Once again, it all comes back to the money.
Seventy-one percent of the data breaches that occurred in the last year were financially motivated, according to Verizon’s annual Data Breach Investigations Report. While there’s been an uptick in espionage targeting the manufacturing sector, the overwhelming majority of cybercrime still is carried out by hackers primarily interested in making a buck. Just ask the financial companies: For the first time last year, they reported more instances of fraud when a physical card was not used than when a card was present.
“It’s not necessarily that attackers are changing their techniques, or even evolving,” said Alex Pinto, head of security research at Verizon, of the findings. “It’s that attackers are keen to go after whoever is the easiest target … and there was a very sharp uptick on financially motivated social engineering.”
Verizon’s DBIR has become a well-regarded barometer of threats, hacking techniques and other lessons culled from thousands of breaches voluntarily shared with the U.S. telecom giant by enterprises in various industries. This edition, the 12th, includes data from 41,686 security incidents, of which 2,013 were confirmed data breaches.
The objective, Pinto said, is to help security leaders better understand where hackers are most likely to attack, and stop a breach before it occurs.
Sixty-nine percent of the breaches were carried out by outsiders, according to Verizon. Most (52 percent) involved hacking; 33 percent were social attacks and 28 percent could be blamed on malicious software. A mere 32 percent of the reported incidents involved phishing, while espionage, the act of gaining some kind of strategic advantage, was the cause of 25 percent.
The figures again demonstrate how many breaches require human trust to be successful. And attackers know their targets. Some 1.5 percent of the social breaches targeted executives in 2017, while roughly 20 percent were aimed at executives last year, Pinto said. That’s partly because of the ongoing success of business email compromises (BECs), in which scammers steal an executive’s credentials and then instruct subordinates to make wire transfers worth thousands of dollars.
“I would wager executives are as protected as anyone in the organization, but they’re a juicier target,” Pinto said. “Why hack people when you can just ask them for money?”
A few other trends identified elsewhere throughout the 78-page report:
• The number of breaches at point-of-sale systems at retail locations fell by 57 percent last year, perhaps because of higher adoption of chip-and-pin anti-fraud technology. But hackers still are scanning for web application vulnerabilities they can exploit to capture credit data.
• According to the report, financial crime was a larger problem for the manufacturing industry than espionage. Espionage typically is more of a problem for manufacturing than other industries, though researchers noted that the spying in manufacturing may be underrepresented in the DBIR because “partners who typically provide data around cyber-espionage” may not have participated this year. “So, shall we conclude that James Bond and Ethan Hunt have finally routed their nemesis for good? Are we free to buy the world a Coke and teach it to sing in perfect harmony? Probably not.”
• Cryptomining isn’t such a big deal, after all. Despite an abundance of news headlines reporting on an apparent surge in the number of hackers who abuse their access to generate cryptocurrency, Verizon researchers found that the hacking technique isn’t listed in the ten most popular forms of malware. “We were at a hipster coffee shop and it was packed with people talking cryptomining malware as the next big thing,” the report states. “The numbers in this year’s data set do not support the hype[.]”