Monday, April 9, 2018
Marking the annual security study's 10th year, the 105-page report revealed fewer physical POS system attacks. Yet retail (16.7 percent of breach incidents) and payment card data (targeted in 40 percent of breaches) remain top targets for cybercriminals. "There's actually been a decline in attacks that target point-of-sale systems, which points to the maturing of security in brick-and-mortar retail shops," said Karl Sigler, Manager of Threat Intelligence at Trustwave.
The report found that ecommerce has taken up much of the slack for on-site exploits. Thirty percent of exploits studied occurred in ecommerce environments versus 20 percent for physical POS environments. Spam, representing 39.2 percent of inbound email, has dropped in recent years. As these types of attacks become less effective, exploits involving phishing and social engineering are gaining, according to Trustwave.
A section of the report addresses a type of phishing attack that has impacted a number of hotels. To initiate the attack, the hotel receives a call from the criminal indicating a problem making the reservation. The clerk is asked to open an email attachment containing reservation details and once opened the hotel computer is infected with malware. Sigler stressed the importance of being skeptical in phone and email situations, and taking steps to confirm the legitimacy of callers or senders before any action is taken.
In cases like this, security can be more of a human issue than one related to technology. "You can buy all of the security products in the world, but unless you have the people and know-how to implement them correctly, they're not going to do anything for your security profile," Sigler stated.
Alarmingly, the study found that 100 percent of web applications tested displayed at least one vulnerability; 11 was the median number detected. Analysts noted that web attacks have become more prevalent and sophisticated. A number of breaches examined in the study indicated careful preplanning on the part of criminals, who probed for weak packages and tools to exploit. Cross-site scripting (XSS) topped the list in this category, involved in 40 percent of web attack attempts identified. This was followed by SQL injection, responsible for 24 percent of web attacks attempted.
XSS attacks induce websites to execute malicious script that directly impacts site visitors. "If your website is vulnerable to cross-site scripting, your website itself is not vulnerable to attack, your customers are," Sigler noted. "If I know that your website is vulnerable to cross-site scripting, I can start attacking your entire customer base, which becomes a reputation hit for the organization."
Another trend Trustwave identified is increased use of fileless POS malware, which is more difficult for antivirus protections to detect. "By embedding the malicious code directly in memory, as opposed to writing it to disk, there is a lot greater chance that they're going to get away with the attack," Sigler said.
He pointed out that to combat security issues such as this, a number of heuristic anti-malware systems exist that identify threats through problem solving and trial and error: they search for abnormal behavior rather than for the presence of a specific file, so that malware can be detected and addressed more effectively.
For a free copy of the report, visit www2.trustwave.com/globalsecurityreport.html.