Sharp increase in malware targeting IoT devices

News by Rene Millman

IoT devices are being targeted ever more ruthlessly by cyber-criminals who are also stepping up attacks on the financial sector, according to McAfee's threat report.


57 percent of organisations are concerned about the security of IoT (pic: Westend61/GettyImages)

New malware targeting IoT devices has increased by three-quarters over the last quarter while financial sector data breaches have grown by a fifth, according to a new report.

The McAfee Labs Threats Report: December 2018 said that new IoT device malware grew 73 percent in Q3 with the total amount of IoT malware up by 203 percent in the last four quarters.

McAfee Labs saw an average of 480 new threats per minute and a sharp increase in malware targeting IoT devices. The company sourced its data from its Global Threat Intelligence cloud from over a billion sensors across multiple threat vectors around the world.

The report said that IoT devices such as cameras and video recorders have not typically been used for cryptomining because they lack the CPU power of desktop and laptop computers.

However, cyber-criminals have taken notice of the growing volume and lax security of many IoT devices and have begun to focus on them, harnessing thousands of devices to create a mining supercomputer.

New coin mining malware grew nearly 55 per cent, with total malware growing 4,467 per cent in the last four quarters.

The report also found that disclosed incidents targeting financial institutions rose 20 percent, as McAfee researchers observed an increase in spam campaigns leveraging uncommon file types, an effort to increase chances of evading basic email protections. McAfee researchers also observed banking malware include two-factor operations in web injects to evade two-factor authentication. These tactics follow a broad effort on the part of financial institutions to increase security in recent years, the report said.

Disclosed incidents targeting healthcare remained stagnant, with the public sector enjoying a two percent decline and the education sector a 14 percent fall.

The third quarter of 2018 saw the Dream, Wall Street and Olympus online dark web markets jostling for market share, until the disappearance of Olympus.

In an effort to evade law enforcement and build trust directly with customers, some entrepreneurial cyber-criminals have shifted away from using larger markets to sell their goods and have begun creating their own specialised shops, the report said. This shift has sparked a new line of business for website designers offering to build hidden marketplaces for aspiring shady business owners.

"Cyber-criminals are very opportunistic in nature," said John Fokker, head of cyber-criminal investigations at McAfee. "The cyber threats we face today once began as conversations on hidden forums and grew into products and services available on underground markets. Additionally, the strong brands we see emerging offer a lot to cyber-criminals: higher infection rates, and both operational and financial security."

According to another survey by Databarracks, 57 percent of organisations are concerned about the security of IoT.  Peter Groucutt, managing director of Databarracks, said that the publication by the UK government of the Secure by Design report in March this year was not enough to sufficiently address the issue of IoT security.

"Our lack of regulation means we see instances as serious as insecure children’s smartwatches. The Code of Practice will be adhered to by the diligent parties in the IoT supply chain, but it won’t prevent less committed companies favouring profit over security and pushing insecure products to market. The same company that produced these smartwatches was also found to be making insecure video baby monitors earlier this year," he said.

Gary Cox, technology director for western Europe at Infoblox, told SC Media that when choosing IoT, organisations need to ensure they are looking for devices which have been created with security at the heart – secure by design.

"While the BSI has a kitemark for consumer IoT devices, not every device is certified and it’s still early days. Businesses and financial institutions should be demanding the same level of commitment from vendors and push for this level of certification to become the norm," he said.

Style tag for CMS

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews