Kaspersky has revealed a list of potential bait subjects that are most likely to be exploited in the upcoming year, as well as some major predictions concerning the consumer-oriented threat landscape in 2023.
The predictions for the year revolve around mental health abuse in social engineering, metaverse assault and in-game virtual currency theft.
Anna Larkina, web content analysis expert at Kaspersky comments: “Although the main types of threats, like phishing, scams, malware remain the same, lures that fraudsters use vary greatly depending on the time of year, current major events, news, etc. This year, we have seen spikes in cybercriminal activity aimed at users amid the shopping and back-to-school season, big pop culture events, such as Grammy and Oscar, movie premieres, new smartphone announcements, game releases, etc. The list can go on, as cybercriminals are quick to adapt to new social, political, economic, and cultural trends, coming up with new fraudulent schemes to benefit from the situation.”
Games and streaming services
Users will face more gaming subscription fraud. Sony’s PlayStation Plus is starting to compete with Microsoft’s subscription service, GamePass, and offers to play subscription games not only on consoles, but also on the PC, to increase the market share. The larger the subscription base, the greater the number of fraudulent key-selling schemes and attempts at stealing accounts. These schemes can be very similar to the streaming scams that we have been observing for the past several years.
Gaming console shortage to be exploited. The shortage of consoles, relieved slightly in 2022, could start to increase again already in 2023, spurred by the release of the PS VR 2 by Sony. The headset, which requires a PS5 to function, will be a convincing reason for many to buy the console. A further factor is expected to be the release of “pro” console versions, rumors about which began to circulate in the middle of 2022, and which may trigger more demand than can be satisfied. Fake presale offers, generous “giveaways” and “discounts”, as well as online store clones that sell hard-to-find consoles—we expect all these types of fraud to exploit the console shortage.
In-game virtual currencies will be in demand among cybercriminals. Most modern games have introduced monetization: the sale of in-game items and boosters, as well as the use of in-game currencies. Games that include these features are cybercriminals’ primary targets as they process money directly. In-game items and money are some of the prime goals for attackers stealing players’ accounts. This summer for instance, cyberthieves stole 2 million dollars’ worth of items from an account that they hacked. To get a hold of in-game valuables, scammers may also trick their victims into a fraudulent in-game deal. In the coming year, we expect new schemes relating to resale or theft of virtual currencies to emerge.
Cybercriminals will capitalize on long-awaited titles. This year, we have already seen an attacker claim to leak several dozen gameplay videos from GTA 6. Chances are that in 2023, we will see more attacks relating to games slated for release in that year: Diablo IV, Alan Wake 2, and Stalker 2. Besides possible leaks, we expect to see the increase in scams that target these games, as well as in Trojans disguised as those games.
Streaming will remain cybercriminals’ bottomless source of income. Every year, streaming services produce more and more exclusive content that gets released on select platforms. A growing number of TV shows are becoming not just a source of entertainment, but a cultural phenomenon that influences fashion and trends in general. Considering the busy schedule of movie premieres in 2023, we expect to see more Trojans distributed using streaming services, such as Netflix, as a lure, and various phishing and scam schemes aimed at their users.
Social media and the metaverse
New social media will bring more privacy risks. We would like to believe that the near future will see a new revolutionary phenomenon in the world of social networks. Perhaps this will happen already in VR, but rather in AR. As soon as a new trendy app appears, so do risks for its users. Privacy most probably will be a major concern, too, as many startups neglect to configure their applications in accordance with privacy protection best practices. This attitude may lead to a high risk of personal data compromise and cyberbullying in the new social media, however trendy and convenient it may be.
Exploitation of the metaverse. Right now, we are only taking the first steps toward complete immersion in virtual reality, already using metaverses for entertainment while testing industrial and business applications of this new technology. Although so far, there are only a few metaverse platforms, they already have revealed risks that future users will face. As the metaverse experience is universal and does not obey regional data protection laws, such as GDPR, this might create complex conflicts between the requirements of the regulations regarding data breach notification.
Virtual abuse and sexual assault will spill over into metaverses. We have already seen cases of avatar rape and abuse, despite efforts to build a protection mechanism into metaverses. As there are no specific regulation or moderation rules, this scary trend is likely to follow us into 2023.
New source of sensitive personal data for cybercriminals
Data from mental health apps will be used in accurately targeted social engineering attacks. Taking care of your mental health is no longer just some kind of whim or trend, but an absolutely necessary activity. And if, at some point, we are accustomed to the fact that the Internet knows almost everything about us, we are yet to realize that now our virtual portrait can be enriched with sensitive data about our mental state. As usage of mental health apps increases, the risk of this sensitive data being accidentally leaked or obtained by a third party through a hacked account will also grow. Armed with details on the victim’s mental state, the attacker is likely to launch an extremely precise social engineering attack.
Now, imagine that the target is a key employee of a company. We are likely to see stories of targeted attacks involving data on the mental health of corporate executives. And, if you add here data, such as facial expressions and eye movement, that sensors in VR headsets collect, the leakage of that data may prove disastrous.