Despite the widely publicized Target and Neiman Marcus data breaches, attacks upon credit cards involving compromised point-of-sale (PoS) devices at retail locations barely rose in 2013, says the annual Verizon Data Breach Investigations Report.
In fact, PoS attacks are broadly down over the past few years, says the report, released today (April 22). Meanwhile, attacks upon Web-based applications, such as website content-management systems and e-commerce platforms, were sharply up, as were incidents of espionage and distributed denial-of-service (DDoS) attacks.
"Recent highly publicized breaches of several large retailers have brought PoS compromises to the forefront," the report says. "But at the risk of getting all security-hipster on you, we've been talking about this for years ... the number of PoS attacks in 2012 and 2013 is substantially lower than the number recorded in 2010 and 2011."
Furthermore, PoS attacks are more common among small and medium-sized retailers than among larger ones, and more common still in the travel and hospitality industry, where such attacks made up three-quarters of all reported incidents.
Nine for mortal men doomed to die
The Verizon Data Breach Investigations Report, commonly known as the DBIR, has become a must-read item for security professionals and IT managers since its introduction in 2008. This year's report gathers data from 50 organizations covering 95 countries. Reporting organizations include law enforcement agencies, information-security companies and governmental and non-profit information-sharing centers.
Most striking was the finding that 92 percent of attacks and data breaches could be grouped into just nine categories. In addition to DDoS attacks and attacks upon PoS devices and Web applications, the nine categories included insider misuse, physical theft or loss, crimeware (including banking Trojans and phishing attacks), card skimming, espionage and miscellaneous errors, such as emailing sensitive information to the wrong person.
Other highlights of the report included the startling assertion that nearly two-thirds of attacks involving Web applications were carried out by ideologically motivated groups or pranksters (whose members often overlap) seeking to publicize their cause by hijacking a well-trafficked website.
"Greed takes a back seat to ideology when it comes to Web-app attacks in the 2013 dataset," the report says. "Ideological actors (whether their motivation is social, political or just for plain fun) are less concerned about getting at the crown jewels than they are about getting a platform (in all senses of the word) to stand on."
Also ideologically based — at least until the world learns otherwise — was the months-long DDoS campaign by the Izz ad-Din al-Qassam Cyber Fighters against the websites of major American banks.
The Cyber Fighters' attacks, also known as Operation Ababil, began in September 2012 and continued sporadically through July 2013. The operation stepped up the sophistication of DDoS attacks, using new methods and leveraging Web-based applications to overwhelm servers with a relatively small number of attacking computers.
American intelligence officials claimed the Iranian government was behind Operation Ababil, but could not prove it. The Qassam Cyber Fighters never wavered from their claim that they were ordinary Muslims outraged at the refusal of YouTube to remove the "Innocence of Muslims" video that sparked riots overseas in September 2012.
"Unfortunately, the multilayer command-and-control infrastructure utilized in botnet creation makes it incredibly difficult to say with certainty from open sources that Iran is indeed the wizard behind the green curtain," the DBIR says. "We ultimately decided to go with the publicly stated purpose of the actors and chalk it up to hacktivism."
Nor did the DBIR's authors find any proof for the often-repeated assertion that the Operation Ababil attacks provided cover for outright theft from online bank accounts.
"Although there are scattered reports of this happening, hard evidence we’ve managed to collect doesn't indicate the rate or impact [of such occurrences] justifies the level of angst," the DBIR says. "We sometimes jokingly refer to this as the 'DoS Bigfoot,' not because we don't think it's real, but because we're intrigued and want to capture it on film."
Information theft and money
Espionage, however, was the biggest growth sector of the year, nearly tripling 2012's numbers. That doesn't mean there were three times the number of overall incidents; rather, as the DBIR explains, it's more likely that many more breached organizations came forward than in previous years.
"Like a streetlight illuminating cars parked along the street, more contributors allow us to see more cars," the report states. "Unfortunately, we can also see that those cars have broken windows and stolen stereos."
The report also warns against coming to the conclusion that state-sponsored espionage is largely carried out by China and North Korea. China, which supplied no data of espionage-related attacks upon itself, "definitely was not the only country conducting espionage," the report says.
The tried-and-true method of spear-phishing targeted individuals with malware-laced email attachments remained at the top of espionage attack vectors, comprising 78 percent of all attacks, but that's nevertheless down from 2012's share of 95 percent.
Rocketing up the charts is a newer but very successful ploy — the watering hole attack, or "strategic website compromise" in Verizon's terminology.
"Instead of email bait, SWCs set a trap within (mostly) legitimate websites likely to be visited by the target demographic," the report explains. "When they visit the page, the trap is sprung [and] the system infected."
Such attacks using hidden infections of obscure but important sites have yielded spectacular results, as in the nearly simultaneous penetration of the internal networks of Apple, Facebook, Microsoft and Twitter in early 2013. In those cases, corporate Macs were infected by corrupted pages on a Web forum for iPhone app developers.
However, the main motive for attacks isn't ideology or information, but money, the DBIR's executive summary says.
"Financially motivated criminal gangs are still the dominant type of perpetrator in external attacks — although espionage appears increasingly often in our data set," says the summary. "Despite all the emphasis on 'hacktivism' in the press, ideology-driven attacks remain a very small percentage of the total."
At 60 pages, the DBIR contains a trove of information, much more than we can summarize here, for IT professionals and interested laymen alike. You can download it for free from Verizon's dedicated DBIR page.