Retail sector top cyber attack target

The retail sector suffered the most breach incidences (16.7%) in 2017 as attackers became more organised, the latest Trustwave security report shows.

The retail sector was followed by the finance and insurance industry(13.1%) and hospitality (11.9%), according to the 2018 Trustwave global security report, which is based on the analysis of billions of security events worldwide, hundreds of data-beach investigations and internal research.

However, despite the high volume of attacks on the retail sector, the report shows that incidents impacting point-of-sale (POS) systems decreased by more than a third to 20% of the total, which is attributed to increased attack sophistication and targeting of larger service providers and franchise head offices rather than smaller high-volume targets.

The report notes a marked increase of 9.5% in compromises targeting businesses that provides IT services including web-hosting providers, POS integrators and help-desk providers. A compromise of just one provider opens the gates to a multitude of new targets. In 2016, service provider compromises did not register in the statistics, the report said.

Phishing and social engineering was the top method of compromise (55%), followed by malicious insiders (13%) remote access (9%). This indicates the human factor remains the greatest hurdle for corporate cyber security teams, the report, noting that “CEO fraud”, a social engineering scam encouraging executives to authorise fraudulent money transactions continues to increase.

All web applications tested displayed at least one vulnerability with 11 as the median number detected per application. Most of the web application vulnerabilities (85.9%) involved session management allowing an attacker to eavesdrop on a user session to commandeer sensitive information.

Targeted web attacks are becoming prevalent and much more sophisticated, the report shows, with many breach incidents showing signs of careful preplanning by cyber criminals probing for weak packages and tools to exploit.

Cross-site scripting (XSS) was involved in 40% of attack attempts, followed by SQL injection (SQLi) at 24%, path traversal at 7%, local file inclusion (LFI) at 4%, and distributed denial of service (DDoS) at 3%.

Although 30% of malware examined used obfuscation to avoid detection and bypass first line defences, 90% used persistence techniques to reload after reboot, the report said.

The median time between intrusion and detection for externally detected compromises was 83 days in 2017, up from 65 days in 2016. However, the median time between intrusion and detection for compromises discovered internally dropped to zero days in 2017 from 16 days in 2016, meaning businesses discovered the majority of breaches the same day they happened.

Although down from the previous year, payment card data is still the most highly targeted type of data in breaches, accounting for 40% of data stolen in all the breaches analysed.    

The data shows that several major Necurs botnet campaigns were responsible for propagating ransomware, banking trojans and other damaging payloads, with spam containing malware remaining high at 26%, although down from 34.6% in 2016. More than 90% of spam-borne malware is delivered inside archive file such as .zip and is typically labeled as invoices or other types of business files the report said.