The Future of Web Threats: 2025 Predictions with Legendary Ethical Hacker, Ysrael Gurt


Introduction

“The future influences the present just as much as the past.” – Friedrich Nietzsche

Nietzsche wasn’t suggesting that future time travelers have been coming back and influencing our present (unless he knew something we don’t). He was just pointing out that our hopes, fears, and expectations for the months and years ahead can strongly influence what kind of future we create for ourselves and others. With that in mind, and because 2025 is right around the corner, we decided to put some forward-looking questions to someone who has made a successful career of using anticipated future trends to inform current practice in the field of cybersecurity, Mr. Ysrael Gurt.

As a renowned ethical hacker with extensive product development and complex problem-solving expertise, he has achieved significant recognition in cybersecurity. Ranked number 22 in Google’s Hall of Fame, his accomplishments include uncovering vulnerabilities in major platforms like Facebook and Microsoft, and in 2018, Forbes honored him in their “30 Under 30” list for his exceptional hacking abilities and cybersecurity skills.

Ysrael’s commitment to creating a safer online future for all led him to co-found Reflectiz, the web exposure company whose next-generation solutions protect websites from third-party risks, and today he serves as its CTO.

Interview with Ysrael Gurt

Q: How are you today, Ysrael? As 2024 is about to end, I wanted to ask you a few questions about the year ahead, so firstly, what are the most significant web security threats we can expect to see in 2025?

Ysrael Gurt: “I don’t think anyone needs a crystal ball to answer that one. We’ll likely witness a surge in more sophisticated attacks targeting third-party scripts because that’s already been the trend for several years. Modern websites handle vast amounts of valuable data and malicious actors know that finding and exploiting vulnerabilities in these scripts can be one of the easiest ways to extract value from them. Couple that with the rise of AI and its many subsets, including machine learning, neural networks, large language models, and so on, and it’s obvious that criminals will be leveraging them. We’re entering an AI renaissance, so I’ve no doubt they’re already combining these sophisticated systems to automate and refine their attack techniques.”  

Q: So, how will the increasing adoption of AI impact the cybersecurity landscape?

Ysrael Gurt: “Cybercriminals will attack with AI tools, organizations will defend with AI tools, and when each successful breach reveals new methods and exposes unforeseen vulnerabilities, security companies will respond with updated software and regulatory bodies will modify their compliance requirements. It’s an arms race where all sides are using all available means to out-evolve each other.

Criminals are already training AI systems to understand how security software detects malware by pitting the two against each other. The findings from these ‘battles’ give the malware the information it needs to avoid future detection. AI can learn from previous attacks too and it can even help malware adapt to defenses during an attack in real time. Combine that with the fact that some malware groups have the wealth and resources of entire nation-states (who are acting for political and financial gain) behind them, and it’s clear we can expect challenging times ahead.

We’ll see a rise in AI-driven ransomware attacks because close to 50% of them begin with phishing attacks, and we know that AI has been very successful at powering phishing campaigns. Deepfakes are getting better at impersonating people, and they’ve gone beyond just voice cloning. There was a case in February where a finance worker at a multinational was tricked into transferring $25.6 million by a deepfake CTO (and others) on a video call. That’s the level of sophistication available now, but even straightforward email phishing will benefit from AI.

AI assistants can search the Internet for data on the target organization, and then use Generative AI to write highly personalized and convincing email content that mimics the writing style and iconography of the target’s contacts or relevant institutions.

So, we can expect an increase in highly personalized phishing attacks that trick people into handing over key security information and lay the groundwork for attackers to exploit website data. That being the case, the key message for every organization is not to get left behind. Invest in the best cybersecurity solutions available and perhaps consider taking out cybersecurity insurance.” 

Industries, Human Errors, and Evolving Threats

Q: What specific industries or sectors are most vulnerable to these emerging threats?

Ysrael Gurt: “Any industries that deal with sensitive personal or financial information are going to be at risk. Healthcare, finance, and e-commerce will remain prime targets of course, but as digital transformation accelerates across all sectors, I don’t think any industry can afford to be complacent, and it’s not about size either. If smaller businesses haven’t invested in robust security measures they can expect to be seen as attractive targets by opportunistic attackers. We’ve even seen individual schools shut down by ransomware attacks, which you wouldn’t necessarily expect, so anyone with an online presence of any size should assume they will be targeted and prepare accordingly.”

Q: What steps can organizations take to protect themselves from these evolving threats?

Ysrael Gurt: “They need to take a proactive, multi-layered approach to security, in other words, combine multiple security solutions to achieve the most robust defense. They should implement strong access controls, regularly patch vulnerabilities, and invest in advanced threat detection and response technologies. But perhaps just as importantly, they’ll need to make security a part of company culture, to the point where every employee does everything in a security-aware way. We’ve seen how devastatingly effective social engineering attacks can be, and that’s because humans are often the weakest link in the chain.”  

Q: So, what role does human error play in these attacks, and how can it be minimized?

Ysrael Gurt: “Humans always make mistakes eventually, and attack methods are always evolving, so security training should be ongoing. For instance, you might have employees who’ve grown used to entering sensitive financial data into publicly available generative AI tools. They may be inadvertently making it publicly available, depending on the platform, but would someone who is used to tapping queries into search engines even consider this? Probably not. So, the latest training needs to highlight such risks because the company can’t afford a single slip-up, while attackers only need to be successful once.

In terms of practical measures, it’s important to use approaches such as role-based access to limit how far the damage can spread when human error eventually creeps in. Then you’ve got things like minimum 12-character passwords, multi-factor authentication for accessing critical systems, user training and awareness to recognize and avoid common threats like phishing attacks, and so on. I could go on, but PCI DSS v4.0 addresses these issues quite comprehensively.”

Web Exposure and Malicious Attacks

Q: How do you see the evolution of Magecart attacks in 2025? What new techniques might attackers employ to steal sensitive card data, and how can businesses protect themselves from these threats?

Ysrael Gurt: “I think Magecart attacks will continue to evolve, leveraging more sophisticated techniques like client-side JavaScript injection and browser extensions. They may target less common payment methods or exploit emerging payment technologies, and to protect against these threats, businesses will need to implement strong web application firewalls, regularly scan their websites for vulnerabilities, and perhaps consider payment tokenization.”

Q: What is the importance of exposure management in the modern security landscape? How can organizations effectively identify and mitigate vulnerabilities in their digital footprint to reduce the risk of attacks?

Ysrael Gurt: “Prevention is always more straightforward than cure, so exposure management has to be a priority. Essentially, it’s good housekeeping, and it goes a long way to minimizing the risk of unauthorized access and data breaches. Things like forgotten tracking pixels shouldn’t be lingering to leak data and invite exploitation, so you need to be regularly scanning for and removing these and any other bits of digital clutter. They only serve to give you a bigger attack surface. This is one of the reasons why Reflectiz maps and monitors every asset in a website’s digital inventory. Although the scope is slightly different, it mirrors the concept of continuous threat exposure management (CTEM) that Gartner outlined in 2022.”

Q: Can you elaborate on the concept of web exposure and web risk? How do these factors contribute to the overall security posture of an organization?

Ysrael Gurt: “Web exposure refers to the extent to which an organization’s digital assets are visible and accessible to the public. Web risk is the potential for negative consequences, such as data breaches or reputational damage, if they are compromised. Understanding both is the starting point to improving their security posture using the steps I already mentioned.”

Q: How will web supply chain attacks unfold in 2025?

Ysrael Gurt: “In 2025, we’ll witness a significant escalation in web supply chain attacks. Malicious actors will become increasingly adept at exploiting vulnerabilities in open-source components, compromising third-party vendors, and leveraging AI to automate attacks.

I think a prime target will be open-source repositories. If attackers can introduce malicious code or backdoors into popular libraries, the effects will be magnified massively. We had a small taste of this with the Funnull CDN distributing compromised polyfills to over 100,000 victims, and the same principle applies to third-party vendors. They will remain a weak link in the supply chain, and a single compromised vendor can expose countless organizations to risk.

Social engineering and phishing attacks will continue to be effective, with or without the use of AI, as attackers target developers and employees to gain unauthorized access to systems.

It remains the case that to counter these threats, organizations must adopt a proactive approach. A range of rigorous security measures, including vulnerability scanning, penetration testing, and secure coding practices, are going to be indispensable (and probably eventually mandatory as the scope of regulations widens). They’ll need a strong focus on employee awareness training to help mitigate the risk of human error, and they’ll also want to embrace zero-trust security principles.

I’m aware of how challenging this all sounds, but I’m also confident that organizations can overcome these challenges because the tools and techniques that will keep them safe are available now. By using these resources now and in the year ahead, they can effectively protect their supply chains, safeguard their digital assets, protect their customers from harm, and stay one step ahead of web supply chain attackers.”
