In a study of large-scale data breaches in 2008, Verizon Business found that cybercriminals profited mostly from exploiting careless mistakes.
In fact, of the more that 285 million records compromised last year -- more than in the previous four years combined -- "highly sophisticated" attackers largely applied their skills only after gaining access from such openings as unpatched vulnerabilities or simply using default sign-on credentials.
“The overall message about hacking in 2008 was that it was not all that sophisticated,” Wade Baker, research and intelligence principal, Verizon Business, and primary author of the report, told SCMagazineUS.com Wednesday. “The criminals are getting in the door through very low-level means. They are not having to work hard to get in the door. But once they are there, they begin to do some very sophisticated things.”
The Verizon study was based on data analyzed from the company's actual caseload from 90 confirmed breaches. The financial sector accounted for 93 percent of all records compromised last year, and 90 percent of the records stolen was done by groups identified as being in organized crime.
The study also revealed the intricate methodology and sophistication of recent attacks.
“Rather than malware being some worm that makes a lot of noise, criminals put it on the exact system they want, where it would remain stealthy and unnoticed for a long time,” Wade said. “This is where the criminals have to innovate. To get large volumes of data, they have to handcraft their malware. They are going after high-value information, such as PIN information, not just credit card numbers.”
The report also noted the falling price of stolen data. As with any legitimate market system, the unit value of goods and services fluctuates with supply and demand, the report pointed out.
“In 2007, you would have to pay $13 to $14 for stolen credit card information," Wade said. "Recently, we saw that dip under 50 cents That's just simply supply and demand. There was so much [stolen data] out there, the value dropped.”