PINDROP BLOG

Verizon DBIR Shows Focus on Credential Theft in Breaches

Attackers are continuing to refine their tactics and develop new tools, but in a lot of cases they still rely on tried-and-true methods such as phishing, social engineering, malware, keyloggers, and credential theft to achieve their goals. The 2016 Verizon Data Breach Incident Report shows that these tactics and tools are still among the most-used by attackers, who find there’s no reason to change when the old favorites are still working.

The DBIR, which is perhaps the most comprehensive annual report on data breach trends, tracks what kind of tactics attackers use, which organizations are breached, attackers’ motivations, and many other factors in data breaches. One of the most notable themes in this year’s report, released Tuesday, is the continued success of phishing and malware campaigns. Most of the phishing incidents in this year’s DBIR were used as a means to install malware for further attacks. Depressingly, Verizon’s data shows that 30 percent of phishing emails were opened and 12 percent of users clicked on the attachment or link in the email.

“That indicates a significant rise from last year’s report in the number of folks who opened the email (23% in the 2014 dataset) and a minimal increase in the number who clicked on the attachment (11% in the 2014 dataset),” the report says

Because phishing is such an old tactic and users have had years of warnings about falling for it, it’s easy to wonder how people still fall for it. But Verizon’s DBIR team points out that these are not the same old phishing campaigns from 2004. Many of these attacks are run by actors in the top of the food chain.

“However, before we drag these individuals outside and collectively stone them, keep in mind that the main perpetrators for these types of attacks are organized crime syndicates (89%) and state-affiliated Actors (9%) who can put some thought into the ruse they use,” the report says.

“So why do the Actors do what they do? Money, loot, cash, filthy lucre, greed.”

While there’s always a variety of motivations and tactics in play in data breaches, one of the things that remains the same is the use of stolen credentials. In the 2016 report, 63 percent of breaches involved the use of stolen, weak, or default passwords. There’s no need to use custom malware or highly advanced tools when organizations install databases or ICS gear with default passwords. The use of stolen credentials was found across the categories of data breaches, and it continues to be used because it continues to work.

“The capture and/or reuse of credentials is used in numerous incident classification patterns. It is used in highly targeted attacks as well as in opportunistic malware infections. It is in the standard toolkit of organized criminal groups and state-affiliated attackers alike. Even fraud committed with stolen payment card data often relies on the static Card Verification Value (CVV) information on the magnetic stripe,” the DBIR says.

Verizon’s report comprises data from more than 100,000 security incidents and more than 2,200 confirmed data breaches across a wide variety of industries around the world. While much of the data set changes from year to year, one of the constants is the main motivation of attackers: Dollar, dollar bills.

“So why do the Actors do what they do? Money, loot, cash, filthy lucre, greed … get the idea? In fact, it can be money even when it’s not money. In the 2013 DBIR it appeared that perhaps the reigning lothario of ‘financial gain’ was in danger of being cast aside in favor of ‘espionage.’ Could such a thing come to pass? No, not really,” the report says.

Data breach detections methods have changed significantly over time, however. Ten years ago, most breaches were found through fraud detection systems or internal discovery. Now, less than 20 percent of breaches is discovered through fraud detection, and more than 40 percent are found by law enforcement agencies.

“All in all, external notification is up. And when you have to wait on external detection to tell you you’re popped, it’s probably too late to keep the horses in the barn,” the report says.

Webinar: Call Center Fraud Vectors & Fraudsters Defeated