Denial of Service and use of stolen credentials on banking applications
remain common. Compromised email accounts become evident once
those attacked are filtered. ATM Skimming continues to decline.
927 incidents, 207 with confirmed data disclosure
Top 3 patterns: Web Applications, Privilege Misuse, and Miscellaneous Errors represent 72% of breaches
External (72%), Internal (36%), Multiple parties (10%), Partner (2%) (breaches)
Financial (88%), Espionage (10%) (breaches)
Personal (43%), Credentials (38%), Internal (38%) (breaches)
Filters are not just for social media photos
We use filters in data analysis to focus on particular industries or threat actors and to pull out interesting topics to discuss. We also exclude certain subsets of data in order to reduce skew and avoid overlooking other trends and findings. This is not to say that we ignore or deny their existence; rather, we analyze them independently in other sections of this study. In this industry, we acknowledge, but filter, customer credential theft via banking Trojan botnets. Their numbers in this year’s data set show that they are not inconsequential matters: over 40,000 breaches associated with botnets were separately analyzed for the financial sector. We discuss both of these scenarios in more depth in the Results and Analysis section, but there is not much to say that has not already been said on the subjects. Below is what’s left, and we will start with the common pairings of action and asset varieties.
Keep in mind that breaches are often more than one event, and sometimes more than one of the combinations above are found in the same breach.
I’d rather be phishing
When we look at the two pairings that share mail servers as an affected asset in Table 4, we can see a story developing. Adversaries are utilizing social engineering tactics on users and tricking them into providing their web-based email credentials. That is followed by the use of those stolen creds to access the mail account. There are also breaches where the method of mail server compromise was not known, but the account was known to have been used to send phishing emails to colleagues. So, while the specific action of phishing is directed at a human (as, by definition, social attacks are), it often precedes or follows a mail server compromise. And there is no law that states that phishing cannot both precede and follow the access into the mail account (there are laws against phishing, however). Phishing is also a great way to deliver malicious payloads.