotected, unpatched, vulnerable IoT devices from average people's homes. (2016 Dyn cyberattack)

 

No mercy for the unemployed

 

16. Cybercriminals are taking advantage of the massive uptick in unemployment across the United States. In a recent spear-phishing campaign, hackers sent out fake resumes from purported job-seekers that spread banking credential-stealing malware.

This is happening even on legitimate platforms like LinkedIn, so please beware the next time you get a message from a recruiter at a company you have never dealt with, offering a great opportunity with a six-figure paycheck.

 

17. Many states are warning unemployment applicants that their personal information may have been leaked. The exposed information included names, full social security numbers, banking details, addresses, number of dependents, and more.

 

18. An aggressive business ID theft ring that formerly targeted small businesses nationwide is now using its resources to access pandemic assistance loans and unemployment benefits.

 

Your Subscriptions

 

19. Phishing attacks targeting Netflix users have increased by a whopping 646%, by attackers looking to capitalize on Netflix’s growth.

 

20. Netflix users have also reported receiving suspicious texts, offering them “free passes” to the streaming service if they click a specific link.

News flash, there are no free passes.

With the increase in staying at home comes an increase in binge-watching of your favorite movies and TV shows. Cybercriminals are alert to world consumption trends and will adjust their efforts accordingly.

A piece of advice: you should never click on a link from a provider talking about account problems, service interruptions, etc. Instead, open the browser, log into the service, and then see if you have any notifications or any service or billing-related alerts that require your attention. You can also call.

 

Voting Confidence

 

21. Experts are sounding alarms about potential security risks related to the 2020 U.S. elections. Cybersecurity pros warn that hackers could infiltrate voter databases and election night reporting, for example.

I have my own opinions about the 2020 political theater, but I will keep them to myself. However, I will say that I have an increasing lack of confidence in some of the processes, as well as the technologies being used in said processes. I have a feeling that I am not the only one who feels this way.

 

More covid-themed cyberattacks will be related to the vaccine. 

Believe it or not, fraudsters have even found a way to use the coronavirus pandemic for blackmail. Reports of phishing scams threatening to infect a victim’s family with the virus are real and disturbing.

Just like cybercriminals attempted to take advantage of the covid situation, they will again adjust to try to dupe those who are seeking vaccination. Please, if you have senior family members, make sure that you try to protect them from potential scams coming by way of email and phone calls pretending to be legitimate sources of vaccination.

In the state of Florida, some counties elected to use Eventbrite (a popular event management and ticketing website). Within hours, there were a ton of listings asking for money to make appointments for vaccination-related activities, some of which could be confused with actual vaccination appointments, as well as a ton of virtual seminars to “understand vaccination” and other related topics.

 

22. The U.S. Department of Homeland Security says we should expect to see intelligence services attempt to target and steal covid research and data, including nation state-sponsored hackers targeting U.S. organizations working to develop vaccines for the virus.

 

23. Microsoft is warning of an ongoing covid-themed phishing campaign that installs the NetSupport Manager remote administration tool. The massive campaign is spreading via malicious Excel attachments in emails pretending to be from the Johns Hopkins Center.

Here is another attempt to impersonate a legitimate provider to dupe users into letting their guard down and installing software on their machines that can later be used to take control and steal data.

  

24. Google says it blocks 18 million covid-related scam emails each day. 

Why is email used so predominantly? To put it simply, it is the quickest way to get a potential cybercrime link in front of the eyes of a potential victim.

Even with recent technological advances in the area of cybersecurity and machine learning, it is very difficult to label what looks like a legitimate email as malicious.

No mechanism can stop me from opening a legitimate mailbox and sending emails to whomever I want, with content that I have carefully crafted to get a response. Attackers can include shortened URL links that navigate to legitimate websites initially, to bypass mailbox security measures. Many URL shortening services allow you to modify where the link redirects to. This can be used to send a link that redirects to a legitimate website at first, but later redirects to a malicious scam website.
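The bait-and-switch described above, as an added example that is not part of the original post: a local stand-in for a URL shortener (constructed, listening on 127.0.0.1) whose target is changed after a mail filter has "scanned" the link, and a resolver that records the redirect chain so what the scanner saw can be compared with what the user gets at click time. The paths `/s/abc123`, `/legit/webinar` and `/evil/login` are made up for the demo.

```python
"""Added example (not the original post's code): why a link scanned once at
delivery time cannot be trusted at click time when a shortener lets the
owner re-point it. Everything runs offline against a local HTTP server."""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample: short path -> current redirect target (mutable on purpose).
TARGETS = {"/s/abc123": "/legit/webinar"}


class Shortener(BaseHTTPRequestHandler):
    """Minimal stand-in for a URL shortener: 302 to the current target."""
    def do_GET(self):
        if self.path in TARGETS:
            self.send_response(302)
            self.send_header("Location", TARGETS[self.path])
            self.end_headers()
        else:
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"landing page")

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_server():
    """Start the fake shortener on a free local port; return (server, base URL)."""
    srv = HTTPServer(("127.0.0.1", 0), Shortener)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


class ChainRecorder(urllib.request.HTTPRedirectHandler):
    """Records every redirect hop instead of silently following it."""
    def __init__(self):
        self.hops = []

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        self.hops.append(newurl)  # urllib already made newurl absolute
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def resolve_chain(url):
    """Return [url, hop1, hop2, ...] as the link resolves right now."""
    rec = ChainRecorder()
    opener = urllib.request.build_opener(rec)  # replaces the default redirect handler
    with opener.open(url, timeout=5):
        pass
    return [url] + rec.hops


def demo():
    """Resolve the same short link before and after the owner re-points it."""
    srv, base = start_server()
    try:
        short = base + "/s/abc123"
        at_scan = resolve_chain(short)          # what a mail filter saw on delivery
        TARGETS["/s/abc123"] = "/evil/login"    # link re-pointed after the scan
        at_click = resolve_chain(short)         # what the user actually reaches
        return at_scan, at_click
    finally:
        srv.shutdown()


if __name__ == "__main__":
    scanned, clicked = demo()
    print("at scan :", " -> ".join(scanned))
    print("at click:", " -> ".join(clicked))
```

The defensive takeaway is that a filter must re-resolve links at click time (or rewrite them through a proxy that does), because the shortener's redirect is the only thing that changed between the two runs.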

 

Do not fall for the cute puppies.

 

25. About 85% of people who post pictures of puppies online are just trying to scam you out of money, charging victims for a pet that doesn’t even exist. 

Has anyone noticed how the cost of puppies has skyrocketed this past year? For many, who live by themselves a new pet was a way to cope with solitude. This has driven sales of new pets to new heights, created added attention, and of course, as stated earlier, cybercriminals are smart and creative.

There you have it, great is it not?

It is unfortunate that Internet Service Providers do not take an active role in protecting their users. Some claim to, and do offer some endpoint protection safeguards, but it is not nearly enough.

Take a little time to look into your network and connected devices, and understand what is going on. Do not let your guard down.

J.


Sources: CompTIA, BBB, Google, MSFT, DHS, The Washington Post, Business Insider, Webroot, KrebsOnSecurity, Forbes, RiskIQ, Barracuda, ZDNet, BitDefender, BrandShield, Check Point, Norton Security, Cyber Security Ventures, Coveware, SelfKey, Iomart, Varonis, SC Magazine.


Work From Home is going to become the new norm for many organizations across the world thanks to mother nature. Covid has forced many industries to evolve at an accelerated rate. Financial Technologies, for example, has experienced a growth of adoption rate that under normal circumstances would probably be observed across 5 to 10 years.  If there is one great thing about us humans, we can adapt to new conditions. Overall, we are great at rolling with the punches.  Working from home, as is the case with any new dynamic, will introduce new challenges and questions that need to be answered with regards to data protection.  These are some of those questions... 1. Now that I am working from home, is my employer at least partially responsible for the security of my network and personal data? This might seem like a reach but think about it... Organizations are constantly targeted by cybercriminals because looking to steal sensitive data about users, employees, patients, etc. Instead, cybercri