Kaspersky has revealed a list of potential bait subjects most likely to be exploited in the coming year, as well as some big predictions regarding the consumer-oriented threat landscape in 2023.
This year’s predictions revolve around the abuse of mental health data in social engineering, exploitation of the metaverse and theft of in-game virtual currency.
Anna Larkina, web content analysis expert at Kaspersky, comments: “Although the main types of threats, such as phishing, fraud and malware, remain the same, the lures used by fraudsters vary greatly depending on the time of year, current major events, news, etc. This year we have seen peaks in cybercriminal activity targeting users in the middle of shopping and back-to-school seasons, major pop culture events, such as the Grammys and Oscars, movie premieres, new smartphone announcements, game releases, etc. The list goes on, as cybercriminals are quick to adapt to new social, political, economic and cultural trends, and come up with new fraudulent schemes to take advantage of the situation.”
Games and streaming services
Users will face more scams with game subscriptions. Sony’s PlayStation Plus is starting to compete with Microsoft’s subscription service, GamePass, offering subscription games not only on consoles but also on PC in order to increase its market share. The larger the subscription base, the greater the number of fake key sales schemes and attempts to steal accounts. These schemes can be very similar to the streaming scams we have observed in recent years.
The game console shortage will be exploited. The shortage of consoles, which eased slightly in 2022, may start to worsen again as early as 2023, spurred by Sony’s release of PS VR 2. The headset, which requires a PS5 to work, will be a compelling reason for many to buy the console. A further factor is expected to be the release of “pro” console versions, rumors of which began to circulate in mid-2022 and which could trigger more demand than can be satisfied. Fake pre-sale offers, generous “giveaways” and “discounts”, as well as online store clones selling hard-to-find consoles: we expect all these types of scams to take advantage of the console shortage.
In-game virtual currencies will be in demand among cybercriminals. Most modern games have introduced monetization: selling in-game items and boosters, as well as using in-game currencies. Games that include these features are primary targets for cybercriminals, as they process money directly. In-game items and money are some of the main targets for attackers who steal players’ accounts. This summer, for example, cyber thieves stole 2 million dollars’ worth of items from an account they hacked. In order to obtain in-game valuables, fraudsters may also trick their victims into a fraudulent in-game deal. In the coming year, we expect new schemes related to the resale or theft of virtual currencies to appear.
Cybercriminals will take advantage of long-awaited titles. This year, we’ve already seen an attacker claim to leak several dozen gameplay videos from GTA 6. Chances are, in 2023, we’ll see more attacks related to games that will launch that year: Diablo IV, Alan Wake 2, and Stalker 2. Besides possible leaks, we expect to see an increase in scams targeting these games, as well as in Trojans disguised as these games.
Streaming will remain a bottomless source of income for cybercriminals. Every year, streaming services produce more and more exclusive content that is released on select platforms. An increasing number of television programs are becoming not only a source of entertainment, but a cultural phenomenon that influences fashion and trends in general. Considering the busy schedule of movie premieres in 2023, we expect to see more Trojans distributed using streaming services, such as Netflix, as bait, as well as various phishing and scam schemes targeting their users.
Social media and the metaverse
New social media will entail more privacy risks. We would like to believe that the near future will see a new revolutionary phenomenon in the world of social networks. Perhaps this will happen in VR, but more likely in AR. As soon as a new trendy app appears, so do risks for its users. Privacy is also likely to be a major concern, as many startups fail to configure their applications in accordance with privacy best practices. This attitude can lead to a high risk of personal data compromise and cyberbullying on the new social media, no matter how trendy and practical it may be.
Exploitation of the metaverse. Right now, we are only taking the first steps towards full immersion in virtual reality, and are already using metaverses for entertainment while testing industrial and business applications of this new technology. Although there are only a few metaverse platforms so far, they have already revealed risks that future users will face. Since the metaverse experience is universal and does not comply with regional data protection laws, such as GDPR, this can create complex conflicts between regulatory requirements regarding data breach notification.
Virtual abuse and sexual abuse will spill over into metaverses. We’ve already seen cases of avatar rape and abuse, despite attempts to build a protection mechanism into the metaverse. Since there are no specific regulations or moderation rules, this scary trend is likely to follow us into 2023.
New source of sensitive personal data for cybercriminals
Data from mental health apps will be used in precisely targeted social engineering attacks. Taking care of your mental health is no longer just some kind of fad or trend, but an absolutely necessary activity. And while we have become used to the fact that the Internet knows almost everything about us, we have not yet realized that our virtual portrait can now be enriched with sensitive data about our mental state. As the use of mental health apps increases, so will the risk of this sensitive data being leaked or obtained by a third party through a hacked account. Armed with details about the victim’s mental state, the attacker is likely to launch an extremely precise social engineering attack.
Now imagine that the target is a key employee of a company. We are likely to see stories of targeted attacks involving data about the mental health of business executives. And if you add to this the data that sensors in VR headsets collect, such as facial expressions and eye movements, the leakage of this data could prove to be catastrophic.