Cybercrooks have plenty of new tricks up their sleeves to steal card data from merchants. The attacks aren’t likely to let up, mainly because retailer payment and business systems remain a treasure chest for data pirates, a new study says.
Cyberattacks are growing in number and sophistication against businesses because card data, personal data and intellectual property remain hot sellers on the black market, Trustwave says in its 2013 global security report.
The most popular malicious software family was "memory scraping," through which attackers target any application that handles credit card numbers, Trustwave says.
As many as 20% of new case samples included memory scraping functions, an activity that was detected in nearly 50% of investigations where associated malware had an identifiable data-collection function.
Memory scrapers often come in pieces, including separate discover and capture tools, Trustwave says.
The Chicago-based data security provider collected data from more than 2 million network and application vulnerability scans, and from 400 Web-based data breaches publicly disclosed in 2012. In addition to using information from various investigative agencies, Trustwave also analyzed data from more than 20 billion e-mails collected from 2007 to 2012.
The risk of a data breach is becoming greater for consumer-facing businesses and brand-name chains, Trustwave says.
The report reveals SQL (structured query language) injection and remote access made up 73% of the infiltration methods used by criminals in 2012. In addition, versions of the Blackhole exploit kit, the most common tool for Web hackers, made up more than 70% of all attacks. Sixty-one percent of attacks targeted Adobe Reader PDF files.
Many businesses are leaving the doors open for attackers by ignoring security basics.
Organizations encounter remote administration challenges, the use of weak or reused passwords, a lack of a properly configured firewall, a lack of software updates, and a lack of education among employees, Trustwave says.
"A lot of companies are not hearing the message [about protecting data] and do not do the basic steps for security," says Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group.
For small merchants, it is often a lack of awareness about data breaches because they are more focused on making it through the recession and running their business, Conroy says. "There is not a full realization that they are targets."
Larger companies are more aware of data security and do all of the compliance tests and updates, but they also fall into traps, Conroy says.
"They can let their guard down just one time with a new release of data that either doesn’t go through all of the proper channels or is just protected by a default password," Conroy says. "And the bad guys aren’t going to let that slip by."
Trustwave says the crooks have turned the tables on the common protective measure of encrypting data by doing the same thing when stealing data. Criminals encrypted more than 25% of all data they were stealing, the report says.
Because of the most recent trends and introduction of more powerful malware, businesses will discover that off-the-shelf detection software is becoming ineffective, making multiple layers of defense still the strongest strategy, Trustwave says.
Outsourcing of technology and business systems saves companies money only if it results in no attacks on data, but third-party vendors are just as vulnerable, Trustwave says.
Early last year, Trustwave encouraged independent sales organizations to provide merchants with added security against malicious-software attacks as the company prepared to beef up its software offerings after acquiring M86 Security.