During the first nine months of 2011, Dell SecureWorks blocked an average of 91,500 attacks per retailer, compared to 63,651 during the final nine months of 2010. The rise is primarily due to an increase in SQL injection assaults against servers, as well as attacks stemming from web-based exploit kits, Ben Feinstein, director of operations and analysis with the Dell SecureWorks Counter Threat Unit, told SCMagazineUS.com on Tuesday.
Other verticals have also experienced an increase in attacks, though not to the same degree as the retail sector, he said. Merchants are being more heavily targeted than those within other sectors, likely because they maintain vast amounts of information that attackers want, and often have less stringent security controls.
Specifically, attackers have been hitting retailers hard with injection attacks, a technique for exploiting web application security flaws by inserting malicious SQL code in web requests. Though this type of attack has been well known for some time, it still proves successful for cybercriminals.
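To make the defect concrete, here is an added illustration (not code from the article or from any vendor it quotes) of the flaw behind the injection attacks described above: an order lookup that pastes a request parameter into the SQL text, beside the same lookup using a bound parameter. The table, rows and hostile input are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a retailer's order table (not from the article).
ORDERS = [
    ("alice@example.com", "ORD-1001"),
    ("bob@example.com", "ORD-1002"),
    ("carol@example.com", "ORD-1003"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (email TEXT, order_id TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)", ORDERS)
    return conn


def lookup_vulnerable(conn, email):
    # Defective pattern: the request parameter becomes part of the SQL text,
    # so a quote character in it changes the structure of the statement.
    sql = "SELECT order_id FROM orders WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, email):
    # Hardened pattern: the driver binds the value as data, so whatever
    # characters it contains are only ever compared against the column.
    sql = "SELECT order_id FROM orders WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def demo():
    """Run both lookups with a normal value and with a constructed hostile value."""
    conn = make_db()
    honest = "alice@example.com"
    # Constructed hostile input: closes the string literal and appends a
    # condition that is always true, turning a one-row lookup into a full dump.
    hostile = "x' OR 'a'='a"
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "parameterized_honest": lookup_parameterized(conn, honest),
        "parameterized_hostile": lookup_parameterized(conn, hostile),
    }
```

The concatenated query returns every order for the hostile value, while the parameterized query returns nothing for it and the single matching order for the honest value.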
“Technically speaking, if attacks increased against the retailers, this by itself doesn't mean they are lagging behind with respect to security — only that they are increasingly targeted and they have something cybercriminals want,” Jeremiah Grossman, chief technology officer at web security firm WhiteHat Security, told SCMagazineUS.com in an email. “Having said that, they could, in fact, be lagging behind.”
Data from WhiteHat appears to suggest so. In 2010, 51 percent of retailers had at least one serious vulnerability, including SQL injection, exposed every day of the year, according to WhiteHat Security's website security statistics report, released in March. Moreover, retailers had an average of 404 serious vulnerabilities per website in 2010, higher than any other vertical examined in the study.
Grossman said the problem is likely to continue unless “something drastic changes.”
Part of the issue may come down to regulations, Feinstein said.
Hackers sometimes find and exploit flaws in retailers' web apps that have not been tested in accordance with the Payment Card Industry Data Security Standard (PCI DSS), he said. They then use that foothold to access other systems containing more sensitive information.
Those within the financial sector, in contrast, have been dealing with regulations to protect data for a longer time and may have more mature security policies, such as centralized patch management, or technologies to protect employees as they browse the web, like secure web gateways or content-filtering devices, Feinstein said.
Over the past nine months, Dell SecureWorks has also blocked a large number of web-based exploit kit attacks against its retail customers. These exploit kits, such as Black Hole, allow cybercriminals to distribute a variety of malware by capitalizing on flaws in browsers and browser plug-ins.