Has a confluence of fragmented cybersecurity industries, misguided CIOs, and super-motivated state-sponsored actors led to permanent and worsening cyber chaos?
Global-scale content delivery and connectivity networks funnel the world’s data flows daily, and their metrics are a powerful indicator of the cyber threat/fraud landscape at any particular moment in a day.
In the Asia Pacific region, how are some of the major cyber threats emerging or morphing amid raging wars and strong political/trade agendas polarizing the haves and the have-nots (state-sponsored actors included)?
Reuben Koh, Director of Security Technology & Strategy, Akamai, shares some insights with CybersecAsia.
CybersecAsia: What are the most common categories of fraud and abuse that organizations should watch out for?
Reuben Koh (RK): With digitalization booming across industries, we are seeing an increase in sophisticated attacks, and cases of fraud and abuse. Common categories of fraud and abuse include malicious bots, account takeover (ATO) attacks, malicious scripts, and audience hijacking.
In the Asia Pacific and Japan region (APJ), many organizations surveyed were unprepared to deploy specialized protective technologies against fraud and abuse, compared to other global regions.
Furthermore, APJ is the second-most targeted region in the world for malicious bot requests against financial services, accounting for 39.7% of all malicious bot requests worldwide. Some of the use cases uncovered include website scraping to impersonate the websites of financial services brands for phishing scams, and credential stuffing via automated injections of stolen usernames and passwords for account takeovers.
CybersecAsia: Why are the cybercrime rates different for various regions?
RK: Due to the different rates of success per region, cybercriminals target different vertical sectors within each region differently.
For example, the commerce sector in India is the most targeted for such attacks, whereas in Australia the financial services sector is the top target. Other factors may be involved:
- The levels of mobile penetration and digital adoption. Accelerated digital transformation efforts worldwide have led to rapid innovation and expansion of applications, APIs and their digital supply chains. During the rush to transform to digital, security at times inevitably becomes an afterthought and often has to play catch-up with the business.
- Insufficient understanding of the severity of cyber risks, as well as using existing static tools to protect against dynamic threats like malicious bots, could contribute to the regional attack metrics.
CybersecAsia: Do organizations arm themselves against every and all possible threats or try to cater to those affecting their region?
RK: When threats are continuously evolving, numerous and widespread, and zero-day vulnerabilities are often exploited by attackers within 24 hours, organizations need to arm themselves against every and all possible threats:
- Ensure that contingency and response plans are regularly updated and able to address the evolving techniques of cybersecurity threats. Leaders should also re-evaluate their risk models in terms of fraud management, customer-based threats, and account takeovers on a timely basis
- Actively participate in cybersecurity community updates and discussions, including attending briefings by local authorities and computer emergency response teams, or joining industry groups that collaborate on threat research
- Make sure that all chosen cyber defense solutions are adaptive enough to counter the ever-changing threat landscape and minimize the risks posed by attackers that are getting more sophisticated every day
CybersecAsia: What cybersecurity capabilities should businesses acquire, build and fine-tune to mitigate various present and foreseeable threats? How will the rising threat of generative AI abuse affect current solutions already in place?
RK: The concept of ‘Adaptive security’ plays a vital role in safeguarding revenue, brand reputation, and customer loyalty. To effectively combat the evolving threats, security and anti-fraud teams require access to more comprehensive and informed data, supported by ongoing threat research, enabling them to respond effectively.
Traditional, rigid security methods are inadequate in addressing the complexities of today’s threat environment, such as the rising threat of generative AI abuse. Some ways that generative AI abuse can affect current solutions in place:
- Automated credential stuffing: GenAI can automate this process by generating and testing a wide range of username-password combinations against multiple websites and services.
- Behavioral mimicry: GenAI can be employed to impersonate legitimate users, making account takeover (ATO) attacks harder to detect based on unusual activity patterns.
- Voice phishing: GenAI can copy people’s voices to trick victims into sharing private information or money details.
Businesses should consider bolstering cyber resilience through Zero Trust and micro-segmentation to minimize harm and enable recovery even during an ongoing cyberattack. Rather than depending on network-based controls, which are often unwieldy to handle and tricky to manage, micro-segmentation detaches security controls from the underlying infrastructure, providing a higher level of detail and adaptability.
CybersecAsia: In the case of, say, malicious scripts/bot attacks spreading like wildfire, is it correct to say that the cybersecurity industry is slow in ensuring that their products could preempt such attacks, or slow in encouraging that potential customers choose that type of protection even if they did not see the need for paying for that?
RK: From my conversations with customers, I know that, while they understood the risks malicious bots and scripts brought to the business, they either felt that they had other more pressing security priorities or believed that their current general-purpose security solutions should be able to address them.
Things immediately changed once we ran a proof-of-concept risk assessment for them to understand and see the volume and type of threats that were hitting them on a daily basis. It opened their eyes to a whole new level of visibility they did not have previously, and they now know how malicious bots could cause a whole lot of damage.
Client-side scripts were another issue customers were grappling with, because not only did they have to discover, understand and stop malicious third-party scripts from affecting their customers’ browsers and stealing sensitive data, they also had to figure out how to meet and comply with regulatory requirements such as the upcoming PCI DSS 4.0.
Attackers are constantly adapting to the cybersecurity defenses and developing new tactics. While organizations can be slow to implement third-party solutions such as third-party scripts, which have many advantages and benefits, implementations can also introduce security risks …
CybersecAsia: Are typical business/competitive threats such as audience hijacking now being weaponized by fraudsters? What other types of business threats, unfair competitive tactics or otherwise non-cyber threats do you foresee being weaponized via malware/scripts and other cyber syndicates and state-sponsored actors?
RK: Our internal metrics and research findings show that the convergence of traditional business threats with cyber capabilities opens up new avenues for malicious actors, including cyber syndicates and state-sponsored actors, to weaponize various tactics.
Non-cyber threats that can be weaponized via malware/scripts and cyber means include:
- Supply chain manipulation: Malware injected into supply chain systems can compromise the integrity and security of products or components, causing disruptions, reputational damage, and potentially harming competitors’ products.
- Counterfeit goods and brand dilution: Malicious actors can create counterfeit products or distribute counterfeit materials through digital means, eroding trust in a brand or product, and causing financial harm to legitimate businesses.
- Product defacement: Malicious scripts or malware can be used to deface an organization’s website or product listings, harming its online reputation and customer trust.
Retailers need to be able to identify when and how audience hijacking is occurring so they can take countermeasures to help protect their business and customers from unwanted or malicious in-browser actions.
The CybersecAsia team thanks Reuben for taking the time to share his cyber insights.