The consumer threat landscape constantly changes. Although the main types of threats (phishing, scams, malware, etc.) remain the same, lures that fraudsters use vary greatly depending on the time of year, current major events, news, etc. This year, we have seen spikes in cybercriminal activity aimed at users amid the shopping and back-to-school season, big pop culture events, such as Grammy and Oscar, movie premieres, new smartphone announcements, game releases, etc. The list can go on, as cybercriminals are quick to adapt to new social, political, economic, and cultural trends, coming up with new fraudulent schemes to benefit from the situation.
Below, we present a number of key ideas about what the consumer-oriented threat landscape will look like in 2023, and describe how users could be lured into cybertraps with fake content and third-party apps.
Games and streaming services
Users will face more gaming subscription fraud. Sony’s PlayStation Plus is starting to compete with Microsoft’s subscription service, GamePass, and offers to play subscription games not only on consoles, but also on the PC, to increase the market share. The larger the subscription base, the greater the number of fraudulent key-selling schemes and attempts at stealing accounts. These schemes can be very similar to the streaming scams that we have been observing for the past several years.
Gaming console shortage to be exploited. The shortage of consoles, relieved slightly in 2022, could start to increase again already in 2023, spurred by the release of the PS VR 2 by Sony. The headset, which requires a PS5 to function, will be a convincing reason for many to buy the console. A further factor is expected to be the release of “pro” console versions, rumors about which began to circulate in the middle of 2022, and which may trigger more demand than can be satisfied. Fake presale offers, generous “giveaways” and “discounts”, as well as online store clones that sell hard-to-find consoles—we expect all these types of fraud to exploit the console shortage.
In-game virtual currencies will be in demand among cybercriminals. Most modern games have introduced monetization: the sale of in-game items and boosters, as well as the use of in-game currencies. Games that include these features are cybercriminals’ primary targets as they process money directly. In-game items and money are some of the prime goals for attackers stealing players’ accounts. This summer for instance, cyberthieves stole 2 million dollars’ worth of items from an account that they hacked. To get a hold of in-game valuables, scammers may also trick their victims into a fraudulent in-game deal. In the coming year, we expect new schemes relating to resale or theft of virtual currencies and items to emerge.
Cybercriminals will capitalize on long-awaited titles. This year, we have already seen an attacker claim to leak several dozen gameplay videos from GTA 6. Chances are that in 2023, we will see more attacks relating to games slated for release in that year: Diablo IV, Alan Wake 2, and Stalker 2. Besides possible leaks, we expect to see the increase in scams that target these games, as well as in Trojans disguised as those games.
Streaming will remain cybercriminals’ bottomless source of income. Every year, streaming services produce more and more exclusive content that gets released on select platforms. A growing number of TV shows are becoming not just a source of entertainment, but a cultural phenomenon that influences fashion and trends in general. 2023 promises a wealth of new releases. We expect cybercriminals to use these anticipated titles along with streaming service names when distributing Trojans, creating phishing pages and implementing scams.
The talked-about movies and shows that could be exploited by cybercriminals include the new seasons of Euphoria and The Mandalorian; the long-awaited show starring Lily Rose Depp and The Weeknd, “The Idol”; the Barbie movie; and the post-apocalyptic drama series based on the video game “The Last of Us”. The list of potential bait films to be exploited can go on and on, since fraudsters are quick to adapt to consumer tastes. If they see that users are looking for the latest episode of a popular show, they will simply find their way to benefit from that interest.
Social media and the metaverse
New social media will bring more privacy risks. We would like to believe that the near future will see a new revolutionary phenomenon in the world of social networks. Perhaps this will happen already in VR, but rather in AR. As soon as a new trendy app appears, so do risks for its users. Cybercriminals can start distributing fake trojanized applications to infect victims’ phones for further malicious purposes. Further dangers are associated with data and money theft, as well as phishing pages aimed at hijacking accounts in the new social media. Privacy most probably will be a major concern, too, as many startups neglect to configure their applications in accordance with privacy protection best practices. This attitude may lead to a high risk of personal data compromise and cyberbullying in the new social media, however trendy and convenient it may be.
Exploitation of the metaverse. Right now, we are only taking the first steps toward complete immersion in virtual reality, already using metaverses for entertainment while testing industrial and business applications of this new technology. Although so far, there are only a few metaverse platforms, they already have revealed risks that future users will face. As the metaverse experience is universal and does not obey regional data protection laws, such as GDPR, this might create complex conflicts between the requirements of the regulations regarding data breach notification.
Virtual abuse and sexual assault will spill over into metaverses. We have already seen cases of avatar rape and abuse, despite efforts to build a protection mechanism into metaverses. As there are no specific regulation or moderation rules, this scary trend is likely to follow us into 2023.
New source of sensitive personal data for cybercriminals
Data from mental health apps will be used in accurately targeted social engineering attacks. Taking care of your mental health is no longer just some kind of whim or trend, but an absolutely necessary activity. And if, at some point, we are accustomed to the fact that the Internet knows almost everything about us, we are yet to realize that now our virtual portrait can be enriched with sensitive data about our mental state. As usage of mental health apps increases, the risk of this sensitive data being accidentally leaked or obtained by a third party through a hacked account will also grow. Armed with details on the victim’s mental state, the attacker is likely to launch an extremely precise social engineering attack. Now, imagine that the target is a key employee of a company. We are likely to see stories of targeted attacks involving data on the mental health of corporate executives. And, if you add here data, such as facial expressions and eye movement, that sensors in VR headsets collect, the leakage of that data may prove disastrous.
Education platforms and the learning process
Online education platforms will attract more cybercrime. In the post-pandemic times, online education has proven to be no less efficient than offline classes, we expect investment in online education platforms and learning management systems (LMS) to increase significantly. The trend is not new, but the relevance of concomitant threats will grow along with the growth in digitalization: trojanized files and phishing pages mimicking online educational platforms and videoconferencing services, as well as LMS credential theft are all set to grow in 2023.
A greater number of innovative technologies embedded in the learning process. These can be the use of virtual and augmented reality, voice interfaces, process automation (including robotization of communication), machine analysis of user actions, and AI-assisted testing and grading.
Gamification of education. In 2023, we will see greater use of gamification technologies in online learning to achieve functional goals: user acquisition and engagement, holding attention, personalized learning, inclusivity, and reducing resistance to learning. This will expose students to additional risks, the like of which have plagued the gaming industry, among them trolls, phishing, and bullying, on platforms built for communication, competition, and teamwork.
This post appeared first on SecureList – Kaspersky Lab’s Cyberthreat Research and Reports
Author: Anna Larkina, Andrey Sidenko, Roman Dedenok