Ransomware may be earning criminals a very healthy 1425 percent return on their investment, but the real crime is that organisations continue to make schoolboy errors when it comes to securing their public-facing networks.
That's the message which came out of the Trustwave Global Security Report 2015.
Trustwave compiles its Global Security Report (GSR) every year, but this time it decided to focus on forensic investigations. Based on its experience of managing 20,000 devices across its five security operations centres, and undertaking more than 570 forensic investigations, Trustwave claimed its report gives it unmatched visibility into security threats.
It found that 43 percent of investigations were in the retail industry, with 42 percent of those being e-commerce breaches and 40 percent point-of-sale (POS) breaches. Twenty-eight percent of hacks resulted from weak passwords and another 28 percent from weak remote-access security.
Put those two sets of statistics together and you get the disturbing fact that 94 percent of POS system cracking was achieved by exploiting weak passwords or poor remote-access security.
In 31 percent of cases Trustwave investigators found attackers targeted payment card track data (up 12 percentage points over 2013). Track data is the information on the back of a payment card that's needed for an in-person transaction.
“The POS malware noted in the report utilises a common weakness in current US retailers, in that the card magnetic stripe data (known as Track data) is passed to the POS and can be captured within the POS by the malware,” Matthew Hall, PCI QSA consultant, Sec-1, told SCMagazineUK.com.
“With this data, a criminal can sell the track data itself or directly use it to create cloned copies of the card. With the move to EMV [chip & pin], track data cannot be captured, reducing the possibility that the criminal can clone cards to perform fraudulent transactions. US retailers are already working towards updating systems to be EMV compatible, although take-up is slow.”
“Once a hacker gets inside a retailer network they can often get access to the PoS devices, either directly or by bridging over from the infrastructure they have breached to the network where the PoS devices are hosted. So protecting the accounts that manage PoS devices and networks is essential,” said Boatner Blankenstein, director of solutions engineering at Bomgar.
Sadly, 81 percent of victims did not detect the breaches themselves, taking a median of 86 days to detect them, which contributed to the overall median of 111 days from intrusion to containment.
However, the statistic that has hit the headlines is Trustwave's estimate – based on original research into the black market – that attackers can earn a 1425 percent return on investment from the purchase of an exploit kit, based on an investment of US$5,900 (£4,000) for a one-month campaign against earnings of US$90,000 (£60,000).
The attention garnered by this statistic is not unwelcome, said Trustwave. Oliver Pinson-Roxburgh, EMEA manager of systems engineers at Trustwave, told SC in a telephone interview that it helps bosses understand that ransomware and hacking aren't all about geeks in their bedrooms.
“This [statistic] is a good way for security professionals to communicate the message of this report upstream,” said Pinson-Roxburgh. “It helps the executives in the C-suite understand that threat. They tend to be more business minded and if they can see that attackers are making a return on investment, it will help them understand how this business is changing and adapting.”
Tom Williams, consultant at Context Information Security, said the barrier to entry for ransomware was already very low and this statistic would only encourage more to enter. “As more enter the market in order to deploy ransomware in anticipation of significant returns, other criminals will seek to meet the demand by developing newer and increasingly more sophisticated variants,” he said.
Paul Lipman, CEO at iSheriff, said the news of ransomware being highly profitable is “old news” but agreed that we will see increasingly pernicious and advanced exploits. “This new breed of attack will be context aware, utilizing a variety of techniques to identify whether it has infected an individual home user, a small business, or a large enterprise. The ransom will be set according to the context, enabling cyber-criminals to increase their return on investment by orders of magnitude,” he said.
Geoff Sanders, co-founder and CEO of LaunchKey, blamed the success of ransomware on individuals and vendors who implemented security poorly, adding it will take a “concerted effort” to stop these attacks. “Rather than being a direct victim of the malware, organisations are typically the unknowing participant utilised as the transport vessel for the delivery of the ransomware itself. Even for individuals that find themselves the victim of ransomware, it's unlikely they'll know the specific compromised website, application, or email that was the source of the malware,” Sanders said.