Old-School Attacks Are Still a Danger, Despite Newer Techniques

The cold, hard truth? Cybercriminals are still perpetuating plenty of unsophisticated attacks for a simple reason: They work.

Aamir Lakhani, Cybersecurity Researcher and Practitioner, FortiGuard Labs

October 10, 2023

4 Min Read
Skull and crossbones on a digital background, indicating cyberattack
Source: Skorzewiak via Alamy Stock Photo

For all the conversations about new technologies like ChatGPT and the increasing sophistication of attacks, plenty of cybercriminals are still perpetuating plenty of non-sophisticated attacks for the simple reason that they work. These are the scams and fraud that prey on the unsuspecting and the unknowing. In other words, they are the attacks that prey on human behavior. This includes basic phishing attacks and credential harvesting.

For instance, a recent Cybersecurity and Infrastructure Security Agency (CISA) report found that:

  • Valid account credentials are at the root of most successful threat actor intrusions of critical infrastructure networks and state and local agencies

  • Valid credential compromise combined with spear-phishing attacks accounted for nearly 90% of infiltrations last year

  • Valid accounts were responsible for 54% of all attacks studied in the agency's annual risk and vulnerability assessment  

In many situations, threat actors are obtaining these credentials through social engineering. That tactic continues to be successful because it relies on human error, which is much harder to fix with technology. And from a bad actor's standpoint, why create new and/or complex threat vectors when the old, easier ones work just fine?

Automation Is Giving Bad Actors an Upper Hand

We've seen in the past couple of years that bad actors are increasingly weaponizing AI and automation. In particular, automation is helping cybercriminals pull off more attacks, more quickly and more easily. This has certainly been the case for money launderers, who automate recruitment campaigns to find their money mules.  

There's a lot of automation of old attacks, which are still effective because they're not relying on things like viruses or Trojans. They rely only on user credentials and social engineering. These things are very easy to automate.

Automation can also be used to pull off credential stuffing, which achieves account takeover (ATO) for fraudulent use by entering stolen usernames and passwords into the system's login fields. Credential stuffing is a particularly common and effective cyberattack. It's a successful approach because so many people use the same usernames and passwords to log in on numerous systems. Cybercrime estimates suggest that this attack strategy has a low success rate.

In addition, bad actors are using AI more and more to facilitate a variety of nefarious actions, from fooling algorithms that identify aberrant network activity to imitating human behavior through deepfakes. And of course, who can ignore the impact of generative AI on criminals' ability to quickly generate malicious code?

How to Defend Against Pedestrian Attacks

Social engineering continues to work, which means organizations will have to bolster human defenses. This entails cyber awareness and hygiene training at regular intervals to keep employees up to date on all the latest threats, tactics, and best practices.

With the help of comprehensive cybersecurity awareness training, employees will learn how to identify hazards, protect their companies, and look out for themselves. It's critical to emphasize that these guidelines apply to their personal digital lives as well, not simply their professional ones. This fact is increasingly important now that remote work is so prevalent.

Ensure that the workers in your training program learn how to create unique usernames and passwords for each app they use. Though nothing new, this still has to be said because it's essential to security. To assist staff in learning how to recognize phishing efforts, think about incorporating a phishing simulation service. These services make use of real-world simulations to help businesses assess user knowledge of and attention to the risks associated with phishing, as well as to teach and reinforce corporate processes when users encounter phishing attempts.

Additionally, make sure employees learn and practice these tactics:

  • Watch for typos and grammar mistakes in emails. These kinds of blatant errors are common in phishing emails. Make sure to look for valid domain names in the sender's email address as well.

  • Be vigilant to the point of skepticism. Always be wary of any strange or unexpected phone calls or emails.

  • Use a VPN whenever connecting to public Wi-Fi, which is a simple pathway for criminals to disseminate ransomware. By protecting the connection, a VPN stops viruses from being inserted.

  • Don't share sensitive information. Never give out a Social Security number or credit card information, for instance, by email or over the phone.

Basic Attacks Demand Comprehensive Response

While discussions revolve around advanced cyber techniques, simpler attacks still thrive due to their efficacy. Social engineering, phishing, and credential harvesting continue to exploit human vulnerabilities. Bad actors leverage automation to perpetuate these attacks effectively — as is the case with credential stuffing, which yields high success rates.

To counter such pedestrian threats, organizations must strengthen human defenses through ongoing cybersecurity awareness training. Employees need to know all the latest threats as well as how to spot, counter, and report them. Safeguarding both professional and personal digital lives is paramount, especially now that employees can work from anywhere. Yes, some bad actors are still dreaming up sophisticated attacks, but training in the basics will help overcome tried-and-true automation- and AI-assisted attack types.

About the Author(s)

Aamir Lakhani

Cybersecurity Researcher and Practitioner, FortiGuard Labs

Aamir Lakhani is a cybersecurity researcher and practitioner for Fortinet’s FortiGuard Labs. He formulates security strategy with more than fifteen years of cybersecurity experience, his goal to make a positive impact towards the global war on cyber-crime and information security. Lakhani provides thought leadership to industry and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work has included meetings with leading political figures and key policy stakeholders who help define the future of cybersecurity.  

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights