The year 2013 was a record year both in terms of the total number of data breaches and the total number of customer records that were compromised, according to Symntec Corp.
The security vendor’s latest Internet Security Threat Report found a 62 per cent rise in data breaches for 2013 over 2012 for a total of 253 reported breaches.
Symantec said at least eight breaches exposed more than 10 million identities each, compared to just one breach of that size in 2012. In total, more than half-a-billion identities were breached in 2013, including financial account details, birth dates, addresses, phone numbers, email addresses, login information, and more.
“The big numbers are driven by the last quarter of the year where we had big breaches all around the Christmas shopping season,” says Kevin Haley, director of security response at Symantec Corp. “We’re seeing a certain amount of patience in saying ‘we’re going to get into the big retailers and wait until the optimal time of the year.’”
Examining the methods used by hackers to extract information from a large corporation also hints at growing maturity.
One form of targeted attack known as “spear phishing” involves a degree of social engineering where an attacker will learn specific information about a target and use it to compose fraudulent messages asking for information or as a trojan horse to infect their computers with malware.
In 2013, 39 per cent of targeted spear-phishing attacks were sent to large enterprises of more than 2,500 employees. Thirty-one per cent targeted medium-sized firms and 30 per cent targeted SMBs. While the total number of spear phishing emails sent dropped from 116 per day in 2013 compared to 83 per day in 2012, the number of spear phishing email campaigns rose by 91 per cent. Those campaigns targeted a more honed group of people and lasted three times longer than the previous campaign.
Modern digital marketers will be familiar with “drip” email campaigns that consist of a series of messages sent to a prospective customer over time, designed to pique their interest and ultimately convert them to a lead. Now it seems the underworld is cluing in to the same techniques. Rather than flood a user with messages over one or two days, the messages are sent over a longer period to try and avoid drawing too much attention to an attack campaign.
“The hackers are being more efficient,” Haley says. “Instead of sending 100 messages into an organization and hoping someone falls for the attack, they’re targeting one or two people in the organization and working to convince them.”
In one particularly clever attacked, dubbed “Francophoned” by Symantec, cyber-crooks would send an infected file attachment through email to a company’s accounting department. Then the attackers followed up by calling the department and saying there was some urgency to paying the invoice, asking the worker to open the infected file.
Spear phishing has been around for several years now as an attack method, so users are starting to clue in, Haley says. Technology blocking the messages has also improved, so attackers have are stepping up their game to succeed with their attacks.
With so much success for attacks of this sort in 2013, it’s likely 2014 will see a lot of imitation attacks, Haley says. Businesses should take a good look at their security policies to protect against spear phishing.