Cyber-criminals are getting better at using targeted attack methods and strategic planning to break into the digital data vaults held by major corporations, according to Symantec Corp.
Last year set a record both in terms of the total number of data breaches and the total number of customer records that were compromised, the security vendor is reporting in its latest Internet Security Threat Report. The annual report on cyber-security trends shows 2013 saw a 62 per cent rise in data breaches over 2012 for a total of 253 reported breaches. There were also eight breaches that exposed more than 10 million identities each, compared to just one breach of that size in 2012. In total, more than half-a-billion identities were breached in 2013, including financial account details, birth dates, addresses, phone numbers, email addresses, login information, and more.
“The big numbers are driven by the last quarter of the year where we had big breaches all around the Christmas shopping season,” says Kevin Haley, director of security response at Symantec Corp. “We’re seeing a certain amount of patience in saying ‘we’re going to get into the big retailers and wait until the optimal time of the year.’”
Examining the methods used by hackers to extract information from a large corporation also hints at growing maturity. One form of targeted attack known as “spear phishing.” It involves a degree of social engineering where an attacker will learn specific information about a target – for example an executive at a valuable retailer – and use it to compose fraudulent messages asking for information, or as a trojan horse to infect their computers with malware.
In 2013, 39 per cent of targeted spear-phishing attacks were sent to large enterprises of more than 2,500 employees. Thirty-one per cent targeted medium-sized firms and 30 per cent targeted SMBs. While the total number of spear phishing emails sent dropped in 2013 compared to 2012 – to 83 per day from 116 per day – the number of spear phishing email campaigns rose by 91 per cent. Those campaigns targeted a more honed group of people and lasted three times longer than the previous campaign.
Modern digital marketers will be familiar with “drip” email campaigns that consist of a series of messages sent to a prospective customer over time, designed to pique their interest and ultimately convert them to a lead. Now it seems the underworld is cluing in to the same techniques. Rather than flood a user with messages over one or two days, the messages are sent over a longer period to try and avoid drawing too much attention to an attack campaign.
“The hackers are being more efficient,” Haley says. “Instead of sending 100 messages into an organization and hoping someone falls for the attack, they’re targeting one or two people in the organization and working to convince them.”
In one particularly clever attacked, dubbed “Francophoned” by Symantec, cyber-crooks would send an infected file attachment through email to a company’s accounting department. Then the attackers followed up by calling the department and saying there was some urgency to paying the invoice, asking the worker to open the infected file.
Spear phishing has been around for several years now as an attack method, so users are starting to clue in, Haley says. Technology blocking the messages has also improved, so attackers have are stepping up their game to succeed with their attacks.
With so much success for attacks of this sort in 2013, it’s likely 2014 will see a lot of imitation attacks, Haley says. Businesses should take a good look at their security policies to protect against spear phishing.
If you’re wondering how to spot the messages, here’s some common words used in spear phishing campaigns that Symantec distilled into a word cloud: