A criminal planting malware to render payment card data unusable and seeking a ransom from the victim to decrypt it, on average, is getting an astronomical 1,425% return on his investment, security vendor Trustwave says.

A $5,900 investment in an exploit kit or ransomware scheme for one month can turn into a profit of approximately $90,000, according to Chicago-based Trustwave's 2015 Global Security Report.

"The 14-fold return on the investment of ransomware and malware attacks … makes these attacks very attractive," said Charles Henderson, vice president of managed security testing for Trustwave.

In a ransomware attack, a criminal renders a computer network or its data unusable until the victim pays to restore it. Sometimes a company refuses to pay; other times it pays and may not get the code anyway, Henderson said. Trustwave has seen both scenarios play out when investigating breaches.

These findings illustrate the need for financial companies to make criminals' business plans less lucrative or more difficult, Henderson said.

"Criminals are looking to put the least amount of work in for the maximum amount of money," Henderson said. "The way to do that is to attack firms where it is easy to attack them."

Yet, if the complexity of the attack is worthwhile because of the large amounts of card and personal data that can be collected, a criminal will make that effort and get his return on the black market, Henderson added.

Application vulnerabilities have become a more significant problem than originally thought: 98% of the software applications Trustwave tested had at least one vulnerability in 2014, the research found.

The most vulnerabilities Trustwave found in a single application was 747, and the median number per application rose 43% in 2014, to 20 from 14 the previous year.

"It's a meaningful stat, one that should be a gut punch to most developers out there," Henderson said. Such a weakness has caused many companies that felt secure to re-examine processes and realize they must concentrate more on security, he added.

Even though it is getting to be a tiresome warning because it is the same each year, Henderson said, Trustwave examined nearly 500,000 passwords and again found "Password1" as the most common password.

The research also revealed that 39% of passwords were eight characters long, a length that takes a typical hacker only one day to crack. For a 10-character password, the criminal effort becomes 591 days. Trustwave was able to crack 51% of the passwords it studied within 24 hours, and 88% of them within two weeks.

Half of the data compromises Trustwave investigated occurred in the U.S., a 9% decrease from last year, while 24% occurred in Australia, a 13% increase over last year.

"Criminals like to attack companies where large amounts of money are present, and that's a reason the U.S. is targeted so much," Henderson said. "But criminals are agnostic about where they attack. They are interested in money, not the country of origin."

In 31% of cases, investigators found attackers targeted track data from mag-stripe cards, while in 20% of cases, they sought either financial credentials or proprietary information.

Track data was targeted in 63% of the North American breaches.

Weak remote-access security or weak passwords contributed to 94% of the point-of-sale breaches, and 81% of those victims did not detect the breaches themselves, the report said.

A median of 14.5 days elapsed from intrusion to containment in self-detected breaches, while those detected by an external party had 154 days elapse from intrusion to containment.

Thirty-three percent of the exploits detected targeted Adobe Flash, up 28.2% from the previous year, while 29% targeted Microsoft Internet Explorer.
