Automated large-scale attacks taking down SMBs

Verizon DBIR 2012: Automated large-scale attacks taking down SMBs

There’s always chatter about the sophistication of malware and the advanced hacking techniques attackers use to steal payment information or sensitive corporate data. While that may be true for targeted attacks against high-value targets such as government agencies, the defense industrial base or financial institutions, the majority of victims, according to the 2012 Verizon Data Breach Investigations Report (DBIR) (.pdf), are smaller companies that fall prey to commodity attacks that expose shortcomings in basic information security best practices. The innovation is in the automation and process refinement behind attacks, and not necessarily in the sophistication of the malware involved, the report suggests.

“Small businesses are worried about the bottom line. It’s a matter of expertise, time and resources that they’re not able to defend themselves.”
Christopher Porter, principal, Verizon RISK team

Christopher Porter, principal with Verizon’s RISK team, said organized cybercrime groups have automated attacks end to end. These groups scan the Internet looking for exposed PoS or remote administration services, such as remote desktop management, and use brute force attacks against the logins to gain access. Since many of these systems use easy-to-guess or default passwords, gaining access can be trivial. Once inside, malware—usually a keylogger—is installed and begins collecting data. The malware is also preconfigured to send data outbound, either via FTP or email, to a Web server under the attacker’s control. The data is then sold on the black market, or, if credentials are stolen, deeper attacks are carried out against bank accounts or other systems within an enterprise.
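The attack chain Porter describes starts with a brute force run against an exposed remote-access login, and that stage leaves a loud trace in authentication logs: many failures from one source in a short window, often followed by a success. The script below is an added illustration of the detection side and is not from the report or from Verizon; it assumes a hypothetical one-line-per-attempt log format (timestamp, service, FAIL/OK, user, source IP) and runs over constructed sample lines embedded in the script. It flags any source that crosses a failure threshold within a sliding time window and records whether that same source later authenticated successfully, which is the case the report warns about.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format (not real data):
#   <ISO timestamp> <service> <FAIL|OK> user=<name> src=<ip>
SAMPLE_LOG = """\
2012-03-22T09:00:01 rdp FAIL user=administrator src=198.51.100.23
2012-03-22T09:00:02 rdp FAIL user=administrator src=198.51.100.23
2012-03-22T09:00:03 rdp FAIL user=admin src=198.51.100.23
2012-03-22T09:00:04 rdp FAIL user=pos src=198.51.100.23
2012-03-22T09:00:05 rdp FAIL user=administrator src=198.51.100.23
2012-03-22T09:00:06 rdp FAIL user=administrator src=198.51.100.23
2012-03-22T09:00:07 rdp OK user=administrator src=198.51.100.23
2012-03-22T09:15:00 rdp FAIL user=jsmith src=192.0.2.10
2012-03-22T09:30:00 rdp OK user=jsmith src=192.0.2.10
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (FAIL|OK) user=(\S+) src=(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, service, result, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "service": service,
            "result": result, "user": user, "src": src}


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP whose failed logins reach `threshold`
    within any `window`. Each alert records the peak failure count, the
    usernames tried, and the username of any later successful login from
    the same source (None if the source never got in)."""
    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    users = defaultdict(set)      # src -> usernames attempted
    alerts = {}                   # src -> alert dict

    for raw in lines:
        ev = parse_line(raw.strip())
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "FAIL":
            q = recent[src]
            q.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while ev["ts"] - q[0] > window:
                q.popleft()
            users[src].add(ev["user"])
            if len(q) >= threshold:
                alert = alerts.setdefault(src, {
                    "src": src, "first_seen": q[0], "failures": 0,
                    "users": users[src], "success_after": None})
                alert["failures"] = max(alert["failures"], len(q))
        elif src in alerts:
            # A success from an already-flagged source: the guess landed.
            alerts[src]["success_after"] = ev["user"]

    return sorted(alerts.values(), key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{a['src']}: {a['failures']} failures from {a['first_seen']}, "
              f"users tried={sorted(a['users'])}, "
              f"successful login after={a['success_after']}")
```

On the sample, 198.51.100.23 is flagged after its fifth failure, the count rises to six, and the later successful login as administrator is attached to the alert; 192.0.2.10 has a single failure and stays below the threshold. The threshold and window are the two knobs to tune against a site's normal failure rate, and the success-after-failures condition is the one worth paging on.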

“We joke that there must be some sort of old crime groups that have gotten their MBAs,” Porter said. “In the last several years of these types of industrialized attacks, we’re seeing innovation in the process and methodology used. The whole process is end to end and it’s massive in scale.”