As Canadians put more of their information online, they become increasingly attractive targets for cyber threat actors. With cybercriminals continuing to adapt and improve their cyber capabilities to steal, commit fraud, or extort money from Canadians, we assess that cybercrime is the cyber threat Canadians and Canadian organizations are most likely to encounter.Endnote2
Stealing Personal and Financial Information
Stealing personal and financial information is lucrative for cybercriminals and is very likely to increase. Cybercriminals profit at the expense of Canadians by obtaining account login credentials, credit card details, and other personal information. They exploit this information to directly steal money, to resell information on cybercrime marketplaces, to commit fraud, or for extortion. Increasingly, we see cybercriminals becoming more organized, developing business-like processes to expand their operations to take advantage of vulnerabilities in software, hardware, and human behaviour online. For example, in recent years, cybercriminals have designed banking trojans specifically for mobile phones to steal user data and target financial resources. Cybercrime is now so prevalent and sophisticated that it sustains illegal online marketplaces. These cybercrime marketplaces offer illicit goods, stolen information, and malware. Some cybercrime marketplaces even offer customer support and rating functions. More accessible and easy-to-use cyber tools help cybercrime proliferate and operate around the world, often in areas beyond the reach of Canadian law enforcement agencies.
Increasing Cyber Threat Exposure
Canadians’ exposure to cyber threats increases with the growing number of Internet-connected devices, such as televisions, home appliances, thermostats, and cars. Manufacturers have rushed to connect more types of devices to the Internet, often prioritizing ease of use over security. We regularly observe cyber threat actors exploiting security flaws in devices resulting in either disruption to device functionality or using devices as platforms to launch other malicious cyber activities.
We have also observed malware used to find system vulnerabilities, allowing cyber threat actors to carry out unauthorized activity, such as launching a botnet. In fact, we judge that cyber threat actors are likely shifting their preferred platform for botnets from personal computers to other Internet-connected devices.
Domain Name System Provider Disruption
In October 2016, cybercriminals used a botnet made up of thousands of poorly secured Internetconnected devices in an attempt to artificially generate advertising revenue online. The compromised devices included routers, air quality monitors, baby monitors, surveillance cameras, and other equipment using default usernames and passwords. The botnet conducted a powerful Distributed Denial of Service that disrupted a major website domain manager, temporarily disabling some of the world’s most popular e-commerce, entertainment, and social media sites for millions of users. One of the cybercriminals posted this malware on a cybercrime forum, which let other cyber threat actors create variants of the botnet to use for other malicious activities.Endnote3
The case demonstrates how cybercriminals can exploit a variety of devices to conduct high-profile operations and also advertise their capabilities. By sharing and modifying malware source code, cybercriminals attempt to mask their identities in an effort to avoid legal consequences.
Figure 2: Distributed denial of service
Figure 2 - Description
Cyber threat actors use bots to send hundreds of thousands of requests to a targeted website domain manager. The website domain manager is unable to process the amount of traffic and as a result cannot respond to legitimate requests. A legitimate user will receive an error message as a result.
Financing Criminal Enterprise
Connecting more and more devices to the Internet has also created opportunities for cybercriminals to use malware to generate or “mine” cryptocurrency. In order to do this, cybercriminals use malware that takes control of a device’s processing power for their own purposes, interfering with a device’s functionality. Depending on the type of malware, affected users may not notice anything unusual about their device, while others may experience slower performance, a rapidly drained battery, increased data charges, or a shortened device lifetime.Endnote4 We expect that cybercriminals will continue to develop malware to conduct unauthorized cryptocurrency mining in 2019, especially if cryptocurrency values rise.
Fraud and Extortion
We have observed increasing sophistication in the types of cyber fraud and extortion attempts directed at Canadians. We expect this trend to continue as cybercriminals acquire new tools. Cyber threat actors conduct fraud by posing as legitimate organizations, such as government institutions, banks, or law firms in order to trick Canadians into clicking on malicious links or attachments that attempt to download malware onto their devices. We have also observed cyber threat actors posing as trusted software providers using pop-up ads to lure unsuspecting users into downloading malware.
Fake Canada Revenue Agency Message
Cyber threat actors posing as the Canada Revenue Agency (CRA) have sent fraudulent emails and text messages to Canadians requesting personal information, such as their social insurance number, credit card information, or passport number. Some scams allege that personal information is required so a taxpayer can receive a refund; others threaten that recipients must pay a bogus debt.Endnote5
Scams such as these are a reminder that it is not hard for cyber threat actors to find or develop content resembling a legitimate, trusted source. Phishing messages designed to appear legitimate are a simple, common, and often very effective form of compromise. Links and documents attached to these messages are likely malicious, containing banking trojans or other malware that cyber threat actors use to steal Canadians’ money or identities.
Cybercriminals use both cyber tools and social engineering to extort money or information from Canadians.Endnote6 The most common form of malware used for extortion is ransomware. After cybercriminals infect a device with ransomware, they try to extort money from owners by encrypting their data. Ransomware is no longer a sophisticated cyber tool. Low-sophistication cyber threat actors can now access it as a service that they rent or purchase on cybercrime marketplaces.
Figure 3: Ransomware
Figure 3 - Description
Cyber threat actors create and send messages containing ransomware to unsuspecting recipients. After a recipient opens a spammed message with an attachment, ransomware is installed on the computer and files in the effected computer are encrypted. A ransomware message is displayed stating an amount and deadline for payment to unlock the files, often paid using a cryptocurrency such as bitcoin. If a recipient chooses to pay, an encryption key to unlock the files may be provided.