Data Breaches

Last year a lot of attention was focused on cyber-espionage, threats to privacy, and the acts of malicious insiders. Events at the end of 2013 provided a painful reminder that cybercrime remains prevalent and that damaging threats from cybercriminals continue to loom over businesses and consumers.

Eight breaches in 2013 each exposed more than 10 million identities. Targeted attacks increased and end-user attitudes towards social media and mobile devices resulted in wild scams.

Symantec’s 2014 Internet Security Threat Report covers a wide threat landscape and calls out seven areas that deserve special attention.

2013 – Year of Mega Breach

Symantec’s 2012 Internet Security Threat Report called 2011 the Year of the Data Breach. The year was deemed extraordinary because, in addition to increased cybercrime-driven breaches, the Anonymous group breached dozens of companies in acts of hacktivism.

With Anonymous less active, breach numbers returned to more predictable growth in 2012. And then came 2013. If 2011 was the year of the breach, then Symantec says 2013 can best be described as the Year of the Mega Breach.

There were 253 breaches in 2013, 62 percent more than in 2012. The total was also larger than the 208 breaches in 2011. But even a 62 percent increase does not truly reflect the scale of the breaches in 2013. Eight of the breaches in 2013 exposed more than 10 million identities each. In 2012, only one breach exposed over 10 million identities. In 2011, only five were of that size.

2011 saw 232 million identities exposed, half of the number exposed in 2013. In total, over 552 million identities were breached in 2013, putting consumers’ credit card information, birth dates, government ID numbers, home addresses, medical records, phone numbers, financial information, email addresses, passwords, and other personal information into the criminal underground.

Targeted Attacks Grow and Evolve

While targeted attacks continue to rise, Symantec observed an interesting evolution in these attacks. As first reported in last year’s report, attackers have added watering-hole attacks to their arsenal. But reports of the death of spear-phishing are greatly exaggerated. While the total number of emails used per campaign has decreased, and the number of those targeted has also decreased, the number of spear-phishing campaigns themselves saw a dramatic 91 percent rise in 2013.

According to the report, this “low and slow” approach (campaigns also run three times longer than those in 2012) is a sign that user awareness and protection technologies have driven spear-phishers to tighten their targeting and sharpen their social engineering. Symantec also observed attackers adding real-world social engineering, combining virtual and real-world attacks to increase the odds of success.

This year’s Internet Security Threat Report also introduces a new calculation. Using epidemiology concepts commonly applied to public health issues, Symantec has estimated the risk industries and users face of being targeted for attack. It sends a warning to some industries that may view the volume of attacks against them as no cause for concern.

For instance, while the most targeted attacks in 2013 were against Governments and the Services industry, the industries actually at most risk of attack were Mining (odds of 1 in 2.7), Governments (1 in 3.1), and then Manufacturing (1 in 3.2).

Zero-day Vulnerabilities and Unpatched Websites Facilitated Watering-Hole Attacks

More zero-day vulnerabilities were discovered in 2013 than any other year that Symantec has tracked. The 23 zero-day vulnerabilities discovered represent a 61 percent increase over 2012 and are more than the two previous years combined.

Zero-day vulnerabilities are coveted because they give attackers the means to silently infect their victim without depending on social engineering. And by applying these exploits in a watering-hole attack, they avoid the possibility of anti-phishing technology stopping them.

Unfortunately, legitimate websites with poor patch management practices have facilitated the adoption of watering-hole attacks. Symantec says 77 percent of legitimate websites had exploitable vulnerabilities and 1-in-8 of all websites had a critical vulnerability. This gives attackers plenty of choices in websites to place their malware and entrap their victims.

Typically, cutting-edge attackers stop using a vulnerability once it is made public. But this does not bring an end to its use. Common cybercriminals rapidly incorporate zero-day vulnerabilities to threaten all of us. Even though the top five zero-day vulnerabilities were patched on average within four days, Symantec detected a total of 174,651 attacks within 30 days of these top five becoming known.

Ransomware Attacks Grew by 500 percent in 2013 and Turned Vicious

Scammers continued to leverage profitable ransomware scams – where the attacker pretends to be local law enforcement, demanding a fake fine of $100 to $500. First appearing in 2012, these threats escalated in 2013, and grew by 500 percent over the course of the year. These attacks are highly profitable and attackers have adapted them to ensure they remain profitable.

The next step in this evolution was Ransomcrypt, commonly known as Cryptolocker. The most prominent of these threats, it turns ransomware vicious by dropping all pretense of being law enforcement: it is designed to encrypt a user’s files and demand a ransom for them to be decrypted. This threat causes even more damage to businesses, where not only the victims’ files are encrypted but also files on shared or attached network drives.

Holding encrypted files for ransom is not entirely new, but getting the ransom paid has previously proven problematic for the crooks. With the appearance of online payment methods, Ransomcrypt is poised for growth this year. Small businesses and consumers are most at risk of losing data. Prevention and backup are critical to protecting users from this type of attack.

Social Media Scams and Malware Flourish on Mobile

While the prevalence of mobile malware is still comparatively low, 2013 showed that the environment for an explosive growth of scams and malware attacks is here. Symantec’s global survey of end-users showed that 38 percent of mobile users had already experienced mobile cybercrime.

Lost or stolen devices remain the biggest risk, but mobile users are behaving in ways that leave themselves open to other problems. Mobile users store sensitive files online (52 percent), store work and personal information in the same online storage accounts (24 percent) and share logins and passwords with families (21 percent) and friends (18 percent), putting their data and their employers’ data at risk. Yet only 50 percent of these users take even basic security precautions.

The number of brand new malware families slowed as malware authors worked to perfect existing malware. In 2012, each mobile malware family had an average of 38 variants. In 2013, each family had 58. However, several events in 2013 showed that mobile users are highly susceptible to scams via mobile apps. Symantec says that mobile malware has not yet exploded because the bad guys have not needed it to get what they want.

Prevalence of Scams Fails to Change User Behavior on Social Media

Surrounded by their friends, users continue to fall for scams on social media sites. Fake offers such as free cell phone minutes accounted for the largest number of attacks on Facebook users, with 81 percent in 2013 compared to 56 percent in 2012.

And while twelve percent of social media users say someone has hacked into their social network account and pretended to be them, a quarter continue to share their social media passwords with others, and a third connect with people they don’t know. As social media becomes more and more of an activity done on mobile devices, these bad behaviors are likely to have worse consequences.

Attackers are Turning to the Internet of Things

Baby monitors, as well as security cameras and routers, were famously hacked in 2013. Furthermore, security researchers demonstrated attacks against smart televisions, automobiles, and medical equipment. According to Symantec, this gives us a preview of the security challenge presented by the rapid adoption of the Internet of Things (IoT).

The benefit to attackers of compromising these devices may not yet be clear, but the risk is real. IoT devices will become access points for targeted attackers and become bots for cybercriminals. Of immediate concern are attacks against consumer routers. Computer worms are making a comeback as attackers target devices without users to social engineer, but with unpatched vulnerabilities they can remotely exploit. Control of these devices can prove profitable for attackers, using DNS redirection to push victims to fake websites, usually to steal financial details.

Today, the burden of preventing attacks against IoT devices falls on the user. However, this is not a viable long-term strategy. Manufacturers are not prioritizing security – they need to make the right security investments now. The risk gets even higher with the proliferation of data being generated from these devices. Big data is big money and unless the right security steps are taken, it’s all available for an enterprising cybercriminal.

To access the full 98-page “2014 Internet Security Threat Report”, go to this Symantec web page.