Threat actors will continue to create new hacking techniques in 2023. I think it’s fair to say that we can all agree on that.
But businesses significantly improve their chances of protecting sensitive data by raising staff awareness of cyber threats. If your workforce knows where cyberattacks are coming from, they are easier to spot.
It should be noted that cybercrime gets blown out of proportion in mainstream media. That’s not to say the threat is not real, it is. But cybersecurity firms have the edge over the average hacker.
And crack hackers are only after the big fish.
For example, in 2022, it was reported that 4,1000 data breaches were publicly disclosed.
It was also reported that some 255 million cyberattacks were reported globally – entering the final quarter.
That’s a success rate of just 0.00160%. And when the real figures come out, we’ll find it’s even less than that.
I don’t wish to downplay the threat of cybercrime by revealing these figures. But it’s not my intention to pull the wool over your eyes by sensationalising hacking either.
As far as Micro Pro are concerned, our best interests are in providing our clients with relevant, effective and honest advice. And in our view, knowing how to spot cyberattacks is the best defence to stop cyberattacks.
Look Out For SaaS Phishing
Various phishing strategies are expected to be the most popular hacking techniques in 2023. If previous years are anything to go by, phishing accounts for around 90% of all cyberattacks.
Whilst most phishing attacks arrive in email inboxes, hackers have found new ways to initiate SaaS-based phishing. One method of stealing login credentials is for hackers to hijack legitimate software and create a credential-stealing page that for all intents and purposes looks exactly like a legitimate login page.
The only way to identify a legitimate login screen from a fake page is the URL.
Hackers use a multi-level approach to infiltrate SaaS platforms. The first step is to send the victim a fake invoice or another document that appears genuine. Because pdfs open directly to a web browser, they navigate around preset cybersecurity defences that ordinarily restrict the opening of pdfs.
Hackers use a range of malware, some of which are difficult to detect. One example is Snake Keylogger, a dangerous piece of code which records the user’s keystrokes to collect login data.
Microsoft noted that the second phase of this new hacking technique was only successful against users that were not utilising multi-factor authentication (MFA).
Attackers that successfully compromise a device establish a fake SaaS account using the victim’s name. They then use the fake account from a rogue device to target other members of the organisation where they can inflict the most damage.
At this point, the strategy is likely to convert to spear phishing or whale phishing attacks.
You can read more about how hackers instigate whaling and spear phishing attacks in our previous article, “Are Hackers Targeting Your C-Suite With Whaling Attacks?”
We predict that SaaS attacks will become the most successful hacking techniques in 2023 if your staff is not aware of the threat. With the mass adoption of cloud computing, remote working and BYOD, bad actors have more opportunities to exploit business networks.
However, I will stress that hackers cannot access networks and computers if your staff know not to click on any pdfs or documents without checking their authenticity.
We recommend writing ‘document authentication’ protocols into your proactive cybercrime awareness practices.
One of the techniques we have known about for quite some time now is hackers dropping malware-infected documents into Microsoft Team chats together with an uptick in cyberattacks targeting Microsoft 365 applications.
Beware of ChatGPT (and other AI chatbots)
ChatGPT seems to be a darling of the media at the moment, with many singing the OpenAIs capacity to generate well-written code that aids developers.
Search Engine Journal even went as far as to say that ChatGPT “may be the most important tool since modern search engines.”
That may well be true if you’re a hacker.
ChatGPT was only launched in November 2022 but security firms identified vulnerabilities in the software almost immediately. Researchers warned that hackers could use the AI chatbot and Codex to execute effective cyber-attacks.
Here’s an interesting take on the use of AI chatbots from Venture Beat:
“AI into revealing information it should not? Chatbots created so far do not appear to exert such advanced capabilities. But when they do, will attackers be able to trick them using social engineering techniques using masked identities? Probably. Will hackers be able to persuade chatbots to do something they are not supposed to do? All signs indicate yes. Therefore, there’s a greater risk that future chatbots will include human-like flaws, such as trust without sufficient verification.” ~ Kriti Sharma, Sage Group via Venture Beat
Check Point Research also conducted an experiment that showed how hackers could generate malicious code simply by asking ChatGPT ”good textual prompts”.
So when you read news in mainstream media that wants you to believe ChatGPT can be used to find answers to almost anything, they forget to mention that it can also be used to infiltrate your business network.
The fact of the matter is that ChatGPT is an enabler for attackers. Hackers can use AI chatbots to generate millions of phishing attacks targeting c-suite executives and key members of a company that have access to financial records and sellable data.
The headlines in mainstream media should read: ChatGPT takes phishing to a whole new level.
QRishing
With QR codes and cashless payments being ushered in, cybercriminals have an open invitation to steal sensitive data. All attackers have to do is take a flyer released by a government agency, financial institution or company and switch the QR code for a QR code that is infected with malware.
It’s impossible to detect that a QR code has been changed when the original advertising is still in place. But it would be pretty easy for hackers to position their own ad in say, a bar or cafe that utilises QR codes.
Insurance companies are already onto this QR scam. They are already using the chance of QR hijacking as leverage for businesses to take our cybersecurity insurance that covers them for QR phishing scams.
Surely, an easier way is to inform businesses not to bother using QR codes.
Smishing
Smishing is one of the new hacking techniques in 2023 we expect to see more of. The concept is the same as phishing. The only difference is the fake message is sent to a person’s mobile phone rather than their email address.
Hackers have turned to smishing because a phone number is easier to generate than an email. Mobile numbers are finite and practically every number hackers can generate using sophisticated software will be somebody’s actual number.
Targets will not only receive text messages via a smishing attack. Hackers can also use messaging apps and video conferencing platforms. Facebook Messenger, WhatsApp, Slack and Skype et al have all been co-opted by threat actors.
Again, smishing has been billed to be a dangerous threat. And whilst it could be, the attacks are highly random. Common Smishing attempts tend to focus on everyday activities such as late deliveries, invoices, bank notifications and urgent notices.
However, in most cases, hackers don’t know whether the recipient of a smishing attempt has any connection with the company or person they are purporting to be.
Reporting smishing attacks companywide will enable you to nip the threat in the bud before it becomes a threat. Encourage your staff to report any type of cyberattack and notify the rest of your staff to look out for similar threats.
Developer Account Hacking Techniques in 2023
As more businesses shift towards a Modern Workplace, there will be a greater need to work with a developer or team of developers. And according to cybersecurity experts, that could pose a problem.
The two largest cybersecurity conferences of 2022 both raised concerns about the growing number of cyberattacks targeting developers. If hackers control your source code and development environment, they essentially control you.
The information hackers can steal from developers in most cases include:
- SSH keys,
- API keys,
- Source Code,
- Production infrastructure,
- Access to CI/CD pipelines
If you don’t follow cybersecurity best practices, your development team could be the back door hackers walkthrough.
This hacking technique is likely to work in 2023 because companies trust developers with too much access to their environment. If truth be told, developer privileges tend to violate well-established access controls.
If hackers infiltrate a developer’s account, they can insert malicious code practically anywhere, leak sensitive data, steal intellectual property and other sensitive data, , change source codes, adjust security controls and other configurations, install backdoors and tamper with IT infrastructure.
The simple solution is to work with multiple developers and restrict developer access to your entire environment.
Drone Hacking
Drones are being touted as the next cutting-edge technology for hackers to target. This strategy was first detected in 2019 but it is tipped to increase as a hacking technique in 2023 as more businesses adopt drones.
Given that drones are basically flying computers, we can see the appeal for hackers to target drone-using companies. And whilst drones are limited to Wi-Fi-based frameworks they are typically synced with other devices that enable them to transfer data easily.
Fair enough, if hackers were to gain access to Wireless Access Points (WAPs) and associated passwords, they can pickpockets their way onto your mainframe.
But defending Wi-Fi gateways are easy to remedy simply by customising access permissions, disabling open connectivity and ensuring networks are protected with up-to-date encryption standards.
IoT Hacking Techniques in 2023
Threat actors typically target exposed devices that do not have a strong security profile. It shouldn’t really come as any surprise to learn that attacks on IoT devices saw a 98% increase in 2022.
The rise in remote working complicates IT security even more. Whilst home Wi-Fi networks can be monitored by IT support professionals with remote viewing software, an IoT infrastructure largely falls in the shadows and doesn’t receive any security updates.
This poses a problem if IoT devices are not customised with personal passwords. Encourage your staff not to leave a default password on any of their home devices. Once a hacker hijacks one device on a network, they can get data from other devices.
IT Support Services in London
There’s no doubt that businesses of all sizes should find effective methods of building cyber-resilience. I’ve said this before and will say it again, you need to implement cybersecurity measures – but cybersecurity doesn’t have to blow your IT budget.
Providing your staff know where cybersecurity threats come from, significantly increases your chances of preventing a data breach. It is thought that around 90% of successful data breaches are caused by human error; i.e clicking on phishing emails, downloading infected documents and misconfigured cloud applications.
Micro Pro have well over a decade of creating cybersecurity strategies and implementing effective barriers in relation to your budget. From our observations, cybercrime is easier to defend than mainstream media wants you to believe.
Having said that, if you’ve got any doubts about whether your cybersecurity measures will be deemed “adequate” by the Information Commissioners Office, get in touch with our IT security and cybersecurity experts in London to put your mind at ease.
The IT support professionals at Micro Pro work with you to create effective IT Security strategies that protect against all possible threats. Our breadth of expertise enables us to plan and implement solutions that cover every aspect of IT security from laptop encryption, to managed active antivirus, to multi-factor authentication, and more.